Use Fingerprints to determine the authenticity of an Internet website - gHacks Tech News


For security purposes, it may sometimes be useful to make sure that you are connected to the right website, and not a spoofed copy of it. While this may be less of an issue at home, you may run into all sorts of trouble when you are using public Internet connections.

It is rather difficult at first sight to make sure that you are really connected to the right secure website and not a copy that traffic gets redirected to. Such a redirect can for instance be done by spoofing a site's certificate.

One of the options that you have with HTTPS connections is to use fingerprints for verification, as fingerprints cannot be spoofed. To make sure you are on the right site, you compare the fingerprint of its certificate in your browser against a trusted source that provides you with fingerprint records of its own.

Looking up certificate fingerprints

Each web browser handles this in a different way:

Firefox

  1. Click on the lock icon in the browser's address bar and select more information from the menu.
  2. Select View Certificate on the new window that opens up.
  3. Locate the fingerprint section on that page.

Google Chrome

  1. Click on the lock icon in the browser's address bar.
  2. Switch to connection and, on that page, click on certificate information.
  3. Switch to details on the new window and locate Thumbprint at the bottom of the listing.

Opera 15+

  1. Click on the secure lock icon in the address bar and select details from the menu that opens up.
  2. Click on the certificate link that is displayed.
  3. Switch to the details tab and check the Thumbprint field value here.

Internet Explorer

  1. Right-click on the page and select Properties from the context menu.
  2. Select Certificates on the properties page.
  3. Switch to the details tab, make sure that show is set to all, and scroll down until you find the thumbprint field.

Verifying the fingerprint of a website

Now that you know how to look up the fingerprint of a website's or server's certificate, it is time to compare the fingerprint using a second source.

The GRC website can be used for that purpose. Just visit the fingerprint page on it and either look at one of the popular fingerprints at the top, or enter the website whose certificate fingerprint you want to retrieve in the form below them.

All you have to do is compare the fingerprint displayed in the web browser to the certificate pulled by the script on the GRC website.

As a side note: Make sure the GRC website shows a green listing and lock icon in Firefox, Chrome or Opera, as this is an indicator of an authentic Extended Validation Certificate.

Once you have compared the fingerprint that is displayed in your web browser of choice to the fingerprint that the GRC website provides you with, you know that the connection is either valid or spoofed.

Exception: Companies may use multiple certificates which all come with their unique fingerprint. Depending on which server you are connected to, it may mean that the certificate differs even if you are connected to the real website or server.
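
The comparison described in this section can also be scripted. The following is an added example, not part of the original article: it hashes the DER bytes of the certificate a server presents and compares the result to one or more reference fingerprints, ignoring the separator and letter-case differences between tools. The function names and the SAMPLE_DER bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Hex length of a fingerprint tells us which hash produced it.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

# Constructed stand-in bytes, NOT a real certificate; used for offline checks.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def normalize(fp: str) -> str:
    """Drop separators (colons, spaces, dashes) and lower-case a hex fingerprint."""
    cleaned = "".join(ch for ch in fp if ch not in ":- \t").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return cleaned


def fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """A fingerprint is the hash of the whole DER-encoded certificate."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def fetch_der_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate presented on this connection."""
    # Chain validation is off so a certificate the trust store rejects can still be inspected.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def matches_reference(der_cert: bytes, references) -> bool:
    """True if the certificate matches any reference (sites may use several certificates)."""
    matched = False
    for ref in references:
        ref_hex = normalize(ref)
        algo = ALGO_BY_HEX_LEN.get(len(ref_hex))
        if algo is None:
            raise ValueError(f"unsupported fingerprint length: {ref!r}")
        if hmac.compare_digest(fingerprint(der_cert, algo), ref_hex):
            matched = True
    return matched
```

Pass the result of fetch_der_cert for the host you are checking, together with the fingerprints obtained from your second source, to matches_reference. A False result means the presented certificate is none of the ones you listed, which, as the exception above notes, can also happen on the real site.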

Closing Words

The technique is ideal to make sure you are connected to the right secure website. While it may not provide you with a definitive answer that a certificate is spoofed if fingerprints do not match, it still may make you more cautious because of it.





    Comments

    1. Tom said on July 27, 2013 at 9:19 am

      I am sorry. Unless you are one of the few over paranoid Web users, you are not going to go through all those hoops to verify a website. The whole purpose of the Web (now) is convenience. Those who use the Web are bombarded with more and more convenient ways to simply do what was more difficult before.

      The fingerprint idea is great for the paranoid. But, for it to be of any use for the masses, it needs to be incorporated into the browsers so it is checked automatically in the background and then WARN users that the site they are visiting is corrupted in some way.

      I have a number of add-ons I use to help steer me away from trouble, but common sense is my best weapon.

      1. Martin Brinkmann said on July 27, 2013 at 9:35 am

        Tom, I do agree that this is taking it a bit far, but the idea here is to highlight that you can verify it. So, if you suspect that someone is tapping your line or attacking you, then you may want to check your connections.

        Also, it does not make sense to verify them all. While I would for instance verify my connection to PayPal, I may not do so if I want to search on Google.

        1. imu said on July 27, 2013 at 4:08 pm

          Speaking of paranoia, you can also verify how secure the encrypted connection to your PayPal or your bank server is.

          https://www.ssllabs.com/ssltest/index.html

    2. Transcontinental said on July 27, 2013 at 10:35 am

      Most interesting. I wonder why no add-on (as far as Firefox is concerned) has been created to automate this task (as far as I know).

      A major handicap is the exception possibility mentioned in the article. Consequently, if fingerprint checksums match, it’s ok; if they don’t, it might still be ok. I admit this may lead to frustration in the latter case.

    3. Nebulus said on July 27, 2013 at 11:13 am

      @Transcontinental: I think that the reason that no add-on was created to check the fingerprints is the second part of your comment :) (it would create confusion/frustration among many users).

      1. Transcontinental said on July 27, 2013 at 12:28 pm

        True, Nebulus, I agree. The fact is I thought about this but a bit too late.

    4. Tim said on July 27, 2013 at 11:24 am

      For anyone who’s interested, if using IE once you’ve identified a legitimate certificate, you can use the ‘Certificate Pinning’ feature in EMET 4.0 which will warn you if the certificate changes or expires.

    5. Pawan said on July 28, 2013 at 3:43 am

      I agree with this invention, it's really nice for everyone!

    6. Dilemma said on July 28, 2013 at 8:35 am

      Firefox addon is available to check these for you automatically.
      Chrome version isn’t automatic because of API limitations,
      Both available via http://www.signaturecheck.org
