This article is here to make you aware that a padlock in your browser does not, by itself, mean you are talking to the original server. The same goes for EV (extended validation) certificates: EV tells you how thoroughly the certificate authority checked the organisation behind the site, it does not prove that the certificate your browser received is the one the site actually installed.
Preface
This post is simply like the Matrix, you have two choices:
Blue Pill
I’m quite happy in my little dream world, take me back to the land of unicorns, pixies, elves, and talking trees…..
Red Pill 💊
Are you interested in all this SSL stuff? Do you want to know how deep the rabbit hole goes? Have you always wondered about the padlock? Would you like to learn about SSL thumbprints?
Excellent, take the pill with that glass of water and continue reading……
HTTPS Interception
If you send an HTTPS request to a remote website through an intercepting proxy, the proxy terminates your TLS connection itself and then opens its own connection to the original host on your behalf. Your browser thinks it is talking to the remote server when in actual fact it is talking to the proxy, and neither you nor your browser are any the wiser: your browser looks for a certificate it trusts, and you look for the little padlock. The proxy can only pull this off because a certificate authority it controls has been installed as trusted on your machine, which lets it mint a certificate for any site name on the fly.
VPN on open Wi-Fi
If you are using open Wi-Fi, always insist on using a VPN. You can pay for one (but choose carefully), build one yourself, or better yet find the free VPN section in the side menu bar and use that - no cost to you, and no strings attached.
Why VPN matters!
If you are not, you are exposed on open wireless networks, not to mention networks with weak WPA keys. In this situation an attacker can spoof the access point name: Wi-Fi clients are lazy and connect to the strongest signal carrying the SSID they know, so if a laptop on the other side of the coffee shop advertises the same name as the real Wi-Fi, your phone will connect to the laptop, not the original access point. Yes, this is SSID spoofing (an “evil twin”). The related pastime of driving around in a vehicle mapping Wi-Fi networks is called war driving - but I digress.
Corporate environments
If you have a proxy server in your corporate environment, it does not even have to be a dedicated proxy: many firewalls and gateways now offer this particular feature. Ironically, it falls into the category of “keeping you secure” when, in certain scenarios, it does the complete opposite.
Depending on who is managing your proxy, HTTPS inspection is genuinely useful to an organisation for DLP, malware detection and dangerous script detection. However, as you learned above, your traffic is intercepted and re-established dynamically between the proxy and your browser, and that causes a couple of issues. Many applications require a genuine end-to-end connection to the remote server (for example because they pin the certificate they expect to see), so for many applications you will notice that HTTPS inspection is explicitly not supported. There is still a high chance that does not stop your company trying to use it, and if that is the case the application will not work correctly, or will not work at all.
HTTPS Inspection - is it setup well?
HTTPS inspection only offers very good protection if it is set up correctly. For many solutions it is not just a case of flipping a switch to “enabled”: you have certificates and certificate chains to get right (the inspection CA has to be trusted by every client, and the proxy itself still has to validate the real server's chain properly, otherwise it silently accepts certificates your browser would have rejected), and then you actually need to set up policies that will protect you, custom to the requirements of your corporate environment.
Unfortunately, as the end user you will not know what has been set up or what it has been instructed to monitor and analyse. However, that does not mean you cannot detect that it is being used.
HTTPS Inspection 🔒 - White Line
This technology is sold as a security benefit. However, it also comes with legal ramifications, because of the amount of data you can get from traffic that would otherwise be invisible. You should not really be inspecting anything to do with health or banking, as that crosses quite a few moral (and in many jurisdictions legal) lines, however some companies will choose to do it anyway.
Here you can see the legal warning in TMG
Enabling this feature in your corporate environment usually requires HR approval, and sometimes compliance sign-off, due to the nature of how it works. However, let's face facts here: policies and restrictions will not stop people behaving insecurely. Usually the more you restrict and prohibit something, the more people try to get around it, and that does not just apply to technology or security, it applies to everything in life.
The goal is not to lock users down, restrict them and deny them access to the services they need; the goal is to provide solutions. If you are enabling a security feature that intercepts users' traffic, you need those users to trust what you do with the data you collect. If they don't, users find ways to do what they need without your protection, enforcement and lockdown - I have seen this happen far too much.
HTTPS Inspection - How to Tell 💵
Certificate and Chain check
So, if you think your traffic is being inspected, there are a couple of tests you can do to see if this is the case. One is very simple to do and the other is a bit more interesting, scientific and technical.
The first test is to visit a website and look at the SSL certificate and its chain. If HTTPS inspection is in use, the certificate will not have the proper chain attached: instead of chaining up to the public authority that really issued the site's certificate, it chains to whatever internal authority the proxy is using. HTTPS was invented to stop people intercepting your communications, with a secure channel protected by public and private keys 🔐
If, for example, you visit Amazon and you notice that the certificate is issued by something with a suspicious-looking internal naming convention, or it is not issued by an external authority at all, then there is a very high chance you are looking at a certificate minted by a subordinate CA that can pretend to be any domain and is, by definition, trusted in your workplace. You will still see the padlock, but the thumbprint and the chain will be wrong.
HTTPS Inspection : Test
The whole point of HTTPS inspection, from a security point of view, is to look for things that are not right in HTTPS traffic. If the policy is set up correctly, you should only be allowing web traffic through that policy, so if the policy has been turned on while hiding behind the shield of “keeping you secure”, the more accurate truth is “keeping checks on what you are up to”.
You would expect that policy or policies to stop certain types of behaviour. Unfortunately, if you need to know more about this, you will need to access my restricted blog to view those details; you need an invitation to access that blog, and if you would like to amble in that direction, click here.
SSL Thumbprints
This is how you tell when HTTPS inspection is being used. If you want to find out, it is a manual process, because usually people do not want you to know this is happening. However, life is a journey about self learning and being vigilant, so let's get started…..
The perfect example is to take my blog URL, which is https://a6n.co.uk. Next we need to get some values from the certificate, and to do this you can use your browser or the Internet; both are covered here. First, these are mine from the current certificate….
My Blog Thumbprint (and more)
MD5 Hash : d7e306246e96196034bdbf66cd8776e7
SHA1 Hash : 560a3a39814b35cff47969dfe9a6a11b86d383d5
SSL Fingerprint: 56:0a:3a:39:81:4b:35:cf:f4:79:69:df:e9:a6:a1:1b:86:d3:83:d5
Reference source : Baseline
Before you embark on checking the thumbprint, you first need to know what it should be. You cannot establish that over your normal connection, because that is exactly the connection you do not trust, so first establish the reference thumbprint from an independent source. Also be mindful that when the certificate is renewed, the thumbprint will also change (the thumbprint is a hash of the whole certificate, and a renewal is a new certificate), so the “valid from” and “valid to” dates are just as important in this scenario: a mismatch on a freshly renewed certificate is not interception. Current browsers list the SHA-256 fingerprint above the SHA-1 one; MD5 and SHA-1 are fine for recognising a certificate you already know, but record the SHA-256 too if your reference source shows it.
I do not advise you to get paranoid about stuff like this, and you do not need to go out and buy a tinfoil hat to protect your head from mind control devices, it is not about that. This is simply a reference guide, raising your awareness: if you know why the thumbprint is mismatching when you are at work, you can make better, calculated decisions.
Your security department telling you the traffic is secure and protected is fantastic. Just remember that companies are protecting themselves from a legal liability point of view; they are not protecting you as the user.
Internet Lookup Method (reference source)
If you wish to look up the thumbprint using the Internet, the best way to do it is with a site I would recommend called https://crt.sh
This site shows you every publicly trusted certificate that has been logged to Certificate Transparency for a domain, which is helpful because it also tracks when people have let their certificates expire, and you can get quite a bit more information than that. It is also the ideal reference source for our purpose: a certificate minted by an internal inspection CA chains to a private root, so it will never appear on crt.sh, while the genuine certificate will. Let's dive in……
Type the domain you wish to search for in the box, like this; you do not need the https://
That will then return all the certificates used with that domain, as below:
If you are using your browser, I have outlined a couple of browsers below. Remember, whatever the weather, you should not be using Internet Explorer, you should be using Edge; if you are using Edge you can follow the same process as for Chrome. Exact menu labels move around between browser versions, so compare whichever fingerprint algorithm your reference source gives you.
Internet Explorer:
- Right-click somewhere on the page.
- Select “Properties” at the bottom of the pop-up menu.
- Click the “Certificates” button on the Properties page.
- Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
- Click the “Details” tab to change views.
- Set the “Show” selector to “<All>” if it isn't already.
- Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
- Click on the “Thumbprint” item to select it and show the full thumbprint in the window.
Google Chrome:
- Click on the padlock at the far left end of the URL address bar.
- Select the “Connection” tab.
- Click on “Certificate Information”.
- Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
- Click the “Details” tab to change views.
- Set the “Show” selector to “<All>” if it isn't already.
- Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
- Click on the “Thumbprint” item to select it and show the full thumbprint in the window.
Mozilla Firefox:
- Click on the padlock at the far left end of the URL address bar.
- Click the More “Information...” button.
- Click the “Security” icon/tab at the top of the “Page Info” dialog.
- Click “View Certificate”.
- Verify that the certificate's name under “Common Name (CN)” exactly matches a6n.co.uk/www.a6n.co.uk
- The SHA1 fingerprint is shown under “Fingerprints”.
Apple Safari:
- Click the [https padlock] icon at the far left end of the URL address bar.
- Click “Show Certificate”.
- Click the arrow to expand the “Details”
- Verify that the certificate's “Common Name” exactly matches a6n.co.uk/www.a6n.co.uk
- Scroll to the bottom to view the certificate's SHA1 Fingerprint.
This will then confirm the thumbprint. As you can see from above, the SHA1 fingerprint is what you are looking for (or the SHA-256 if that is what your reference source gives you), and it should match the thumbprint on the reference source. If it does not, check the validity dates and crt.sh first: a renewed certificate is the innocent explanation, a certificate that does not appear on crt.sh at all is the one to worry about.
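To make the check repeatable, here is an added example of my own (not part of the original post's procedure) in Python 3 using only the standard library. It covers the chain and thumbprint checks described above: it normalises the thumbprint formats the different browsers display so they can be compared with a baseline, computes the MD5, SHA-1 and SHA-256 fingerprints of a DER certificate the same way a browser does, and uses the result of a crt.sh lookup to separate a renewed certificate from a possible interception. The baseline values are the ones listed in this post; the sample byte string and the browser-format strings in the notes are constructed for the demonstration; the `fetch_leaf_der` helper and the `ct_known` set are my names, not anything from a library. `fetch_leaf_der` reaches the network and deliberately turns verification off so it can retrieve a proxy-issued certificate for inspection, so do not reuse that context for real traffic.

```python
"""Compare the certificate a TLS endpoint presents against a trusted baseline.

Added example, not code from the original post. Standard library only.
"""
import hashlib
import socket
import ssl

# Baseline copied from the post's reference source for https://a6n.co.uk.
BASELINE = {
    "md5": "d7e306246e96196034bdbf66cd8776e7",
    "sha1": "560a3a39814b35cff47969dfe9a6a11b86d383d5",
}


def normalize(fp: str) -> str:
    """Reduce any browser display format to lowercase hex with no separators.

    Windows shows 'd7 e3 06 ...', Firefox and Chrome show 'D7:E3:06:...'.
    """
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def colon_format(hexdigest: str) -> str:
    """'560a3a...' -> '56:0A:3A:...', the way Firefox and Chrome display it."""
    h = hexdigest.upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprints(der: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 fingerprints of a DER-encoded certificate.

    A fingerprint is just a hash over the whole DER blob, which is why a
    renewed certificate (new serial number, new validity dates) gets a new one.
    """
    return {
        "md5": hashlib.md5(der).hexdigest(),
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def diagnose(observed: dict, baseline: dict, ct_known: set) -> str:
    """Classify an observed certificate.

    observed  - fingerprints the browser (or fetch_leaf_der) showed you
    baseline  - fingerprints you recorded earlier from a trusted source
    ct_known  - fingerprints crt.sh lists for the domain (any algorithm)

    MATCH                  same certificate as the baseline
    RENEWED                different, but publicly logged: update the baseline
    POSSIBLE_INTERCEPTION  different and never logged: likely an internal CA
    """
    common = [a for a in baseline if a in observed]
    if common and all(normalize(observed[a]) == normalize(baseline[a]) for a in common):
        return "MATCH"
    known = {normalize(v) for v in ct_known}
    if any(normalize(v) in known for v in observed.values()):
        return "RENEWED"
    return "POSSIBLE_INTERCEPTION"


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Network helper: fetch the leaf certificate the server (or a proxy) presents.

    Verification is switched off on purpose: a proxy-minted certificate may
    not validate on this machine and we want to fingerprint it anyway.
    Never reuse this context for real traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Live check against the post's domain; ct_known would be filled from crt.sh.
    live = fingerprints(fetch_leaf_der("a6n.co.uk"))
    for algo, value in live.items():
        print(f"{algo:6} {colon_format(value)}")
    print(diagnose(live, BASELINE, set()))
```

Run it once from a network you trust to record the baseline, then again from the suspect network. A `MATCH` means the same certificate reached you; a `RENEWED` means the site rotated its certificate and you should update the baseline; a `POSSIBLE_INTERCEPTION` means the certificate you were handed is not one the public CAs have logged, which is exactly what a proxy-minted certificate looks like. The same DER bytes can be pulled with `openssl s_client -connect a6n.co.uk:443 -servername a6n.co.uk` if you prefer the command line.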