New toy: SSLbar

mister_lee at metropipe.net
Wed Jul 2 02:04:05 EDT 2003


Adam Fields said:
> On Fri, Jun 27, 2003 at 12:56:24AM +1000, Mister Lee wrote:
>> Regarding the usefulness of SSLbar itself, its immediate purpose was
>> fingerprint display, as a (theoretically) easy means of checking a
>> cert's validity yourself, ...
>
> Maybe this is a stupid question, but exactly how are you supposed to
> use this information to verify a cert? I've done an informal survey of
> a few financial institutions whose sites use SSL, and the number of
> them that were able to provide me with a fingerprint over the phone
> was exactly zero.

If you can't get/verify the fingerprint at least once via another channel,
you can't use SSLbar to verify the cert.  About the best you can do is
ensure that you're seeing the same fingerprint every time you visit the
site.

Some commercial CAs (e.g. Verisign) allow you to look up a cert that they
issued.  Say I want to verify e-gold's cert (and I trust Verisign), I can
do the following:

- Go to https://digitalid.verisign.com/services/server/search.htm and
search for www.e-gold.com.
- Click the link for e-gold's valid cert to view the details.
- Annoyingly, they don't show the SHA1/MD5 fingerprints, but they do show
the certificate details, so...
- Go to the e-gold site, and view the cert properties via the usual
click-the-little-padlock method.
- Verify the name, subject, serial number etc. against what was shown on
Verisign's site.
- Make a note of the cert fingerprints.
- Next time you visit the site you can use SSLbar to check the cert
fingerprint against your records.

Makes me think I should add a "view cert" button to SSLbar, plus maybe an
option to show the serial number in addition to SHA1 and MD5
fingerprints...

ML

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
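The procedure described in the message above (check the serial number against what the CA's lookup page shows, record the SHA1 and MD5 fingerprints, and compare them on every later visit) as an added Python example. This is not SSLbar's code and not from the original post; it uses only the standard library. The certificate bytes are a constructed, minimal DER structure with just the fields the code reads, not a real certificate, and the hostname and the in-memory record store are assumptions; `fetch_der` is the one network step and is not exercised by the demo.

```python
"""Certificate fingerprint pinning, SSLbar-style (added example)."""
import hashlib
import ssl
from typing import Dict, Tuple

# Constructed test vector: a minimal DER "certificate" with only the fields
# this example reads (version, serial, algorithm identifiers, placeholder
# signature). It is NOT a real certificate and will not validate anywhere;
# it exists so the code below runs offline.
SAMPLE_DER = bytes.fromhex(
    "3033"                              # Certificate SEQUENCE, 51 bytes
    "301e"                              #   tbsCertificate SEQUENCE, 30 bytes
    "a003020102"                        #     [0] EXPLICIT version INTEGER 2 (v3)
    "02080123456789abcdef"              #     serialNumber INTEGER
    "300d06092a864886f70d01010b0500"    #     signature AlgorithmIdentifier
    "300d06092a864886f70d01010b0500"    #   signatureAlgorithm
    "03020000"                          #   signatureValue BIT STRING (placeholder)
)


def _colon_hex(data: bytes) -> str:
    """Render bytes the way browser cert dialogs do: 'AB:CD:...'."""
    return ":".join(f"{b:02X}" for b in data)


def fingerprints(der: bytes) -> Dict[str, str]:
    """SHA1 and MD5 fingerprints are hashes over the whole DER certificate."""
    return {
        "SHA1": _colon_hex(hashlib.sha1(der).digest()),
        "MD5": _colon_hex(hashlib.md5(der).digest()),
    }


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def serial_number(der: bytes) -> str:
    """Extract tbsCertificate.serialNumber, formatted like a CA lookup page shows it."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, value, end = _read_tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] version; skip it
        tag, value, end = _read_tlv(tbs, end)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    return _colon_hex(value)


def check_pin(records: Dict[str, Dict[str, str]], host: str, der: bytes) -> str:
    """Trust-on-first-use: record on first sight, compare afterwards.

    Returns 'new', 'match' or 'MISMATCH'. A mismatch is what a fingerprint
    display lets you notice; it does not tell you which cert is the right one,
    so the first record still has to be confirmed over another channel.
    """
    seen = fingerprints(der)
    known = records.get(host)
    if known is None:
        records[host] = seen
        return "new"
    if known["SHA1"] == seen["SHA1"] and known["MD5"] == seen["MD5"]:
        return "match"
    return "MISMATCH"


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate as DER (network step; not used by the demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    records: Dict[str, Dict[str, str]] = {}       # a real tool would persist this
    host = "www.example.test"                     # assumed hostname
    # Step 1: compare the serial to what the CA's lookup page showed
    # (the expected value here is simply the one in the constructed test vector).
    expected = "01:23:45:67:89:AB:CD:EF"
    print("serial matches CA record:", serial_number(SAMPLE_DER) == expected)
    # Step 2: record the fingerprints, then re-check on the "next visit".
    print(check_pin(records, host, SAMPLE_DER), fingerprints(SAMPLE_DER))
    print(check_pin(records, host, SAMPLE_DER))
    tampered = SAMPLE_DER[:-1] + b"\x01"          # a different certificate
    print(check_pin(records, host, tampered))
```

Everything in the check is a comparison of bytes you already have against a record you made earlier; the only part that establishes trust is the out-of-band confirmation of that first record, which is exactly the gap the message points out when no second channel is available.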