I’ve talked a lot about HTTPS (and we talked about it in podcast Episode 054), but no one really explains how to make sure your connection is really valid. In some situations I have wanted to look beyond the green padlock icon. This concern has grow with reports of various public Wi-Fi services intentionally breaking HTTPS connections. Hardware manufacturers have shipped devices with what amounts to pre-installed malware for the same purpose. I’ve written about this before but I thought it was worth doing a video on HTTPS certificate fingerprinting.
HTTPS – What it is and Isn’t
Before we go into that, let’s talk briefly about why HTTPS is important. Most people know that it’s important, but not many people know why. An HTTPS (Hypertext Transfer Protocol [Secure]) connection is one that is encrypted from your device to the website you are visiting. The encryption is ridiculously strong AES-128. These connections, if established properly, are (currently) impossible to break…assuming the correct “handshake” has been made and and you haven’t been served a bogus certificate. Making sure you haven’t been served a phony cert requires HTTPS certificate fingerprinting as described in the video.
The encryption a proper HTTPS connection offers is excellent. I always recommend using HTTPS versions of sites and running HTTPS Everywhere in your browser. It is not a substitute for a VPN, however. HTTPS does not protect your packet headers. The URLs to which your browse to are completely exposed in these headers, as is your true IP address. I consider this a strong layer of security, but only a layer in a much bigger picture.
Without further ado, check out the video!
HTTPS Certificate Fingerprinting
The website I talked about in the video: https://www.grc.com/fingerprints.htm