Hypertext Transfer Protocol Secure (HTTPS) is the backbone of internet security. It is ubiquitous encryption that secures connections automatically. Users do not have to enable it, and the security it provides is strong. The cases of Lenovo, Dell, and GoGo Inflight Wi-Fi are all well-documented instances of HTTPS tampering. Most users blindly trust the green padlock in their address bar. You should always verify your connection is actually secure before inputting authentication credentials or financial information. When using tools like the Tor Browser this is especially relevant. It is also very important when using public Wi-Fi or other insecure wireless networks. This post details how to verify HTTPS certificates to ensure your connection is secure.
How to Verify HTTPS Certificates
View the Certificate: Begin by clicking the green padlock beside the URL bar. This will open a drop-down that provides some basic information about your connection.
Next, click the right arrow, then click “More Information”. A new dialog will open. Look at the “Technical Details”. The encryption protocol should be TLS 1.2. Secure Sockets Layer (SSL) is an older, broken protocol and should no longer be used or trusted.
Verify HTTPS Certificates: Cursory Inspection
There are three things to initially look for when verifying a certificate. First, look at the Common Name. This should match the website you are visiting. For example, if you are visiting Bank of America’s website, the CN should be “www.bankofamerica.com”. You should be immediately suspicious if the CN does not match the website you are visiting.
Next, look at the Period of Validity. Most reputable Certificate Authorities (CAs) only issue certificates for one year, though some now issue them for two or three. Be very wary if the certificate is valid for more than three years.
Finally, check out the Certificate Authority. There are a small number of reputable CAs. The most trusted and reputable are Avast, Comodo, DigiCert, GeoTrust, GoDaddy, Thawte, and Verisign. Do an internet search if you have questions about the validity of a CA.
Verify HTTPS Certificates: Detailed Inspection
You should do a more detailed inspection if any of the criteria listed above are suspect. You should also verify HTTPS certificates more fully if you are on an untrusted or insecure network. Untrusted networks include the Tor network and public Wi-Fi networks. Additionally, you should verify them any time you are uncertain about your connection. Although this may seem like a lot of work, it is well worth it.
Scroll to the bottom of the certificate information and look at the fingerprints. Fingerprints are unique to their certificate and are similar to checksums. Like checksums, fingerprints need a known-good version for comparison, to ensure the fingerprint you see is the correct one. Therefore, we will use another website to find fingerprints for comparison. This website is https://www.grc.com/fingerprints.htm.
Navigate to the GRC fingerprinting site. In addition to some other popular websites, GRC will also display its own fingerprint at the top of the page. Next, scroll down to “Custom Site Fingerprinting”. Enter the URL to which you are browsing and click “Fingerprint Site”.
The resulting page will display the authentic fingerprint, as retrieved by GRC.com. Compare this to the fingerprint you retrieved. If the two fingerprints match, you can go forward confidently with the knowledge that your connection is secure.
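The cursory checks above (Common Name, validity period, issuer) and the fingerprint comparison can be automated so they are applied the same way every time. The following script is an added example, not code from the original post or from GRC; it uses only the Python standard library. The sample certificate dictionary, hostnames, and DER bytes in it are constructed placeholders in the shape that `ssl.SSLSocket.getpeercert()` returns, not real site data, and `inspect_live()` is the only function that needs network access.

```python
"""Added example (not from the original post): automate the post's manual
certificate checks -- CN/SAN match, validity period, issuer, and a fingerprint
comparison against a known-good value -- with the Python standard library."""
import hashlib
import socket
import ssl

MAX_VALIDITY_DAYS = 3 * 365  # the post's threshold: be wary beyond three years


def fingerprints(der_bytes):
    """SHA-1 and SHA-256 fingerprints in the colon-separated form browsers display."""
    out = {}
    for algo in ("sha1", "sha256"):
        digest = hashlib.new(algo, der_bytes).hexdigest().upper()
        out[algo] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out


def normalize_fingerprint(text):
    """Drop colons, spaces and case so values copied from different tools compare equal."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(observed, expected):
    a, b = normalize_fingerprint(observed), normalize_fingerprint(expected)
    return bool(a) and a == b


def validity_days(not_before, not_after):
    """Length of the validity period in days, from getpeercert()-style date strings."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) / 86400


def hostname_matches(hostname, cert):
    """True when the host is the CN or a DNS SAN; a '*.' wildcard covers one label only."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def issuer_name(cert):
    for rdn in cert.get("issuer", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return "unknown"


def assess(hostname, cert, der_bytes, expected_sha256=None):
    """Apply the post's checks; returns a list of findings (empty means nothing suspicious)."""
    findings = []
    if not hostname_matches(hostname, cert):
        findings.append("name mismatch: certificate is not issued for %s" % hostname)
    days = validity_days(cert["notBefore"], cert["notAfter"])
    if days > MAX_VALIDITY_DAYS:
        findings.append("validity period is %.0f days (more than three years)" % days)
    if expected_sha256 is not None:
        observed = fingerprints(der_bytes)["sha256"]
        if not fingerprint_matches(observed, expected_sha256):
            findings.append("SHA-256 fingerprint %s does not match the known-good value" % observed)
    return findings


def inspect_live(hostname, port=443, expected_sha256=None, timeout=10):
    """Fetch the certificate a server presents and run assess() on it (network required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
            print("protocol:", tls.version(), " issuer:", issuer_name(cert))
    return assess(hostname, cert, der, expected_sha256)


# Constructed sample in getpeercert() layout; placeholder names, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example Placeholder CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}
SAMPLE_DER = b"constructed-placeholder-bytes-not-a-real-certificate"

if __name__ == "__main__":
    known_good = fingerprints(SAMPLE_DER)["sha256"]
    print(assess("www.example.test", SAMPLE_CERT, SAMPLE_DER, known_good))
    print(assess("evil.example.test", SAMPLE_CERT, SAMPLE_DER, "00:11"))
```

Two caveats when comparing fingerprints this way: compare values computed with the same hash algorithm (a SHA-1 fingerprint will never equal a SHA-256 one), and remember that large sites often serve several distinct certificates from different servers, so a mismatch against a reference obtained elsewhere means "look closer at the issuer and names", not automatically "tampering".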
In addition to all the other security tasks I recommend, this may seem like a lot of work. I don’t necessarily recommend you do this for every single website you visit, but I do recommend it for high-risk scenarios. Taking the time to verify HTTPS certificates gives you much more solid security than blindly trusting them.