Fingerprints of our SSL Certificates

Several users have wondered why we do not publish the fingerprints (i.e., the hash value) of our SSL certificates from Thawte on our website. Some websites do this – but we do not.

When checking the fingerprints of SSL certificates, the purpose is to ensure that no third party (Man-in-the-Middle) has interfered with the connection and manipulated what appears to be a secure connection with forged certificates.

However, a Man-in-the-Middle who successfully carried out such a manipulation could also alter the content of the website at the same time, including replacing the published SSL fingerprint with their own.

If a user then checked the SSL fingerprints, the manipulated fingerprints would match the manipulated certificate. This user would conclude that the website is authentic, giving them a false – and therefore dangerous – sense of security.

We at mailbox therefore publish our SSL fingerprints on a secure, third channel. The technology used for this is called DANE, which publishes SSL fingerprints directly in the DNS system of the domain. Since a Man-in-the-Middle has no way to manipulate this data, the entries are protected by the DNSSEC system with cryptographic signatures. DANE / DNSSEC thus provides a secure, independent medium for publishing the fingerprints of SSL certificates.

Modern browsers – or corresponding modern plug-ins – can verify a website’s DANE entries and inform the user about the authenticity of the SSL certificate, for example with a color indicator.

Alternatively, you can rely on an independent verification service that retrieves the corresponding DNS entry for you – for example:
https://www.huque.com/bin/danecheck.