Fingerprints of our SSL Certificates

Some users were surprised to find out that we do not publish the fingerprints of our SSL certificates from Thawte on our website. Some websites do, but we do not.

The reason for checking the fingerprints of SSL certificates would be to ensure that there is no ‘man in the middle’ who has activated the connection and manipulated the SSL connection with his own certificates.
However, a ‘man in the middle’ would at the same time also be able to change the content of the websites and replace the SSL fingerprint published on these sites with the SSL fingerprint he has used.
Any vigilant user wishing to check the SSL fingerprints would then see the compromised SSL fingerprints, which would match the manipulated certificate, and the user would be under the false impression that everything was perfectly fine, thereby exposing himself to risk.

mailbox.org publishes its SSL fingerprints on a secure third channel. The technology we use for this is called DANE, which publishes SSL fingerprints in the DNS system of the mailbox.org domain. In order to prevent a ‘man in the middle’ from manipulating data, the data published here via the ‘DNSSEC’ system is protected using in-house encrypted signatures. DANE/DNSSEC therefore provides a secure ‘second, independent medium’ through which the fingerprints of the SSL certificates can be published.

Modern browsers – or suitable plug-ins – can check a website’s DANE data and use independent, colored tags to inform the user about the authenticity of the SSL certificate. Alternatively, you can use an independent service to verify the SSL certificate, which can read the corresponding DNS entry for you - for example: https://www.huque.com/bin/danecheck.