
So I'm at place A and see this sign:

Secure Connection Failed

and I'm writing the fingerprints to a piece of paper (this website is just an example):

Certificate fingerprints

OK. Then I go to place B (another country, etc.) and check this site. The sign (for the self-signed cert) shows up again, OK. But: I get my paper out and check the fingerprint of the site. It's the same.

QUESTION: By checking the fingerprint of the website, could I be 100% sure that:

  • I'm visiting the same site (server) in both places (so no one can produce this fingerprint on another server? MITM?)
  • I'm secure because the content of the HTTPS connection cannot be sniffed.

p.s.: I'm using private browsing with Firefox on my notebook. The server side is mine too; I generated the self-signed certs. The notebook was rebooted in the meantime, so I have to click again on "I accept the risk, proceed anyway".

gasko peter
  • You are browsing via your own server to a client??? Please expand. If you are placing a self-signed cert in the equation and a server sounds like you are the man in the middle. – zedman9991 May 31 '13 at 12:08
  • If you're sure that you received the correct fingerprint the first time (ie. you're 100% sure that there was no MitM when you wrote the fingerprint on a paper) and you received the same fingerprint in another network, then yes, your assumptions are correct. – Adi May 31 '13 at 12:30
  • My notebook is the client and my server is the server. No VPN or SSH tunnel or anything, just browsing my server through the dangerous Internet. – gasko peter Jun 04 '13 at 15:12

2 Answers


Yes. While there is a small possibility of creating another cert with the same MD5 hash (an MD5 collision), there is basically no chance of two inputs having both the same MD5 and the same SHA-1 hashes. This dual-hash fingerprinting is used as evidence in court. You want to prove a file is the same file, or that a HDD's contents didn't change while it was in law enforcement's hands, etc.; this is how it is done.

Rod MacPherson
  • Can you please give some authentic site/URL that says the same as you are stating? Thanks!! – gasko peter Jun 04 '13 at 15:13
  • How's this? http://stackoverflow.com/questions/1323013/what-are-the-chances-that-two-messages-have-the-same-md5-digest-and-the-same-sha – Rod MacPherson Jun 06 '13 at 02:28
  • More on forensic use: "While the possibility of a hash colliding can not be discounted, but it can be reduced by increasing the effective bit length. This can be achieved by combining several hash algorithms or using more complex algorithms." http://www.dfrws.org/2010/proceedings/2010-314.pdf Page 7 – Rod MacPherson Jun 06 '13 at 03:00
  • Both DCFLDD and DC3DD use this method. http://books.google.ca/books?id=J8h8VWUmDuYC&pg=PA65&lpg=PA65&dq=dcfldd+hash+log&source=bl&ots=mSxhb2um74&sig=E471F5qeQogSXIY9u3qCpE55T2k&hl=en&sa=X&ei=1fivUYvZLOiZyAGs5YFY&sqi=2&ved=0CHIQ6AEwCA#v=onepage&q=dcfldd%20hash%20log&f=false – Rod MacPherson Jun 06 '13 at 03:02
  • As do Hardware Forensic duplicators: http://www.digitalintelligence.com/products/forensic_duplicator_2/ – Rod MacPherson Jun 06 '13 at 03:05
Yes, you have the guarantee that the certificate is the right one. This relies on second preimage resistance of the involved hash functions.

Resistance to collisions of a hash function h is about the hardness of finding two distinct inputs x and x' such that h(x) = h(x'). Resistance to second preimages is almost the same, except that x is fixed: given a value x, it should be infeasible to find a value x', distinct from x, such that h(x) = h(x'). That's your case here: x is the real certificate, which you verify from "place A" and then you write down h(x) on your paper. The attacker will succeed only if he can build a fake certificate x' whose hash matches what you wrote on your paper. The attacker does not get to choose x or the value you wrote on your paper; he must work within these constraints.

The nuance is of some importance because though MD5 is thoroughly broken with regards to collisions (and SHA-1 has been weakened, in a still-theoretical way), MD5 resistance to second preimages is still extremely good (almost as good as the theoretical maximum, and way beyond what can be cracked with foreseeable technology). Hence your safety. You don't even need to use both MD5 and SHA-1; checking either one is sufficient.

Be sure, though, to check all hexadecimal digits. If you only check the first few of them, this makes the attacker's task much easier.

Thomas Pornin
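The procedure the question describes (write down the fingerprint at place A, compare it at place B) and the "check all hexadecimal digits" point from the answer above, as an added Python example that is not part of the question or either answer. The DER certificate is a constructed byte string standing in for a real one read from disk; `fingerprint`, `verify_pinned` and `tries_to_match_prefix` are names chosen here.

```python
import hashlib
import hmac

# Constructed stand-in for the DER bytes of the self-signed server certificate;
# a real one would be read from disk, e.g. open("server.der", "rb").read().
SERVER_CERT_DER = b"constructed stand-in for the server's DER-encoded certificate"

# Hex digits in a full fingerprint for each algorithm a browser may display.
FULL_HEX_DIGITS = {"md5": 32, "sha1": 40, "sha256": 64}


def fingerprint(cert_der: bytes, algo: str = "sha1") -> str:
    """Fingerprint as a browser shows it: hash of the DER bytes, upper-case
    hex, byte pairs separated by colons."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(written_fp: str) -> str:
    """Reduce a hand-copied fingerprint (colons, spaces, mixed case) to bare hex."""
    return "".join(c for c in written_fp.lower() if c in "0123456789abcdef")


def verify_pinned(cert_der: bytes, written_fp: str, algo: str = "sha1") -> bool:
    """Compare the certificate presented at place B with the fingerprint written
    down at place A. Refuses truncated pins (every hex digit must be checked)
    and compares in constant time."""
    expected = normalize(written_fp)
    if len(expected) != FULL_HEX_DIGITS[algo]:
        raise ValueError(
            f"pin has {len(expected)} hex digits, a full {algo} fingerprint has "
            f"{FULL_HEX_DIGITS[algo]}; never compare a truncated fingerprint")
    actual = hashlib.new(algo, cert_der).hexdigest()
    return hmac.compare_digest(actual, expected)


def tries_to_match_prefix(prefix_hex: str, algo: str = "sha1", limit: int = 1_000_000) -> int:
    """Work factor of a truncated check: how many throwaway inputs must be hashed
    before one's fingerprint starts with the given prefix. Expected cost is about
    16**len(prefix_hex), against 16**40 for a full SHA-1 fingerprint."""
    prefix_hex = prefix_hex.lower()
    for n in range(1, limit + 1):
        candidate = b"constructed throwaway input %d" % n
        if hashlib.new(algo, candidate).hexdigest().startswith(prefix_hex):
            return n
    raise RuntimeError("no match within limit")


if __name__ == "__main__":
    fp = fingerprint(SERVER_CERT_DER)
    print("sha1 fingerprint:", fp)
    print("place B matches paper:", verify_pinned(SERVER_CERT_DER, fp))
    print("tries to match first 2 hex digits:", tries_to_match_prefix(fp[:2]))
```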