
I have a few self-signed certificates that I use, and I find it tedious comparing the entire hex value of the hash when accepting it in a new location. To be honest I usually just look at the first couple or the last couple digits. If it were in some kind of visual form like gravatars are in, I feel like I would more easily identify whether or not they are correct.

I should probably be copying the certificates across as files and installing them rather than manually checking the hash and then accepting them, but it is just so much easier to simply accept them sometimes.

Probably if it's something a human can identify right away visually, then there's not enough entropy to be very confident in its identity. I am just wanting a better way than looking at the first couple digits to bridge a bit of the gap between what's convenient and what's truly secure.

Is there any merit to the idea of certificate viewing software showing a gravatar/identicon for the hash of an SSL certificate, to aid in identifying it?

Nacht
  • A similar question was also raised here: [User-friendly TLS certificate validation](https://security.stackexchange.com/questions/87015/user-friendly-tls-certificate-validation) – WhiteWinterWolf Jun 05 '15 at 08:15

1 Answer


Is there any merit to the idea of certificate viewing software showing a gravatar/identicon for the hash of an SSL certificate, to aid in identifying it?

Yes. At least with OpenSSH this has been done. I don't see why it wouldn't work with SSL as well. But I know of no (live) implementation. There was a thesis from 2004 that showed an implementation of this for Mozilla, but I don't think it was more than a proof of concept. (See "Further reading" section.)

OpenSSH calls these images "RandomArt", "SSH Fingerprint ASCII Visualisation", "Visual fingerprint", "Visual Host Key". They have been there since version 5.1 from 2008. But I've only ever seen these images when creating a new key. Not when actually using one with ssh. (And that's because it's off by default on all ssh clients I've come across. You need the -o VisualHostKey=yes option.)

Further reading

StackzOfZtuff
  • Two more suggestions here: http://security.stackexchange.com/a/90610/61443 – Mike Ounsworth Jun 01 '15 at 15:17
  • Has someone already suggested implementing this in a browser, besides the one cited? Some browsers, like Chrome, could show it when users click "Advanced" on an SSL error. Maybe also show a button to permanently trust the certificate (like Mozilla does) when it repeats after some time. Of course it needs to be disabled when HSTS is used. – Gustavo Rodrigues Jun 11 '15 at 14:20
  • @GustavoRodrigues: No. I don't know any. – StackzOfZtuff Jun 11 '15 at 14:35
  • @GustavoRodrigues, that was basically what I was thinking could happen, or perhaps for plugins to be developed. – Nacht Jun 12 '15 at 01:35
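To make the answer's OpenSSH reference concrete, here is an added example (not code from the post, and not OpenSSH's own source): a Python port of the "drunken bishop" algorithm behind `VisualHostKey`, applied to the SHA-256 fingerprint of a certificate. The `cert_randomart` helper and the certificate bytes fed to it are assumptions for illustration; in practice you would pass the DER bytes of the real certificate.

```python
"""Draw an OpenSSH-style "randomart" picture for a certificate fingerprint.

Added example, not from the original post: a port of the drunken-bishop
walk OpenSSH uses for VisualHostKey (17x9 field, 2-bit moves, LSB first).
"""
import hashlib

FLD_X, FLD_Y = 17, 9                 # field size used by OpenSSH
SYMBOLS = " .o+=*BOX@%&#/^SE"        # visit count -> glyph; 'S' start, 'E' end
MAX_VAL = len(SYMBOLS) - 3           # counts saturate at '^' (14)


def randomart(digest: bytes, title: str = "", footer: str = "") -> str:
    """Each digest byte yields four moves: bit0 picks left/right, bit1 picks
    up/down; the bishop is clamped to the board and each landing is counted."""
    field = [[0] * FLD_X for _ in range(FLD_Y)]
    x, y = FLD_X // 2, FLD_Y // 2
    for byte in digest:
        for _ in range(4):
            x = min(max(x + (1 if byte & 1 else -1), 0), FLD_X - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), FLD_Y - 1)
            if field[y][x] < MAX_VAL:
                field[y][x] += 1
            byte >>= 2
    field[FLD_Y // 2][FLD_X // 2] = len(SYMBOLS) - 2   # mark start 'S'
    field[y][x] = len(SYMBOLS) - 1                     # mark end 'E' (may cover 'S')

    def border(label: str) -> str:
        # centre the label in the border, same split OpenSSH uses
        left = (FLD_X - len(label)) // 2
        return "+" + "-" * left + label + "-" * (FLD_X - left - len(label)) + "+"

    rows = ["|" + "".join(SYMBOLS[v] for v in row) + "|" for row in field]
    return "\n".join([border(title), *rows, border(footer)])


def cert_randomart(der: bytes) -> str:
    """Randomart keyed on the SHA-256 fingerprint of a DER-encoded certificate.
    (Assumed helper; the bytes passed in the demo below are constructed.)"""
    return randomart(hashlib.sha256(der).digest(), "[X.509]", "[SHA256]")


if __name__ == "__main__":
    # Constructed placeholder standing in for a real certificate's DER bytes.
    print(cert_randomart(b"constructed-placeholder-not-a-real-certificate"))
```

Two pictures that differ expose a mismatch at a glance; two that look alike do not prove a match, so the full hex fingerprint still has to be compared before a certificate is trusted.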