How can I verify a certificate's fingerprints?

I use gmail with mutt over imap. imaps://imap.gmail.com:993

Today when I launched mutt, it prompted me to reject or accept a certificate. Screenshot:

q:Exit  ?:Help


This certificate belongs to:
   Google Internet Authority
   Google Inc

       US

This certificate was issued by:

   Equifax
   Equifax Secure Certificate Authority
       US

This certificate is valid
   from Wed, 12 Dec 2012 15:58:50 UTC
     to Tue, 31 Dec 2013 15:58:50 UTC
SHA1 Fingerprint: 5967 6E6B DD9F 4D9D DAE6 A15D 9DBC DF24 357C F776
MD5 Fingerprint: 5799 FA8E 83BC E022 0721 988A 0172 7ECB


-- Mutt: SSL Certificate check (certificate 1 of 2 in chain)
(r)eject, accept (o)nce, (a)ccept always

How can I verify that this really is the right certificate? Should I be making sure the fingerprints match?

djeikyb

Posted 2013-04-30T18:08:21.680

Reputation: 891

Answers


You can verify the cert, but only by comparing it to a known-legit copy. See here for one example: http://kamivaniea.com/?p=507

The issue here is that since you are attempting to validate the cert on gmail.com:443, and that's where you got this cert in the first place, you don't have a known good cert to compare to.

Here is some more info on cert fingerprinting: http://en.wikipedia.org/wiki/Public_key_fingerprint

It's been my experience that when you allow a cert, the best bet is to make sure you are accessing the correct server address. Then once it's imported, if you ever accidentally fat-finger the URL, you will be advised that the cert presented does not match the cached version, and that your communication may not be secure.

Frank Thomas

Posted 2013-04-30T18:08:21.680

Reputation: 29 039

So, ideally, Google would publish the fingerprints for their various fingerprints. I feel like if I hit accept, I'm blindly trusting this certificate, since I don't know where to access a known legit copy. – djeikyb – 2013-04-30T20:10:39.280

Also, since the cert claims to be issued by Equifax, is there a way to verify that instead of the fingerprints for gmail's imap? – djeikyb – 2013-04-30T22:41:02.677
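An added example (not code from the question or the answer) of the comparison the answer describes: given a fingerprint obtained through a separate trusted channel, in either mutt's space-grouped notation from the prompt above or OpenSSL's colon-separated notation, it checks that value against the certificate a server actually presents. The host and port are the question's imap.gmail.com:993; the function names and the command-line argument layout are choices made here, and the sample bytes in the usage below are a constructed stand-in for a real DER certificate.

```python
import hashlib
import hmac
import re
import ssl
import sys

# The two digests mutt shows in its certificate prompt.
ALGORITHMS = ("sha1", "md5")


def normalize(fingerprint: str) -> str:
    """Reduce any common fingerprint notation to bare uppercase hex.

    Accepts mutt's space-grouped form ("5967 6E6B ..."), OpenSSL's
    colon-separated form ("59:67:6E:...") and an optional
    "SHA1 Fingerprint=" prefix, so values from either tool compare equal.
    """
    value = fingerprint.split("=", 1)[-1]
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def fingerprint(der_bytes: bytes, algorithm: str = "sha1") -> str:
    """Digest the DER-encoded certificate and render it the way mutt does:
    uppercase hex in groups of four characters."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def fingerprint_matches(der_bytes: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Compare the presented certificate with a fingerprint obtained out of band."""
    actual = normalize(fingerprint(der_bytes, algorithm))
    return hmac.compare_digest(actual, normalize(expected))


def fetch_der(host: str, port: int) -> bytes:
    """Download the leaf certificate a server presents, without validating it.
    The bytes prove nothing by themselves; only the comparison does."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Usage: python check_fp.py imap.gmail.com 993 "<SHA1 fingerprint from a trusted source>"
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    der = fetch_der(host, port)
    print("presented SHA1:", fingerprint(der, "sha1"))
    print("matches expected:", fingerprint_matches(der, expected, "sha1"))
```

The download step deliberately skips chain validation, because the point of the check is the out-of-band fingerprint, not the CA; a match on the leaf's SHA1 is what tells you the server you reached is the one whose fingerprint you were given.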