TL;DR
This guide explains how to check which countries a browser trusts via its root Certificate Authorities (CAs), and how to verify the fingerprint of certificates used by websites. This helps ensure your connection is secure and hasn’t been tampered with.
Checking Root CA Accepted Countries
- Understand Root CAs: Browsers come pre-loaded with a list of trusted root CAs. These act like digital IDs for websites. If a website’s certificate chains to a trusted root CA, your browser accepts it as trusted, though a valid certificate alone does not make a site trustworthy.
- Using the Browser’s Certificate Viewer: Most browsers have a built-in tool to view certificates.
  - Chrome/Edge: Click the padlock icon in the address bar → ‘Connection is secure’ → ‘Certificate is valid’. Then go to the ‘Details’ tab.
  - Firefox: Click the padlock icon → ‘Connection Secure’ → ‘More Information’ → ‘View Certificate’. Then go to the ‘Details’ tab.
- Finding Authority Information Access (AIA): In the certificate details, look for a section called ‘Authority Information Access’. This often contains URLs pointing to where you can download more information about the CA.
- Visiting the AIA URL: Click on one of the AIA URLs. This will usually take you to the CA’s website.
- Checking Trusted Countries/Regions: On the CA’s website, look for a section detailing which countries they issue certificates to. This information isn’t always easy to find; search for terms like ‘eligible countries’, ‘certificate policy’, or ‘trust anchor’. Some CAs publish this in a Certificate Policy document (CP).
- Example: Let’s Encrypt issues certificates globally. You can confirm this on their website.
Checking Certificate Fingerprints
A certificate fingerprint is a unique ‘hash’ of the certificate. It’s like a digital summary. If the certificate changes, the fingerprint will change too. This helps verify that you are connecting to the correct server.
- Obtain the Certificate: Use your browser’s certificate viewer (as described above) to access the website’s certificate.
- Find the Fingerprint: In the ‘Details’ tab of the certificate, look for a section called ‘Fingerprint’. It will usually be displayed in multiple formats (SHA-1, SHA-256). The SHA-256 fingerprint is preferred because SHA-1 is no longer considered collision-resistant.
Example SHA256 Fingerprint:
- Verify the Fingerprint: Compare the fingerprint shown in your browser to a known-good value. Where can you get this ‘known-good’ value?
- Website Documentation: Some websites publish their certificate fingerprints on their documentation pages or security policies.
- Security Headers: Check for HTTP security headers such as Certificate Transparency (CT), which may include the fingerprint. You can use online tools to inspect headers, such as SecurityHeaders.io.
- Command Line Tools (OpenSSL): If you have access to the server, you can extract the fingerprint directly using OpenSSL:
  openssl x509 -noout -fingerprint -sha256 -in certificate.pem
- If Fingerprints Don’t Match: If the fingerprint doesn’t match, do not proceed! This could indicate a man-in-the-middle attack or that you are connecting to the wrong server.
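The steps above can be automated so that the comparison is done by a script rather than by eye, which avoids mistakes such as comparing a colon-separated browser value against a bare hex string, or doing a length-leaking string compare. The following is an added example, not code from the original guide: it converts PEM to DER with the Python standard library, computes the SHA-256 fingerprint in the browser’s colon-separated format, normalizes whatever form the known-good value arrives in, and compares in constant time. The 64 sample bytes are constructed and are not a real certificate (a fingerprint is simply a hash over the DER bytes, so the arithmetic is the same); `fetch_pem` is a hypothetical helper for the live-server case and is not exercised offline.

```python
import hashlib
import hmac
import ssl

# Constructed sample: these 64 bytes stand in for a DER-encoded certificate.
# They are NOT a real certificate; fingerprinting only hashes the DER bytes,
# so the procedure is identical for a real one.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to raw DER bytes (stdlib helper)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Return the fingerprint in the browser's colon-separated, upper-case form."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd', 'abcd', ... and return lower-case hex with no separators."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprints_match(observed: str, known_good: str) -> bool:
    """Compare two SHA-256 fingerprints after normalization, in constant time."""
    a, b = normalize(observed), normalize(known_good)
    if len(a) != 64 or len(b) != 64:  # SHA-256 is 32 bytes = 64 hex characters
        return False
    return hmac.compare_digest(a, b)


def verify(pem: str, known_good: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the known-good value."""
    return fingerprints_match(fingerprint(pem_to_der(pem)), known_good)


def fetch_pem(host: str, port: int = 443) -> str:
    """Hypothetical helper: fetch the leaf certificate a server presents (needs network)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    good = fingerprint(SAMPLE_DER)
    print("SHA-256 fingerprint:", good)
    print("sample matches pinned value:", verify(SAMPLE_PEM, good))

    # Failure mode: flip one bit of the certificate and the fingerprint no longer matches.
    tampered = bytearray(SAMPLE_DER)
    tampered[0] ^= 0x01
    print("tampered cert matches pinned value:",
          verify(ssl.DER_cert_to_PEM_cert(bytes(tampered)), good))
```

A pinned value should come from an out-of-band source (the site’s documentation, or a fingerprint you recorded on a known-good connection); if `verify` returns False the right response is the one the guide gives: stop and do not proceed.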
Additional Notes
- Certificate Transparency (CT): CT logs help detect and prevent misissued certificates. Browsers increasingly require CT for trusted connections.
- Regular Updates: Keep your browser updated to ensure you have the latest root CA list and security features.
- Cyber Security Best Practice: Always be cautious about websites asking for sensitive information, even if they appear secure.