How can I verify a certificate's fingerprints?
I use gmail with mutt over imap. imaps://imap.gmail.com:993
Today when I launched mutt, it prompted me to reject or accept a certificate. Screenshot:
q:Exit ?:Help
This certificate belongs to:
Google Internet Authority
Google Inc
US
This certificate was issued by:
Equifax
Equifax Secure Certificate Authority
US
This certificate is valid
from Wed, 12 Dec 2012 15:58:50 UTC
to Tue, 31 Dec 2013 15:58:50 UTC
SHA1 Fingerprint: 5967 6E6B DD9F 4D9D DAE6 A15D 9DBC DF24 357C F776
MD5 Fingerprint: 5799 FA8E 83BC E022 0721 988A 0172 7ECB
-- Mutt: SSL Certificate check (certificate 1 of 2 in chain)
(r)eject, accept (o)nce, (a)ccept always
How can I verify that this really is the right certificate? Should I be making sure the fingerprints match?
You can verify the cert, but only by comparing it to a known-legit copy. See here for one example: http://kamivaniea.com/?p=507
The issue here is that since you are attempting to validate the cert on gmail.com:443, and that's where you got this cert in the first place, you don't have a known good cert to compare to.
Here is some more info on cert fingerprinting: http://en.wikipedia.org/wiki/Public_key_fingerprint
It's been my experience that when you allow a cert, the best bet is to make sure you are accessing the correct server address. Then once it's imported, if you ever accidentally fat-finger the URL, you will be advised that the cert presented does not match the cached version, and that your communication may not be secure.
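To make the comparison the answer describes concrete, here is an added example (not code from the question or the answer) that computes a certificate's fingerprint the way mutt displays it and checks it against a reference value obtained elsewhere. A fingerprint is just a hash over the certificate's DER bytes, so the sample below hashes a constructed byte string in PEM framing rather than a real certificate; the function names, the chain/index layout of `verify_chain` and the sample data are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample, NOT a real certificate: an arbitrary byte string wrapped
# in PEM framing so the parse-and-hash path can be exercised offline. A real
# certificate's body is DER-encoded ASN.1; the fingerprint is simply a hash of
# those DER bytes, which is all the functions below depend on.
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_certificates(text):
    """Return the DER bytes of every certificate in a PEM file or chain.

    A PEM file may hold a whole chain, and mutt prompts for each element
    ("certificate 1 of 2 in chain"), so a list is returned, in file order.
    """
    ders = []
    for body in _PEM_BLOCK.findall(text):
        # base64 payload with all line breaks and whitespace removed
        compact = "".join(body.split())
        ders.append(base64.b64decode(compact, validate=True))
    return ders


def fingerprint(der, algo="sha1"):
    """Hash the DER bytes and format like mutt: upper-case hex in groups of 4."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp):
    """Strip separators and upper-case, so "59:67:6e" matches "5967 6E"."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def same_fingerprint(a, b):
    """Compare two fingerprints regardless of how they were written down."""
    return hmac.compare_digest(normalize(a), normalize(b))


def verify_chain(pem_text, expected):
    """Check a PEM chain against fingerprints obtained out of band.

    expected maps a 0-based certificate index to {algo: fingerprint}.
    Returns {index: {algo: bool}}; an index beyond the chain is False,
    because a reference with nothing to compare to cannot pass.
    """
    ders = pem_certificates(pem_text)
    results = {}
    for index, per_algo in expected.items():
        if index >= len(ders):
            results[index] = {algo: False for algo in per_algo}
            continue
        results[index] = {
            algo: same_fingerprint(fingerprint(ders[index], algo), ref)
            for algo, ref in per_algo.items()
        }
    return results


if __name__ == "__main__":
    # Prints the same two lines mutt shows in its prompt, for the sample data.
    for der in pem_certificates(SAMPLE_PEM):
        print("SHA1 Fingerprint:", fingerprint(der, "sha1"))
        print("MD5 Fingerprint: ", fingerprint(der, "md5"))
```

For a real check, save the chain the server presents (for example with `openssl s_client -connect imap.gmail.com:993 -showcerts </dev/null`) and feed the file to `pem_certificates`; `openssl x509 -noout -fingerprint -sha1 -in cert.pem` prints the same SHA1 value colon-separated, which `same_fingerprint` accepts. The reference fingerprints in `expected` must come from somewhere other than the connection being checked (a copy obtained earlier, or one published by the operator through another channel), otherwise, as the answer points out, the comparison proves nothing.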