
I have an app installed on my Android device that shows me if the SHA256 fingerprint has been changed. It often shows that it has been altered when I run it for YouTube.com and it once showed for Instagram.com. I tried using a VPN and it didn't show afterwards.

The app basically says that it detects the SSL interception of web traffic which will decrypt an encrypted session. The test is accomplished by comparing the HTTPS certificate fingerprint of the website on your device vs the fingerprint shown on an external server. I'm curious if it is really a concern as I do a lot of private video calls on Instagram. Are those getting recorded or anything without my knowledge?

PS: I do not have any shady app on my device.

Krwl8

1 Answer


Check the actual certificate the sites return. Certificates will expire after a while, meaning they get replaced with new versions.

Besides that, bigger sites with multiple datacenters, such as YouTube (Google) and Instagram (Facebook), might even use different certificates for different regions. This would explain why it doesn't show up while using a VPN. Also because of IP routing, special server configurations, ... you might end up connecting to different servers/regions (with different certificates) from day to day or so.

Assuming that the certificate is properly signed, valid and not revoked, you should be fine, even if the fingerprint changes. For malicious people to perform a man-in-the-middle attack with a valid SSL, they'd either need to have a valid certificate themselves (which would get revoked), access to the site's servers (which is a lost cause) or add a malicious root certificate to your device (which is a whole other problem).

> The test is accomplished by comparing the HTTPS certificate fingerprint of the website on your device vs the fingerprint shown on an external server.

Mind that that external server might also have a different/outdated fingerprint compared to you, for any of the reasons above or others.

Kelvin Schoofs
  • Thank you. I checked it again and what happens is that now whenever I connect to the VPN it doesn't show any change in certificate right away. After a while it starts showing in VPN too. Is it the server thing you are talking about or an actual MitM? – Krwl8 Aug 02 '21 at 04:02
  • Another thing; I checked and the fingerprint it shows is actually different from the site's fingerprint – Krwl8 Aug 02 '21 at 04:09
  • edit: not every time, the fingerprint does remain the same often. – Krwl8 Aug 02 '21 at 04:33
  • As long as your trusted browser (e.g. Chrome) doesn't complain about the certificate, it's fine. You can see [here](https://transparencyreport.google.com/https/certificates?cert_search=include_subdomains:true;domain:googlevideo.com;issuer_uid:-3887704328530850609&lu=cert_search) for example that Google's `GTS CA 1C` issuer issues several certificates a week. Like I said, the fingerprint changing _can_ be an indicator for MitM, but is most likely a false negative. – Kelvin Schoofs Aug 02 '21 at 15:17
  • Aight mate. Thanks a lot – Krwl8 Aug 02 '21 at 17:39
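
The check discussed in this thread, as an added example that is not part of the original answer or of the app in question: it validates the chain against the local trust store first and only then compares the leaf's SHA-256 fingerprint with one observed elsewhere. The function names, result labels and `SAMPLE_*` byte strings are assumptions made for illustration.

```python
import hashlib
import re
import socket
import ssl

# Constructed stand-ins for two DER certificates (not real certificates).
SAMPLE_A = b"constructed-der-bytes-edge-server-1"
SAMPLE_B = b"constructed-der-bytes-edge-server-2"

def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Strip separators and case so fingerprints from different tools compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def fetch_leaf(host, port=443, timeout=5.0):
    """Return (chain_ok, fingerprint, issuer_cn) for what the server presents.

    chain_ok is True only if the local trust store validated the chain and
    the hostname matched; this needs network access.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, sha256_fingerprint(der), issuer.get("commonName")
    except ssl.SSLCertVerificationError:
        return False, None, None

def assess(chain_ok, local_fp, reference_fp):
    """Classify a comparison against a fingerprint seen from elsewhere."""
    if not chain_ok:
        return "untrusted-chain"       # validation failed: do not proceed
    if normalize(local_fp) == normalize(reference_fp):
        return "match"
    # Valid chain, different leaf: rotation or another datacenter is the
    # usual cause; review the issuer and any user-installed root CAs.
    return "valid-but-different"

if __name__ == "__main__":
    ok, fp, issuer = fetch_leaf("youtube.com")
    print(ok, fp, issuer)
```

A `valid-but-different` result is the case the answer describes as expected for large sites; the issuer name returned by `fetch_leaf` is what to compare against the site's usual CA.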