Is there a way to distinguish between verified TLS and unverified TLS?

Hey Extrahop team,

While majority of TLS sessions are established with using a public key certificate that can be verified by the other party by checking the chain of trust to an already trusted higher level cert, some are not. They typically use self-signed certificates or maybe the cert was expired or the CN doesn’t match, but the other party may agree to proceed with establishing the session anyway. Therefore, such a connection satisfies the requirement of confidentiality as it is encrypted, it is not authenticated on the TLS level, as it cannot be proven that the public key certificate didn’t pass the verification and could’ve been supplied by an adversary performing a MITM attack.

Is there a way to determine such successfully established sessions over non trusted public key certificates and distinguish them from verified public key certificates TLS sessions?

Thank you!

Hi @gespenstern,

The answer is yes and no. The triggers API exposes some relevant properties for the certificate such as notAfter and isSelfSigned, which would allow you to detect expired and self signed certificates. However, ExtraHop does not validate the certificate chain. Doing so would require ExtraHop to know all your trusted certificate authorities. You could potentially export the certificate hash and ensure that it matches a known, trusted certificate. I hope this helps!

Hey @gespenstern,

Can you give us a little more detail about the scenario? For example, does this scenario involve a browser where the user is manually bypassing certificate warnings? If so, we should be able to catch the SSL alerts that the browser sends when the cert isn’t trusted, and then be on the watch for subsequent connections with the same cert. I know that Chrome, for example, will send a “certificate_unknown” alert for expired certs. Let me know if a trigger along those lines would be useful.

As @webslinger said, you grab the cert’s SHA1 hash through cert.fingerprint and this can be used to look up the cert in Certificate Transparency logs like https://crt.sh