Hey Extrahop team,
While majority of TLS sessions are established with using a public key certificate that can be verified by the other party by checking the chain of trust to an already trusted higher level cert, some are not. They typically use self-signed certificates or maybe the cert was expired or the CN doesn’t match, but the other party may agree to proceed with establishing the session anyway. Therefore, such a connection satisfies the requirement of confidentiality as it is encrypted, it is not authenticated on the TLS level, as it cannot be proven that the public key certificate didn’t pass the verification and could’ve been supplied by an adversary performing a MITM attack.
Is there a way to determine such successfully established sessions over non trusted public key certificates and distinguish them from verified public key certificates TLS sessions?