Feature #208

Calculate SSL certificate fingerprints

Added by bill bunter over 6 years ago. Updated over 5 years ago.

Would like to see certificate fingerprint on the certificate dialogue.
Android 4.4.2
WebKit 537.36

Actions #1

Updated by Soren Stoutner over 6 years ago

  • Assignee changed from bill bunter to Soren Stoutner
  • Priority changed from 2 to 3.x

I agree that it would be nice to display the certificate fingerprint. Amazingly to me, Google does not make it easy to get access to it.

It should be possible to calculate the certificate myself, but it looks like this would require having access to the entire certificate in DER form.

My guess is that it won't be possible to get that level of access until after `WebView` is forked to produce Privacy WebView. Accordingly, I will revisit this during the 4.x series.

Actions #2

Updated by Soren Stoutner over 6 years ago

  • Subject changed from website certificate info to Calculate SSL certificate fingerprints

Actions #3

Updated by bill bunter over 6 years ago

The fingerprint is the only sure way to verify the cert is not a fake one as part of a MITM attack. You can verify it by going to
That server has tier 3 internet access and cannot be MITM attacked, so when it retrieves the fingerprint you know it is the genuine one. If we see the same fingerprint we know we should pin that cert in Domain pinning.
BTW, I have been using Privacy Browser for the past few months as my default browser. I like it a lot; you did some nice work on it, thank you.
I am a member at Browser technology and security/privacy issues are some of the main topics of conversation in the forums; we are mostly IT specialists, developers and privacy advocates. I hope you might consider joining

Actions #4

Updated by Soren Stoutner over 6 years ago

  • Priority changed from 3.x to 2

1. I'm glad you enjoy using Privacy Browser. And I appreciate the suggestions you have made for improving it.

2. When I started working on the SSL certificate pinning feature, my original intention was to use the certificate fingerprints to check for matches. I was surprised that Android does not make that easy to do. Digging a bit more into the documentation, it looks like if I can get a handle on the certificate in either `Certificate` or `X509Certificate` form I can use either `getEncoded()` or `getTBSCertificate()`, respectively, to access the DER encoded certificate, and from there calculate the SHA-1 hash. `WebView` does not expose either a `Certificate` or an `X509Certificate`, and it does not appear possible to convert `SslCertificate` to either of these. But it does look like it is possible to retrieve an `X509Certificate` directly from the web server if one is willing to put forth a bit of work, which is easier than I had initially expected. I will dig into this deeper during the second half of the 2.x cycle.

3. Having a tier 3 internet connection does not make impervious to MITM attacks. For example, to connect to another machine on the internet and retrieve the SSL certificate, most packets from will need to transit through one of the 6 tier 1 providers (Level 3 Communications, Telia Carrier, NTT, Cogent, GTT, and Tata Communications).

It is likely that the NSA has access to most, if not all, tier 1 providers, either with the companies' assistance or through tapping of underwater fiber cables. Other large government intelligence agencies have similar programs.

As another example, most of the web servers that is connecting to in order to retrieve their SSL certificates are located in data centers. Typically there are only a few routers that control all traffic into and out of the data centers. If those routers have been compromised, then whoever has illicit access to them can perform a MITM attack on any data passing to the servers in that data center.

4. Thanks for the tip about I have posted a thread requesting feedback and suggestions.
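
The approach sketched in point 2 above, written out as an added example (this is not Privacy Browser's code and not from anyone in this thread): fetch the leaf certificate the server presents with `HttpsURLConnection`, hash its DER encoding from `getEncoded()`, format the result the way browsers and OpenSSL display it, and compare it against a pinned value. One caveat on point 2 that the example encodes in a comment: the fingerprint browsers show is a hash over the complete DER certificate (`getEncoded()`), not over the TBS portion (`getTBSCertificate()`), which omits the outer signature; hashing the TBS bytes gives a value that will never match what a user reads off another tool. The host name, the `fromDer` helper and the `matchesPin` routine are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

public class CertFingerprint {

    // Render a digest as the colon-separated upper-case hex that browsers and
    // `openssl x509 -fingerprint` print, e.g. "AB:CD:...".
    static String toColonHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    // The standard fingerprint is the hash over the whole DER certificate, which is
    // what getEncoded() returns. getTBSCertificate() covers only the "to be signed"
    // part (no signature algorithm, no signature) and yields a different value.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return toColonHex(md.digest(cert.getEncoded()));
    }

    // Hypothetical helper: rebuild an X509Certificate from raw DER bytes, for the
    // case where the certificate is obtained as a byte array rather than an object.
    static X509Certificate fromDer(byte[] der) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    // Retrieve the leaf certificate the server actually presented. WebView does not
    // hand this out, so a second TLS connection is opened just to read the chain.
    static X509Certificate fetchLeaf(String host) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://" + host + "/").openConnection();
        conn.setRequestMethod("HEAD");
        try {
            conn.getResponseCode();                       // forces the TLS handshake
            Certificate[] chain = conn.getServerCertificates(); // leaf is chain[0]
            return (X509Certificate) chain[0];
        } finally {
            conn.disconnect();
        }
    }

    // Hypothetical pin check: normalise both strings (drop colons, fold case) and
    // compare in constant time so the comparison itself does not leak a prefix match.
    static boolean matchesPin(String observed, String pinned) {
        byte[] a = observed.replace(":", "").toUpperCase().getBytes(StandardCharsets.US_ASCII);
        byte[] b = pinned.replace(":", "").toUpperCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // assumed host for the demo
        X509Certificate leaf = fetchLeaf(host);
        String sha1 = fingerprint(leaf, "SHA-1");
        String sha256 = fingerprint(leaf, "SHA-256");
        System.out.println("Subject : " + leaf.getSubjectX500Principal());
        System.out.println("SHA-1   : " + sha1);
        System.out.println("SHA-256 : " + sha256);
        // A pinned value would normally come from the user's saved domain settings;
        // here the freshly computed one is used only to show the check wiring.
        System.out.println("Pin OK  : " + matchesPin(sha256, sha256));
    }
}
```

Two practical notes. On Android the `fetchLeaf` call must run off the UI thread (a network call on the main thread throws `NetworkOnMainThreadException`), and the extra connection travels the same network path as the `WebView`'s, so a fingerprint obtained this way only proves something when it is compared with a value the user got out of band, which is exactly the point made in item 3. Newer Android releases (API 29 and later) added `SslCertificate.getX509Certificate()`, which removes the need for the second connection on those devices, but the hashing and comparison steps above are the same either way.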

Actions #5

Updated by Soren Stoutner over 5 years ago

  • Priority changed from 2 to 4.x
