Mailfence launches new blog: new SSL certificate

This is a follow-up to our last blog post, Mailfence launches new blog. We are now using a new SSL certificate solely for this blog, which can be checked by following the guidelines below.

  • For Chrome:
    1. Click on the lock button in front of the URL.
    2. Go to Details and click on View Certificate.
  • For Firefox:
    1. Click on the lock button in front of the URL and click on More Information.
    2. Go to Security and click on View Certificate.
  • For Safari:
    1. Click on the lock button in front of the URL.
    2. Select Show Certificate; in Details, scroll to the bottom of the page.

Note: make sure you are looking at the certificate for blog.mailfence.com

Mailfence owns this blog

Following sound crypto practices, we have digitally signed our blog.mailfence.com certificate with our Mailfence SSL certificate, to assert its legitimate affiliation with Mailfence and to allow our users to further verify its validity using the openssl tool.

Guidelines for verifying the digital signature:

  1. Setting up the environment
    getcert() { openssl s_client -servername "$1" -connect "${1}:443" 2>/dev/null </dev/null | openssl x509; }
  2. Getting mailfence.com SSL certificate
    OLDCERT=old.crt
    getcert mailfence.com > $OLDCERT
  3. Getting blog.mailfence.com SSL certificate
    NEWCERT=new.crt
    getcert blog.mailfence.com > $NEWCERT
  4. Extracting public key from mailfence.com SSL certificate
    openssl x509 -in ${OLDCERT} -pubkey -noout > ${OLDCERT}.pub
  5. Obtaining the digital signature that needs to be verified
    curl -s -o ${NEWCERT}.sha512 https://blog.mailfence.com/wp-content/uploads/2016/11/blog_mailfence_com_20161118.sha512
  6. Verifying the signature
    openssl dgst -sha512 -verify ${OLDCERT}.pub -signature ${NEWCERT}.sha512 ${NEWCERT}
  7. You should now see the message “Verified OK”.

Note: This is a one-time signature and will remain valid until the expiration date of either of the two sites’ SSL certificates (in this case: blog.mailfence.com, November 17 – 2017). If you would still like to verify this digital signature after that date, export both of the current mailfence.com and blog.mailfence.com certificates to your local machine, and use them instead in steps 2, 3 and 4.
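
The sign-and-verify round trip behind steps 4 to 6, as an added example that is not Mailfence's own code: it generates throwaway self-signed certificates (constructed stand-ins with the CNs main.example and blog.example; the function names are hypothetical), signs one with the other's private key, and shows which inputs the check rejects.

```shell
#!/usr/bin/env bash
# Added example: local round trip of the cross-signing check. All keys and
# certificates are constructed, self-signed stand-ins, not Mailfence's.

# make_cert <name> <CN>: write <name>.key and a self-signed <name>.crt
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# sign_cert <signer.key> <cert.crt>: publisher side, writes <cert.crt>.sha512
sign_cert() {
  openssl dgst -sha512 -sign "$1" -out "$2.sha512" "$2"
}

# verify_cert <signer.crt> <cert.crt>: reader side (steps 4 and 6);
# returns 0 only when openssl reports "Verified OK"
verify_cert() {
  openssl x509 -in "$1" -pubkey -noout > "$1.pub" &&
    openssl dgst -sha512 -verify "$1.pub" -signature "$2.sha512" "$2" >/dev/null 2>&1
}

demo() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  trap 'rm -rf "$dir"' EXIT
  make_cert old main.example && make_cert new blog.example &&
    make_cert rogue blog.example && sign_cert old.key new.crt || exit 1

  verify_cert old.crt new.crt && echo "genuine blog cert: Verified OK"

  # A look-alike certificate with the same CN cannot reuse the published signature.
  cp new.crt.sha512 rogue.crt.sha512
  verify_cert old.crt rogue.crt || echo "rogue cert with same CN: rejected"

  # The signature covers the PEM file byte for byte: one extra newline breaks it.
  printf '\n' >> new.crt
  verify_cert old.crt new.crt || echo "re-saved cert with extra newline: rejected"
)

demo
```

Because the signature is computed over the certificate file's bytes, a certificate exported from a browser has to be in the same PEM form that `openssl x509` writes for the check to pass.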

Now you can be sure of the following:
  • We (Mailfence) are indeed the real owner of this blog.
  • Any third-party claim over the ownership of this blog is false.
  • If any adversary (cybercriminal, third party, etc.) launches an advanced MitM attack on our blog (by using a similar domain with a rogue/compromised SSL certificate to counterfeit our identity, etc.), then you should not trust that website.

This step is mostly expected to be done by advanced users. However, other users can also follow the steps above simply by copying and pasting the given commands into their Linux terminal.

At Mailfence, a secure and private email service, we believe in following good security practices to help provide you with a secure and private email solution.

Mailfence Team


M Salman Nadeem

Information Security Analyst - Security Team | Mailfence
