QC on fingerprint before even visiting admin page

Does not match, see attached. Is this mitm attack?

1 Like

I’ve never actually seen one!

Did you try looking at the certificate in the browser?

All the browsers I have tried don’t give the option.

It is there, you just have to navigate through the warnings without enabling the site.

Here is what I get when I load the site:

Looks like MiaB is giving the SHA-256 hash and grc is giving the SHA-1 hash.

I just noticed the SHA-256 hash was cutoff in the screen shot:


Hmm, interesting… I was checking the incorrect algo? Lemme double check and I will get back with you.

Edited for brevity (my correspondence with support)


I would like to verify this my self, what web browser do you use?

The ISP probably will not help on this sort of issue since it would be something outside their network.

You could also connect to the server with SSH configured as a SOCKS proxy including the DNS server, this way there really isn’t anything between your computer and the server.

However, there doesn’t seem to be an issue in this case.

You can achieve similar results in Brave. The browser will first display a privacy warning page. In the address bar, click the ‘Not Secure’ button and then click ‘Certificate (Invalid)’.

That will show something similar to what I posted.

I managed to find the print in brave.

Totally not matching
sha256 in my web, and the grc checker
but not the initial setup…

This is what I see in Brave:

SHA-256 Fingerprint 7D 94 44 9F 16 61 F2 CD 6F B2 40 1C 37 63 89 93
F3 EC 82 D8 F3 B1 61 B1 96 3F 6D E0 FE 14 E3 97

SHA-1 Fingerprint AC 16 AD 2A 63 3C 1C 69 F0 AD B3 D0 C4 76 B5 85
F6 8C F0 D3

Well, maybe from your end, but the pick in this post is attached a pic that something is not right between the server and me…

any recommendations for good socks sever? I like netgates stuff…

The hash you are showing there is the SHA-1 hash. Is that by chance Edge? Nevermind, I see the Brave logo, lol.

The SOCKS server would be your MiaB server. You can use sshd as a SOCKS server.

Try the drop-down box or other options to see if it displays the SHA-256 hash.

Ahh, good stuff. I am at the butt end of this tonight. I need to do something else for awhile.

Will check in later.

Are you able to click the “Signature hash alg…”? Some times that will display the results in the box.

I think you’re better off just finding a browser that will show you an SHA-256 fingerprint, so you can verify against MiaB. I don’t know which one that is because there seems to be something different with Windows versions of programs.

It’s there It’s at the top of the dialog box s h a 256 value

The sha256 is just the hash algorithm. The hash will look completely different, like the one provided by the MiaB install instructions.

Did you try clicking on it and nothing showed up in the box below?

Uhmm, I did not read throgh this entire thread so if I am stating what has already been determined, my apologies.

The fingerprint is for the self-signed certificate created when MiaB is set up. And you are comparing it to the actual certificate issued for the domain.

Of course they are not going to match. @xyzsco