How To Achieve Indelible Fingerprints | AvianQuests

AvianQuests

Photography.Travel.Technology Unbound!

Featured

How To Achieve Indelible Fingerprints

Sunday, August 22, 2021
 
 
 
 
 
AvianQuests.com SNI Fingerprints 2021

 
in·​del·​i·​ble  - that cannot be removed, lasting.

 
Hey, welcome to the blog.
 
I got to successfully assemble and futureproof my computer PC desktop last month.
 
I started a week ago by installing first my video driver on August 13, 2021.
 
It was only at this date that I finally attained a "hardened security status", which I will share in a separate blog post the details in the future.
 
In a nutshell, I was able to achieve my aim/objective which was to get all my connections to the world wide web totally encrypted.

What? That's right.
 
Indelible in security speak is intended for a totally ENCRYPTED Server Name Indication (ESNI) that is, what I dub my version of a  "secure web connection heaven."
 
By the way, there are four (4) tools/things that you will need to use/tweak in order to achieve FULL ESNI as follows:
 
I.    GRC Fingerprints
 
II.   Cloudflare
 
III. Firefox ESR

IV.    Bitdefender


I.  "FINGERPRINTS"

I always validate my SNI using Steve Gibson's cool site (multi-millionfold thanks and kudos!) and in his home page under Services Tab is a drop down selection called,
HTTPS Fingerprints.

Here's the link below:
 

Fingerprints

So, with my registrar/domain which is Cloudflare, I tested my site https://www.avianquests.com in Steve Gibson's Fingerprints.

AvianQuests SNI Fingerprints 2021
 
At this phase, take note first of your Security Certificate's Authentic Fingerprint.
 
 
 II.     Cloudflare

To check if your current browser is already ESNI ready, click on the link below for that procedure.
 

Browsing Experience Security Check

The four (4) green checkmarks MUST be generated above to indicate that your browser is ESNI-capable and ready as evidenced by the following :
 
Check Mark 1 Secure DNS

 
DNSSECCheck Mark 2
  
 
Check Mark 3 TLS 1.3

 
Check Mark 4
Encrypted SNI
 
 
 
Again, it is very, very important that you are able to generate the abovementioned four (4) criteria when you run the test.
 
Question:  If I pass all four tests, am I secure no matter which site I browse?

Caveat: Not necessarily. Even if you pass all four tests, if the domain/web site URL that you are visiting must also need to support DNSSEC, TLS 1.3, and Encrypted SNI, then you are still potentially vulnerable, even if your browser supports these technologies.
To further double check that, you have to click to another link below to be positively sure:


 
The Cloudflare link above will display this result/example below:
 
Encrypted ESNI Output

Since I am using Firefox ESR, which generated the report above, notice, it says, "sni=encrypted."

(Also, for security reasons, I erased the values of my IP address, TS and f1 details above.) 

For example purposes, and to further check  that it is SNI encrypted, type the following in your browser prompt , https://www.google.com and hit enter, and it will result to the following.

"Site information for www.google.com  
Connection secure."
 
 Google Secured Connection

By clicking on the right arrow of Connection secure in the abovementioned example, it will bring up another prompt below as follows:
 
You are securely connected to this site.

You are securely connected to this site.  
 
Again, by clicking on More Information tab of the abovementioned screenshot will bring up the certificate information below as follows:

 
Fingerprint of Google.com


This is the screenshot of the Google "Fingerprint" of security certificate generated by my Firefox ESR browser.
 
 
GRC.com Fingerprint of Google.com

 
On the SHA-1, you can compare that with Steve Gibson's Fingerprint analyzer to be the same/identical.
 
If not the same fingerprint values, your browser/connection to the internet is NOT ENCRYPTED, and thus, you must now remediate it and follow the steps that I did to attain a FULL ENCRYPTION status.

So, today as I write this blog post, in my case, it is around seven - eight days depending on your location, and running a browser of choice, which I am running on total ESNI Encryption without encountering any security problems in my web browsing experience.

So, last but not the least, is that, we've reached the third and final part of the ESNI Fingerprinting enablement/walk through.
 
 

III.     FIREFOX ESR version 78.13.0

 
In my particular experience for my desktop PC, which is ESNI-compliant, which again, to fully ensure that I am totally ESNI-compliant, and whenever I view my domain/blog site's fingerprint and/or other web sites with an indelible ESNI signature, moving forward, I now use only FireFox ESR browser.

I tried other browsers, however, they do not generate an encrypted SNI.
 
Here's the link/address:
 
 
Firefox Browser ESR
 
 
Once Firefox ESR gets successfully installed in your PC/laptop, a little tweaking of the browser default must be done.
 
Again for example purposes, 
type https://www.google.com
 
Browser Settings

 
Click on the three horizontal stripes on the right most portion of the Firefox ESR browser and a drop down menu will be presented and then chose, and  Options.
 
General Tab
  
Under the General Tab, scroll down to the bottom of the page.


Network Settings

On the Network Settings Option Click on Settings located at the right side.

Connections Settings

 
In the Connection Settings, make sure No Proxy option is chosen (ticked).
 
Enable DNS over HTTPS box which is again, ticked (check marked)  then click on OK.

Also, the most important in Firefox ESR is tweaking the following:


How to enable ESNI in Firefox

Firefox Configuration

     1.    Open about:config
 
     2.    Set network.security.esni.enabled to true
 
     3.    Run in Firefox ESR

 
 
IV.    BITDEFENDER

Last but not the least, if you use Bitdefender as firewall, you have to make some exception entries in the firewall rule to fully allow ESNI.

Run Bitdefender as an Administrator.
 
Advanced Threat Defense


On your Bitdefender Protection Features choose Protection and click on the Open on the Advance Threat Defense choice.

Advance Threat Defense Settings


After which you will be prompted to the abovementioned screen, then click on  Settings.
 
Bitdefender Manage Exceptions

 On the third row, click on Manage Exceptions.

Manage Exceptions


On the Manage Exceptions screen above, click on Add exceptions.


Type the URL of the site
 

On the blank row, I typed Google.com as an example. Then hit the Save, button.

And below are managed exceptions which Bitdefender's Advance Threat Defense will bypass/allow thus, one will get the unadulterated encrypted SNI from the domain. 

Really, no rocket science here, very straightforward.



Bitdefender Manage Exceptions


Once you have set your exceptions, you're good to go.

In summary, here are the major takeaways/benefits running your browser in FULL ESNI mode:
 
- Elimination of MITM (Man-In-the-Middle);
- Elimination of ransomware vulnerability;
- Peace of Mind;
- Adherence to the best security practices; and
- Et cetera.
 
And of course, it's totally "free" just invest your time and effort to make it happen. 
 
It's a big thing for me to be able to get back to this "state of security connectivity" online and have peace of mind knowing that your internet connection is safe/secure.

Other tests, (If you like to do, it's quite fun actually.)


CHECK DNS SPOOFABILITY
   
    https://www.grc.com/dns/dns.htm
 
 


References: 

 
 
 
 
 
 
 
 
 
 
 
If you like this blog, 


  

Till next blog post. 

Keep safe, and keep blogging.

Do check me out/follow me at the social media channels below:
 
Instagram: avianquest
 
Twitter: avianquest
 
Facebook:  avianquest

Blog:  avianquests.com
 




   





   

            







































 

 
 



 
 
 
 
Labels:   ,
Post Comment

Post a Comment

Subscribe to: Post Comments (Atom)