A secure website (HTTPS) proves its identity to your browser by presenting a certificate signed by a recognized certification authority.
To work, interception techniques (TLS man-in-the-middle proxies) dynamically forge a certificate for the site you are visiting (a bit like a fake identity card). Because the forged certificate is signed by a CA that the intercepting party has installed in your trust store, the browser accepts it without any warning.
The method we propose verifies that the certificate you receive is the one the server actually issued. The operation is as follows (see diagram below):
- We retrieve the certificate that is supposed to be the server's, as presented to your browser (1)
- We ask an external verification server* (2) to fetch the certificate itself (3) and send it back to us (4)
- We compare the two certificates (5). If they differ, your connection is being intercepted.
* this server is by default "checkmyhttps.net". You can install your own verification server (see GitHub).
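The five steps above, written out as a small client in Python. This is an added example, not the CheckMyHTTPS project's own code or its documented API: the verification server's endpoint path, query parameters, JSON field name and the optional pin for that server's certificate are all assumptions made for this illustration. The local and remote fetchers are parameters so the comparison logic can be exercised offline with constructed inputs.

```python
"""Added example: client side of the certificate-comparison check.

Not the CheckMyHTTPS project's code. The verification server's endpoint,
query parameters, JSON field name and certificate pin are ASSUMED here.
"""
import hashlib
import http.client
import json
import socket
import ssl
import urllib.parse
from typing import Callable, Optional

VERIFY_HOST = "checkmyhttps.net"    # default verification server (from the page)
VERIFY_PATH = "/api.php"            # ASSUMED endpoint, not the documented API
# ASSUMED: SHA-256 fingerprint of your verification server's own certificate.
# None disables pinning; fill it in when you run your own server.
VERIFY_PIN: Optional[str] = None


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' spellings of a fingerprint."""
    return fp.replace(":", "").strip().lower()


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Step (1): return the leaf certificate this client actually received.

    Validation is disabled on purpose: a forged certificate from an
    interception proxy whose CA is in our trust store would validate fine.
    We want the certificate exactly as presented, not a trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def remote_fingerprint(host: str, port: int = 443) -> Optional[str]:
    """Steps (2)-(4): ask the verification server what certificate it sees.

    Before sending the request, the channel to the verification server is
    checked against VERIFY_PIN (if set), otherwise an interceptor could
    forge that certificate too and answer with the fingerprint it wants.
    """
    query = urllib.parse.urlencode({"host": host, "port": port})
    conn = http.client.HTTPSConnection(VERIFY_HOST, 443,
                                       context=ssl.create_default_context(),
                                       timeout=10)
    conn.connect()
    if VERIFY_PIN is not None:
        seen = fingerprint(conn.sock.getpeercert(binary_form=True))
        if seen != normalize(VERIFY_PIN):
            conn.close()
            raise RuntimeError("verification server certificate does not match pin")
    conn.request("GET", f"{VERIFY_PATH}?{query}")
    body = conn.getresponse().read().decode("utf-8")
    conn.close()
    fp = json.loads(body).get("sha256")      # ASSUMED field name
    return normalize(fp) if isinstance(fp, str) else None


def compare_fingerprints(local_fp: str, remote_fp: Optional[str]) -> str:
    """Step (5): 'ok', 'mismatch' (connection intercepted) or 'unknown'
    (verification server could not retrieve a certificate)."""
    if not remote_fp:
        return "unknown"
    return "ok" if normalize(local_fp) == normalize(remote_fp) else "mismatch"


def check_host(host: str, port: int = 443,
               fetch_local: Callable[[str, int], bytes] = fetch_leaf_cert,
               fetch_remote: Callable[[str, int], Optional[str]] = remote_fingerprint
               ) -> str:
    """Whole procedure (1)-(5) for one host:port."""
    local_fp = fingerprint(fetch_local(host, port))
    return compare_fingerprints(local_fp, fetch_remote(host, port))


if __name__ == "__main__":
    # Offline demonstration with constructed "certificates" (not real DER).
    genuine = b"\x30\x82\x01\x00 constructed genuine certificate bytes"
    forged = b"\x30\x82\x01\x00 constructed forged certificate bytes"
    print("clean   :", check_host("example.test", 443,
                                  fetch_local=lambda h, p: genuine,
                                  fetch_remote=lambda h, p: fingerprint(genuine)))
    print("tapped  :", check_host("example.test", 443,
                                  fetch_local=lambda h, p: forged,
                                  fetch_remote=lambda h, p: fingerprint(genuine)))
```

Run it with no arguments for the offline demonstration; to check a real site, call `check_host("example.com")` with the default fetchers, after adapting `VERIFY_PATH` and the JSON field to the verification server you actually use. Two points matter in practice: the channel to the verification server must itself be trustworthy (hence the pin), and a site that serves different certificates from different front-end servers can produce a mismatch that is not an interception, so a mismatch is a reason to investigate rather than a proof on its own.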
We have developed several clients that use this method (web browser extensions, mobile applications, test web pages). These clients interact with the verification server via an API (Application Programming Interface) as follows: