Networking, Security, Linux


Verify TLS Servers with Random Art

I've always loved the RandomArt feature in SSH that is used to display a visual representation of a peer's public key. I thought it would be great to extend this to TLS.

Rohan Molloy

SSH public key infrastructure does not typically use certificates or certificate authorities; it pins public keys directly, with a trust model based on TOFU (trust-on-first-use). When you first connect to an SSH server, it asks you to trust the host key and displays a visual representation of the key, like this:

[Image: SSH random art for server]

The public key cryptography SSH uses is very similar to what's used with TLS/SSL, so it should be straightforward to generate the random art for an HTTPS server. The main difference with TLS is that certificates are verified rather than keys; a certificate is generated from a key and binds it to a name. So if a website you trust starts showing a certificate error, it will be useful to know whether or not the underlying key has changed.

My script is pretty simple and has the following steps:

  1. openssl s_client connects to the server and verifies it against a CA bundle (this step is optional). The server certificate is printed
  2. openssl x509 extracts the public key from the certificate
  3. ssh-keygen -vi converts the public key from the standard TLS format (-m PKCS8) to the SSH format
  4. ssh-keygen -vl prints the random art
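The four steps as one script, added here as an example; it is not the author's script, and the function names are this example's own. It needs openssl and ssh-keygen, accepts either a HOST[:PORT] to connect to or a saved PEM certificate file to inspect offline, and exposes a fingerprint-only helper so two certificates can be compared without eyeballing two pictures.

```shell
#!/bin/sh
# tls-randomart.sh: added example following the post's four steps
# (openssl s_client -> openssl x509 -> ssh-keygen -i -m PKCS8 -> ssh-keygen -lv).
# Requires openssl and ssh-keygen. Function names are this example's own.
set -eu

# Step 1: connect to HOST[:PORT] (SNI set to HOST) and print the leaf certificate in PEM.
# s_client checks the chain against the default CA store; the result is echoed to stderr
# but does not abort, because the key is worth inspecting precisely when the cert looks wrong.
fetch_cert() {
    case $1 in
        *:*) host=${1%%:*}; port=${1#*:} ;;
        *)   host=$1;       port=443 ;;
    esac
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep 'Verify return code' >&2 || true
    printf '%s\n' "$out" | openssl x509
}

# Steps 2-3: PEM certificate file -> PKCS8 public key -> one SSH public key line on stdout.
cert_to_ssh_pubkey() {
    tmp_k=$(mktemp -d)
    openssl x509 -in "$1" -noout -pubkey > "$tmp_k/pub.pem"
    ssh-keygen -i -m PKCS8 -f "$tmp_k/pub.pem"
    rm -rf "$tmp_k"
}

# Step 4: fingerprint line followed by the random art, as ssh-keygen -lv prints it.
cert_randomart() {
    tmp_a=$(mktemp -d)
    cert_to_ssh_pubkey "$1" > "$tmp_a/pub.ssh"
    ssh-keygen -lv -f "$tmp_a/pub.ssh"
    rm -rf "$tmp_a"
}

# Only the SHA256:... fingerprint, for comparing two certificates in a script.
key_fingerprint() {
    tmp_f=$(mktemp -d)
    cert_to_ssh_pubkey "$1" > "$tmp_f/pub.ssh"
    ssh-keygen -l -f "$tmp_f/pub.ssh" | awk 'NR == 1 { print $2 }'
    rm -rf "$tmp_f"
}

# Entry point: argument is a PEM certificate file (offline) or a HOST[:PORT] to connect to.
tls_randomart() {
    if [ -f "$1" ]; then
        cert_randomart "$1"
    else
        tmp_c=$(mktemp -d)
        fetch_cert "$1" > "$tmp_c/cert.pem"
        cert_randomart "$tmp_c/cert.pem"
        rm -rf "$tmp_c"
    fi
}

if [ $# -gt 0 ]; then
    tls_randomart "$1"
else
    echo "usage: $0 HOST[:PORT] | CERT.pem" >&2
fi
```

Run it as `sh tls-randomart.sh example.com` or `sh tls-randomart.sh saved-cert.pem`. Because the art is derived from the SubjectPublicKeyInfo only, a renewed certificate from the same key gives the same picture and the same SHA256 fingerprint, while a different key gives a different one; a changed picture therefore means "the key changed" (legitimate rotation included), not by itself "man in the middle". The PKCS8 import in ssh-keygen covers RSA and NIST-curve ECDSA keys; other key types will fail at step 3.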

Trying it out

[Image: Trying my script out]

Final notes

The output is based on the public/private key pair used to generate the certificate signing request, not the certificate itself. So two certificates will give the same output even if they have a totally different common name and are signed by a completely different certificate authority.

This script could be used to check whether a server is still secured with the same public key after its certificate has changed, or to detect man-in-the-middle attacks.

