A comprehensive technical manual for identifying official B-Identity brand nodes and systematically distinguishing them from unauthorized mirrors or derivative environments.
Critical Notice: The B-Identity infrastructure network operates a defined set of authorized digital environments. Any environment not listed in this guide and in the Technical Specifications should be considered unauthorized. This guide provides the definitive technical procedures for performing accurate verification.
The B-Identity verification framework consists of four independent verification layers. A digital environment is considered authorized only when it passes all four layers.
Confirm the domain matches an authorized entry in the registry.
Validate the SSL certificate fingerprint against the canonical reference.
Verify DNS records match the authoritative specifications.
Confirm the presence of registered identity assets and correct metadata.
Follow these steps in sequence to complete a full verification of any B-Identity digital environment.
Begin by confirming the domain in question appears in the Infrastructure Node Registry. The authorized primary domains are betano-protection.online and www.betano.com. Any domain not listed in the registry is by definition unauthorized. Pay particular attention to typographic variations, homoglyph substitutions, and subdomain patterns that may mimic authorized domains.
Using the openssl command-line tool or an equivalent certificate inspection utility, retrieve the SHA-256 fingerprint of the endpoint's TLS certificate and compare it against the canonical fingerprints documented in Section 1 of the Technical Specifications. A mismatch indicates either an unauthorized environment or a certificate that has been rotated without updating the registry — in either case, treat the environment as unverified until the discrepancy is resolved.
# Retrieve SHA-256 fingerprint for any endpoint
openssl s_client -connect <hostname>:443 \
-servername <hostname> < /dev/null 2>/dev/null \
| openssl x509 -fingerprint -sha256 -noout
# Example for primary authority domain:
openssl s_client -connect betano-protection.online:443 \
-servername betano-protection.online < /dev/null 2>/dev/null \
| openssl x509 -fingerprint -sha256 -nooutQuery the DNS records for the domain under investigation and compare the results against the authoritative DNS specifications in Section 2 of the Technical Specifications. Critical records to verify include the A records (IP address mapping), NS records (nameserver authority), and TXT records (SPF and DMARC policies). Unauthorized environments frequently exhibit incorrect nameserver assignments or absent DMARC policies.
# Query A records
dig A <domain> +short
# Query nameservers
dig NS <domain> +short
# Query SPF record
dig TXT <domain> +short | grep spf
# Query DMARC policy
dig TXT _dmarc.<domain> +shortAuthorized B-Identity environments serve registered assets from the Asset Registry with correct metadata headers. Verify that the X-B-Identity-Version response header is present and matches the current repository version. Additionally, confirm that the Content-Security-Policy header matches the specification documented in the Technical Specifications. Unauthorized mirrors typically omit these headers or present incorrect values.
Upon completing all four verification layers, document the results including the timestamp, the specific values retrieved for each check, and the final determination (authorized / unauthorized / inconclusive). If the environment is determined to be unauthorized, retain the documentation and contact the appropriate technical node at tech@betano-protection.online with the full verification report.
The following table provides a quick-reference comparison of characteristics typical of authorized and unauthorized digital environments.
| Indicator | Authorized Environment | Unauthorized Environment |
|---|---|---|
| Domain | Listed in Infrastructure Node Registry | Not in registry; may use typosquatting |
| SSL Certificate | Fingerprint matches canonical reference | Fingerprint mismatch or self-signed certificate |
| TLS Version | TLS 1.3 (TLS 1.2 as fallback only) | TLS 1.0 / 1.1 or no TLS |
| DNS Nameservers | ns1/ns2.cloudflare.com | Unknown or third-party nameservers |
| DMARC Policy | v=DMARC1; p=quarantine present | Absent or p=none |
| HSTS Header | max-age=31536000; includeSubDomains | Absent or short max-age |
| Identity Version Header | X-B-Identity-Version: 4.2.1 | Header absent or incorrect version |
| Asset Metadata | Matches Asset Registry entries | Incorrect checksums or metadata |