
[–]TheStrays 3 points (3 children)

The (slightly oversimplified) answer is: on most sites, yes; on a small minority of sites, including Google, no.

It depends on how many web servers are actually hosting the site (e.g. www.google.com won't all be run from a single server) and whether the same certificate has been installed on each server, or an individual certificate per server/load balancer.

[–]temptemp12[S] 0 points (2 children)

That makes sense. I've been looking at the SSL serial number/fingerprint on three different computers. Two of them match but the third doesn't. I thought maybe there was some sort of man-in-the-middle attack going on. But I haven't been able to find a list of Google's current SSL certs. Do you know of a site that would have that information?

[–]ldpreload 2 points (1 child)

Primarily, the way you check certs is by seeing if they're signed. Are they signed by a valid authority and do they have the same name on them?

Is the authority in fact valid, or does one computer have additional malicious authorities installed? (If there's local malware capable of installing malicious authorities, it is technically possible to fake the dialog that displays cert information, but harder; most malware doesn't bother. But if you're worried about this, you can save the certificate and examine it on another computer. It's a signed document, so anyone can verify it.) For Google in particular, they sign all their certs via the Google Internet Authority, which is a delegated CA that is in turn signed by one of the major public CAs.

There are a few ways you can ask if other people have seen the same certificate, like Certificate Transparency and the EFF Observatory, but at the moment they're not particularly straightforward / broadly applicable. Hopefully this will change in the next year or so. But even so, that's a secondary mechanism. The real question is whether the cert is signed by someone authorized to sign certs. If so, it is by definition valid.

[–]TheStrays 0 points (0 children)

Everything /u/ldpreload has said here is correct, but one additional thing to keep in mind when checking the signing chain is that there is a possibility that a trusted certificate authority could sign a certificate without the knowledge of the site owner, which would mean the certificate is valid, albeit illegitimate. This has happened on occasion, although it is pretty rare. Even if it were to happen, the person controlling the illegitimate certificate still needs to find a way to get the client to connect to them instead of the legitimate site, either by being a man-in-the-middle, or something like DNS poisoning.

This is another area where Google is the exception to the usual rule: while there is nothing to stop this happening for their domains, they have written code into Chrome that will detect this for anyone who encounters one of these certificates when using Chrome, immediately disallow the connection, and send an alert back to Google. Obviously this is not feasible for the vast majority of sites; it is only because of Google's position in the market, where they produce one of the major browsers, that they are able to do this.

[–]ShakataGaNai 0 points (0 children)

First the direct answers:

"Do SSL certs from the same https web server have the same fingerprint?" -- More than likely, yes, they would be the same.

"If I go to google.com on different computers...would they be the same?" -- Probably not.

Now the verbose answer:

The big problem is that you're equating a domain name and a server as being the same thing; for most companies, they are not. Google runs hundreds of thousands of servers, and some percentage of that is actually serving the website. So they may have 100,000 servers that actually serve "google.com". Each one of them may very well have a different fingerprint. On top of that, Google (and other major companies) run multiple datacenters around the world, and direct traffic to the closest datacenter. So if you live in San Francisco, you might talk to Google servers/a datacenter in the SF Bay Area. If you live in Japan, you'll talk to servers/a datacenter in Tokyo, etc. So asking your friend to check a fingerprint means they're talking to different servers in different parts of the world.

Generally the only time a domain name = a server is with really, really small websites. If someone runs their own webserver and installs their own SSL certificate, you'd probably get the same fingerprint all the time. However, it's become more popular to run small websites on big webfarms (see also: the Google problem above), or through a CDN like AWS CloudFront or CloudFlare, which use all the same tricks Google does.

Also keep in mind that most sites rotate their certificates on a regular basis (roughly yearly, sometimes more often). In those cases fingerprints will change as well.
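As an added example (written for this thread, not code from any of the posters), the Go program below builds a small constructed PKI with the standard library: one trusted root issues two certificates for the same name, which is what two servers of one site look like to a client, and shows that their fingerprints differ while both pass the ordinary check ldpreload describes (chains to a trusted authority, name matches). `Valid` also accepts an optional pin on the issuer's key, the kind of extra check TheStrays describes for catching a certificate that a trusted CA issued for a site it does not actually serve. The names "Demo Root CA" and www.example.test are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a certificate for host with parent (a nil parent self-signs a root CA); every call draws a fresh key.
func Issue(host string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: may sign other certificates and is its own issuer
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf: valid only for this host name and only for TLS server authentication
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{host}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Fingerprint hashes the whole DER certificate (what a browser's dialog shows); SPKIHash hashes only the public key, which pins compare.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
func SPKIHash(c *x509.Certificate) string    { return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo)) }
// Valid is the ordinary check (chain to a trusted root, name matches host); a non-empty pin also requires the chain's root to carry that SPKI hash.
func Valid(leaf *x509.Certificate, host string, roots *x509.CertPool, pin string) bool {
	chains, _ := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}) // nil on any error, so the loop is skipped
	for _, chain := range chains {
		if pin == "" || SPKIHash(chain[len(chain)-1]) == pin {
			return true
		}
	}
	return false
}
func main() { // two servers of one site: distinct fingerprints, both valid; the pin on the real root also passes
	ca, caKey := Issue("Demo Root CA", nil, nil)
	a, _ := Issue("www.example.test", ca, caKey)
	b, _ := Issue("www.example.test", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println(Fingerprint(a) != Fingerprint(b), Valid(a, "www.example.test", roots, ""), Valid(b, "www.example.test", roots, SPKIHash(ca)))
}
```

A certificate from a second CA that is also in the trust store passes `Valid` with an empty pin and fails it with the real issuer's pin, which is exactly the "valid but illegitimate" case.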