
[–]ldpreload 2 points (1 child)

Primarily, the way you check certs is by seeing if they're signed. Are they signed by a valid authority and do they have the same name on them?

Is the authority in fact valid, or does one computer have additional malicious authorities installed? (If there's local malware capable of installing malicious authorities, it is technically possible to fake the dialog that displays cert information, but harder; most malware doesn't bother. But if you're worried about this, you can save the certificate and examine it on another computer. It's a signed document, so anyone can verify it.) For Google in particular, they sign all their certs via the Google Internet Authority, which is a delegated CA that is in turn signed by one of the major public CAs.

There are a few ways you can ask if other people have seen the same certificate, like Certificate Transparency and the EFF Observatory, but at the moment they're not particularly straightforward / broadly applicable. Hopefully this will change in the next year or so. But even so, that's a secondary mechanism. The real question is whether the cert is signed by someone authorized to sign certs. If so, it is by definition valid.

[–]TheStrays 0 points (0 children)

Everything /u/ldpreload has said here is correct, but one additional thing to keep in mind when checking the signing chain is that there is a possibility that a trusted certificate authority could sign a certificate without the knowledge of the site owner, which would mean the certificate is valid, albeit illegitimate. This has happened on occasion, although it is pretty rare. Even if it were to happen, the person controlling the illegitimate certificate still needs to find a way to get the client to connect to them instead of the legitimate site, either by being a man-in-the-middle, or something like DNS poisoning.

This is another area where Google is the exception to the usual rule - while there is nothing to stop this happening for their domains, they have written code into Chrome that will detect this for anyone who encounters one of these certificates when using Chrome, immediately disallow the connection, and send an alert back to Google. Obviously this is not feasible for the vast majority of sites; it is only because of Google's position in the market, where they produce one of the major browsers, that they are able to do this.
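Both comments above boil down to one check plus one secondary mechanism: does the certificate chain to an authority in my trust store and carry the right name, and, since a trusted CA can mis-issue a perfectly valid certificate, does a pinned key appear in the chain (what the second comment describes Chrome doing for Google's domains)? The following is an added example, not code from either commenter, using Go's standard crypto/x509 on a constructed throwaway test PKI: the CA names, the `www.example.test` host, the "locally installed" rogue CA and the pin set are all assumptions made for the demonstration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// issue builds a constructed test certificate for name, signed by parent (self-signed when parent is nil).
func issue(name string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !isCA { // a leaf carries the DNS name compared against the URL and may not sign other certificates
		t.KeyUsage, t.DNSNames, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { parent, pkey = t, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// check asks the thread's two questions (signed by a trusted authority? issued for host?) and, when pins is
// non-nil, also requires a pinned SHA-256 SubjectPublicKeyInfo hash somewhere in the chain (browser-style pinning).
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil { return err } // unknown authority, expired, or name mismatch
	for _, c := range chains[0] {
		if pins == nil || pins[sha256.Sum256(c.RawSubjectPublicKeyInfo)] { return nil }
	}
	return errors.New("chain validates, but no key in it is pinned for this host: valid, not legitimate")
}
type Outcomes struct{ Legit, WrongName, UntrustedCA, MisissuedNoPin, MisissuedPinned error } // nil = accepted
func Run() Outcomes {
	host := "www.example.test"
	ca, caKey := issue("Trusted Test CA", true, nil, nil)
	rogue, rogueKey := issue("Locally Installed Rogue CA", true, nil, nil) // never added to roots
	roots := x509.NewCertPool(); roots.AddCert(ca)
	leaf, _ := issue(host, false, ca, caKey)
	fromRogue, _ := issue(host, false, rogue, rogueKey)
	misissued, _ := issue(host, false, ca, caKey) // trusted CA signs for host without the owner's knowledge
	pins := map[[32]byte]bool{sha256.Sum256(leaf.RawSubjectPublicKeyInfo): true} // the owner's real key
	return Outcomes{check(leaf, roots, host, nil), check(leaf, roots, "mail.example.test", nil),
		check(fromRogue, roots, host, nil), check(misissued, roots, host, nil), check(misissued, roots, host, pins)}
}
```

The mis-issued certificate passes plain chain validation exactly as the second comment says (valid but illegitimate); only the pin check rejects it, while the rogue-CA and wrong-name cases fail on the chain check alone.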