I have three questions related to signatures:
Q1. I went to the Chrome browser official website using the Google Chrome web browser and the Mozilla Firefox web browser - the SHA1 fingerprint values were different in Firefox and in Chrome. How can that be? (I have provided screen-grabs for each below)
Q2. The Chrome certificate only shows SHA1 fingerprint. But how did Mozilla Firefox come up with SHA256 fingerprint? Did Firefox use its own tool to convert SHA1 to SHA256?
Q3. I have come across certain websites on which the expiry date of the certificate has passed, but the green padlock symbol is present. Should we refrain from entering a username on such sites until the expiry date is extended?
Q1. Google uses many certificates and CDNs at the same time. You're basically connecting to different servers. If you check the serial number of the cert, you should see that the certs are different, which is why the fingerprint is different.
Q2. Correct, the browser calculates the fingerprint.
You can do the same with tools like this:
View the PEM in firefox, copy and paste
The digital signature is calculated by the certificate owner and is included in the certificate, not the fingerprint. The digital signature is a hash value (of the certificate) that has been encrypted with the server owner's private key. This provides authentication, non-repudiation, and integrity.
Q3. The answer is: it depends. If you really, really care about the content then maybe you shouldn't use it. If it were my bank I would pause and contact the bank. But to be honest, if you really, really care about the content then you need to be using more than SSL and certificate authentication through roots of trust in a browser. With a bank you have 2-factor auth too, to protect against MITM attacks. In the real world it usually means an admin simply forgot to update the cert. You could see this as a sign of bad security. It still gives you dated authentication, non-repudiation, and integrity.
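The "compute the fingerprint yourself" step from the answer to Q2, as an added shell example that is not part of the original thread (it also covers the expiry check relevant to Q3). It builds a throwaway self-signed certificate as constructed input so it runs offline, hashes the DER encoding with SHA-1 and SHA-256 the way a browser does, cross-checks against openssl's own -fingerprint output, and shows that two different certificates (different serial numbers) yield different fingerprints. Assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Computes certificate
# fingerprints the way a browser does: hash the DER-encoded certificate.
# Assumes the openssl command-line tool is available.
set -eu

WORK=$(mktemp -d)

# Constructed input: a throwaway self-signed cert so the script runs offline.
# $1 = output PEM path, $2 = common name
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$1" >/dev/null 2>&1
}

# Fingerprint = digest over the DER bytes. $1 = PEM path, $2 = sha1 | sha256
# Each digest is computed independently over the same bytes; a SHA-256
# fingerprint is not derived from the SHA-1 one.
fingerprint() {
  openssl x509 -in "$1" -outform DER | openssl dgst "-$2" | awk '{print toupper($NF)}'
}

# The same value as openssl's built-in -fingerprint output, colons stripped.
openssl_fingerprint() {
  openssl x509 -in "$1" -noout "-$2" -fingerprint | sed 's/^.*=//; s/://g'
}

# Serial number: distinct certs (e.g. served by different CDN nodes) differ here.
serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Exit status 0 if the cert's notAfter date has already passed.
is_expired() {
  ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Demo: two distinct certificates give two distinct fingerprints.
make_cert "$WORK/a.pem" cert-a
make_cert "$WORK/b.pem" cert-b
for c in a b; do
  echo "cert $c  serial=$(serial "$WORK/$c.pem")"
  echo "  SHA1   $(fingerprint "$WORK/$c.pem" sha1)"
  echo "  SHA256 $(fingerprint "$WORK/$c.pem" sha256)"
done
```

Point a real PEM exported from the browser's certificate viewer at the fingerprint function and the hex it prints will match the fingerprint shown in that viewer.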