It says:
But they can perfectly duplicate VeriSign/RapidSSL/etc. certificates because they have access to their systems.
Not exactly. GRC is right if there is no cooperation between the intercepted site and the interceptor. Examples:
Bitcointalk has brand X SSL.
Interceptor has control over brand X SSL authority.
Bitcointalk has still used its own private key that is unknown to EITHER brand X SSL or the interceptor. The fingerprint would be different.

Google has brand X SSL.
Interceptor has control over brand X SSL authority.
Google GIVES interceptor private key.*
The interceptor now has an identical fingerprint.
* With this level of cooperation, the interceptor could get all the data needed from Google alone without control over the SSL authority.
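
The first example in the post above, reproduced with constructed certificates as an added illustration (not part of the original post): one CA signs two certificates for the same host over two different keys, both chain to that CA, and their SHA-256 fingerprints differ. The names `Brand X CA` and `site.example` and the helpers `issue`, `fingerprint` and `trusted` are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a fresh key pair for name and has parent/signer certify it; a nil parent self-signs a CA.
func issue(name string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name}, BasicConstraintsValid: true}
	if parent == nil { // self-signed root: may sign other certificates, carries no host name
		t.IsCA, t.KeyUsage, t.DNSNames, parent, signer = true, x509.KeyUsageCertSign, nil, t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint("issue ", name, ": ", err, " ", perr))
	}
	return cert, priv
}

// fingerprint is the SHA-256 over the whole DER certificate, public key included.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// trusted reports whether c chains to root for host, the check a client performs on its own.
func trusted(c, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() { // constructed scenario: one CA, the site's certificate, an interceptor's certificate
	ca, caKey := issue("Brand X CA", 1, nil, nil)
	genuine, _ := issue("site.example", 2, ca, caKey)
	forged, _ := issue("site.example", 3, ca, caKey)
	fmt.Printf("both trusted: %v, same fingerprint: %v\n", trusted(genuine, ca, "site.example") && trusted(forged, ca, "site.example"), fingerprint(genuine) == fingerprint(forged))
}
```

Chain validation alone accepts both certificates; only comparing against a fingerprint recorded from the genuine certificate tells them apart.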