Should we be concerned about SAN Neighbours?

Should we be concerned about SAN Neighbours?

I've done quite a lot of encryption related stuff recently, it's mostly been HTTPS. This article is about something I've always had at the back of my mind when dealing with SSL certificates. Today, we will be going into detail about what an SSL Certificate can "cover". If, like me and a LOT of other people you want your website to be accessible via HTTPS then you of course need a SSL (well, technically speaking it's a TLS) certificate. Nowadays these certificates are issued to the domain(s) you request and this is what this article is about.

A brief look at how SSL certificates are issued

Let's say we want a new certificate for the domain owennelson.rocks. What we need to do is generate a Certificate Signing Request (CSR) and private keys on the web server where we wish to use the certificate. Now we need to send the CSR to a certificate authority (in my case Let's Encrypt. They will run some form of validation to check you actually control the domain listed in the CSR. Once these check(s) have been passed they proceed to issue you a certificate which you can then install on your web server and bam, SSL!.

What if I have multiple (sub)domains?

Now this is what I wanted to talk about, you can actually get a single SSL certificate that covers multiple domains. These work by having a primary domain then what is known as Subject Alternative Names (SAN). Here's the SAN entries on the certificate for this site:

It's rather handy isn't it? So I could have say, 30 domains all in one certificate! It saves vast amounts of money (unless like me you're using Let's Encrypt to get free SSL Certificates anyway, Woo!) as well as the complexity of multiple separate certificates.

Okay... Is there a point to all of this?

Well, yes. If you're using something like CloudFlare (who are a CDN, DNS and anti-DDoS provider amongst other things) and have SSL enabled then they will issue a free SSL certificate.

Here's a picture of the SSL Certificate SAN entries on one of my sites:

As you can see, there's quite a list of other domains on top of my two (on-tech.co.uk and owennelson.co.uk). For me these other entries aren't problem but on some of my other sites there's some rather questionable ones.

SAN Neighbours

It's a bit of an interesting topic, I could be running a school website using CloudFlare and have some very dodgy websites sharing an SSL certificate with me. I mean, security wise there isn't much concern. Only CloudFlare has the private keys for the certificate so we can't go messing with each other’s traffic or pretending to be each other.

I suppose you could use the SAN entries to identify potential domains owned by the same person as CloudFlare likes to group domains under the same account together. Even this wouldn't be too effective unless your domains are similarly names. Then there's the fact that if you know that you can find other domains in the SSL SAN area then you're going to know easier ways of finding other sites run by the same person.

Let's take a step back and remember that the vast majority of people aren't going to even check if a site is using HTTPS let alone know how to inspect the certificate. There's also the fact that the minority who do know how to find it are probably going to have a reasonable idea what it actually means anyway.

For me personally, I'm not a huge fan of being associated with distasteful content even if it is in such a minor and meaningless way. In fact, I don't actually use CloudFlare on my blog but that's down to other reasons which I'll talk about some other day.

Now that you know about the SAN part of SSL certificates if you didn't already (in which case I apologise to both of you) I'd love to hear your opinion on these "SAN Neighbours".

Owen Nelson

Owen Nelson

https://owennelson.co.uk

IT Systems Administrator from Northamptonshire, UK. Always on the lookout for ways to make things faster and more secure - and I enjoy getting through a fair bit of Tea along the way.

View Comments