  • FC

The Problem with SSL/TLS Certificates

**Editors Note: This blog post was written a few months ago. Since the extraordinary number of sites exposed by this flaw, Cygenta tried to contact as many of the companies as possible. Given the length of time that has now passed, we believe that companies have had enough time to respond or fix this issue (surprisingly, many did not accept it as a problem).**


Since Google started marking sites that still serve pages over plain HTTP as "Not secure", there has been an amazing amount of traffic on social media about how everyone should secure everything with a certificate. I agree: this is no longer a technical issue but one of public perception. Everyone should encrypt everything, end of discussion.


Well, sort of. I often go into clients and notice that they try hard to do security correctly but can end up causing unintended insecurity, because they don't have the experience and training in this area (after all, they are generally not a security firm).


So now we have a billion people forced to install certificates on their company websites, doing it in the cheapest and easiest way possible. What could go wrong?


The important thing to remember is that people are just trying their best. But how does installing a certificate cause unintended insecurity? Let's take a look at a certificate:



This is how a certificate should look. Plain and boring, to be honest.


Now, let's look at a poorly configured certificate, one that someone has tried their best to do as quickly as possible:




Whoa there, wait, let's look at this properly. They have taken every hostname they own and bunched them all into the Subject Alternative Name (SAN) list of a single certificate rather than issuing multiple certificates. The certificate is handed to every client that connects to the main website, so the result is a whole heap of hostnames that probably shouldn't be public being listed, in plain sight, for anyone who cares to look.


I am not saying that the issue around Subject Alternative Names is a new one, but the sheer scale of this now is a cause for concern. Worse, SANs are visible to anyone who completes a TLS handshake with the site, and since publicly trusted certificates are also recorded in Certificate Transparency logs, the list can be searched without ever touching the server.


So this got me thinking: what actually is the scale of this? The best way to find out is to write a tool that goes over the internet, connects to each site, scrapes the SANs (Subject Alternative Names) out of the certificates it finds, and dumps them into an easily searchable database.
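As an added example (this is not Cygenta's tool, whose code the post does not show), here is a minimal version of that pipeline in Python: fetch a site's leaf certificate over TLS, pull the dNSName entries out of its SAN list, store them in an SQLite table, and run the same kind of LIKE query used later in the post. The hosts in SAMPLE_CERTS are constructed for this example, in the shape `ssl.SSLSocket.getpeercert()` returns, so that it runs offline; the function names and table layout are my own.

```python
import socket
import ssl
import sqlite3
from typing import Iterable

# Constructed sample data: two invented sites and the dict ssl.SSLSocket.getpeercert()
# would return for each. None of these hostnames come from the scan described in the post.
SAMPLE_CERTS = {
    "www.example-corp.test": {
        "subject": ((("commonName", "www.example-corp.test"),),),
        "subjectAltName": (
            ("DNS", "www.example-corp.test"),
            ("DNS", "example-corp.test"),
            ("DNS", "cpanel.example-corp.test"),
            ("DNS", "webmail.example-corp.test"),
            ("DNS", "uat-api.example-corp.test"),
            ("DNS", "*.staging.example-corp.test"),
            ("IP Address", "203.0.113.10"),
        ),
    },
    "shop.other-firm.test": {
        "subject": ((("commonName", "shop.other-firm.test"),),),
        "subjectAltName": (
            ("DNS", "shop.other-firm.test"),
            ("DNS", "CPANEL.other-firm.test"),
            ("DNS", "preprod.other-firm.test"),
        ),
    },
}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection (with SNI) and return the leaf certificate as a dict.
    A verifying context is used on purpose: getpeercert() only returns the parsed
    fields once the chain has been validated, and the data is what a browser shows."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(cert: dict) -> list:
    """Every dNSName SAN, lower-cased and de-duplicated, with any '*.' wildcard
    prefix stripped so '*.staging.x' is recorded as 'staging.x'. IP SANs are skipped."""
    seen = set()
    out = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """One row per (site scanned, SAN found); the UNIQUE constraint makes rescans idempotent."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS hosts ("
        " origin TEXT NOT NULL,"
        " subdomain TEXT NOT NULL,"
        " UNIQUE(origin, subdomain))"
    )
    return conn


def record(conn: sqlite3.Connection, origin: str, cert: dict) -> int:
    """Store the SANs of one certificate; returns how many names the certificate carried."""
    rows = [(origin, name) for name in dns_names(cert)]
    conn.executemany("INSERT OR IGNORE INTO hosts(origin, subdomain) VALUES (?, ?)", rows)
    conn.commit()
    return len(rows)


def count_matching(conn: sqlite3.Connection, pattern: str) -> int:
    """The post's query, parameterised: how many recorded SANs match a LIKE pattern."""
    (n,) = conn.execute("SELECT count(*) FROM hosts WHERE subdomain LIKE ?", (pattern,)).fetchone()
    return n


def scan(targets: Iterable[str], fetch=fetch_peer_cert, conn=None) -> sqlite3.Connection:
    """Fetch each target's certificate and record its SANs. Unreachable hosts and
    certificates that fail verification (OSError covers ssl.SSLError) are skipped."""
    conn = conn or open_db()
    for host in targets:
        try:
            cert = fetch(host)
        except OSError:
            continue
        record(conn, host, cert)
    return conn


if __name__ == "__main__":
    # Offline run over the constructed sample; swap the fetch for fetch_peer_cert to go live.
    db = scan(SAMPLE_CERTS, fetch=lambda h: SAMPLE_CERTS[h])
    print(count_matching(db, "%cpanel%"))
```

One caveat for anyone running this at scale: `getpeercert()` gives you the parsed dict only when the certificate verified. Against the self-signed and expired certificates you will meet on the messy end of the internet, a verifying context raises and a `CERT_NONE` context returns an empty dict, so for those hosts you want `getpeercert(binary_form=True)` and a DER parser such as the `cryptography` package.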


We decided that scraping the entire internet was a little over the top for the purpose of examples for this blog post, so we cut it down to just around 1 million websites (insert dr evil gif here).


Here are the results:

More than 8 million hostnames were revealed from the 1 million initial sites.


Granted, a fair few of those are not worth our time. However, let's look at some fairly well known hostnames that might be worth investigating:


sqlite> select count(*) from hosts where subdomain like '%cpanel%';
36063


Yikes! 36,000 cPanel hostnames, all directly connected to the internet and given away by the certificate of the main site.


What else could possibly be found? The list is almost endless: so far we have seen pre-production servers, administrative sites, UAT and beta environments, and many other very interesting things. The fix follows from the cause: give hosts that should not be public their own certificates instead of piling them into the SAN list of the main site (a wildcard certificate also keeps the individual names out of the list, at the cost of one private key shared by every host it covers).
