HTTPS Certificate expires soon for the site

I received an e-mail last month that seems legit, but since I cannot find any matches for it in Google, I have become suspicious. It was sent to the admin that LE has (I guess it’s somewhere in the cert).

Subject: HTTPS Certificate expires soon for the site www.example.com
From:  <https_misconfig@security-notifications.cs.berkeley.edu>
Body:

To the owner of www.example.com,

We are a team of computer security researchers at the University of California Berkeley and the University of Washington studying HTTPS configurations on websites.  We recently detected that the TLS certificate for your site will be expiring at X MST. All browsers may soon block users from accessing www.example.com with a security warning message if your certificate is not renewed.

If you have already renewed your TLS certificate, you can ignore this message. Thank you for making your website safer for your users.

When your certificate expires, browsers will be unable to verify that the connection to your server is secure, and will block users from accessing your site by displaying a full-screen security warning. This is done to protect users' browsing data, such as passwords, page content, and form data, from being intercepted or tampered with by a third party.

Here's how to fix this problem:

    Contact your certificate authority to renew your TLS Certificate
    Contact Let's Encrypt to obtain an up-to-date TLS certificate. 

    If you do not run your own server, contact your hosting provider to resolve this issue.
    Tell your hosting provider that the TLS certificate for your site is expiring soon, and needs to be renewed. 


For more information about these security notifications, please visit our website at: https://security-notifications.cs.berkeley.edu

Was this message helpful? Please take our survey: https://goo.gl/forms/X

I was surprised that this doesn’t break some kind of TOS.

Hi @wonderment,

This appears to be a real project:

https://security-notifications.cs.berkeley.edu/

However, I don’t know how they got your e-mail address, unless it’s just webmaster at your domain. Your e-mail address is not included in your certificate.

I know some people in that department, so I can inquire further about this if you’re interested.

Thanks @schoen

It’s admin@ the domain. I am interested in knowing if this really is real (I get a reminder from LE after all), and why it seems nobody has ever pasted the e-mail anywhere that Google indexes (apart from this page now). So I would be interested if you could inquire.

Is your certificate expiring soon? Has it already been renewed?

I heard back from the researchers at Berkeley and they said that they are using the public whois data for the domain name in order to find the contact to e-mail. So, probably your admin address is listed in your whois records for your domain.

People might question the etiquette about using this data this way (although if it were a manual rather than automated e-mail, I imagine most people would consider it pretty reasonable), but at least that appears to solve the mystery about where the e-mail address came from.

@mnordhoff it was expiring soon, but got renewed by a cron job.

@schoen the admin address is listed in whois, but the whois header states that the information there should not be used… Thanks a lot for investigating! (I hope that other people will find this thread when they search!)
