Possibly malicious certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: app.vidorado.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Google Firebase

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Google Firebase Hosting

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Hello,

I'm using Google Firebase to host my website and I've set up Certificate Transparency Monitoring at Cloudflare for my domain.

Until now I only got reasonable messages from the Cloudflare monitoring for my domains, and at times when I would expect them. Now I got a weird message for the above domain. In this message there are many other domains listed along with my (sub)domain that I don't know (about 40-50 domains in total). And what is also weird: after I set up my domain in Firebase I got a message from Cloudflare about the issued certificate for app.vidorado.com, and it contained only my subdomain as expected. The "old" correct certificate is valid until 23 June 2021, and therefore I didn't expect a newly issued certificate right now.

I think a certificate should only contain domains and subdomains for one domain / site and not for multiple sites, even if they are hosted on the same server. Is that correct? (e.g. a certificate should only contain app.vidorado.com and www.vidorado.com and not app.vidorado.com and www.example.com and example2.com and so on)

What should I do now? I think this is not a valid certificate.

2 Likes

Hi @Dundl

that's wrong. If you have your own server, you can do it.

If you use another service, then that service can create one certificate with a lot of domain names (Letsencrypt: Max. 100 domain names).

There is nothing wrong.

That is a valid certificate. Accept it or don't use that hosting.

3 Likes

A hosting provider can build any certificate they want, as long as they really control ownership of those hostnames. CloudFlare does this themselves too by the way: huge certificates with huge numbers of hostnames in the SAN, all not related.

3 Likes

Ok, thank you both for your answers. Of course I will accept these circumstances. I was just a bit worried that there is something "fishy" going on. Thank you for reassuring that everything is fine.

Have a nice day!

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

We've fielded this exact same concern with Firebase many times here. No worries. You're certainly not the first to express this concern and you probably won't be the last. Better safe than sorry.

:blush:

1 Like

That's always a good instinct! Unfortunately, when using shared hosting, it's quite difficult to distinguish valid certs issued by the hosting provider from illicit certs issued by a third party. In theory you could check the IP addresses corresponding to the hostnames in the certificate: if all IP addresses are from a single hosting provider, it's probably issued by the hosting provider. However, a hosting provider's server could also be hacked, of course, so there's no 100 % certainty.

3 Likes
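The triage heuristic described in the post above (resolve every SAN and check whether the addresses all fall inside the hosting provider's ranges), as an added example that is not part of any post in this thread. The SAN list, the A records and the provider address block are all constructed; the only real name is the poster's app.vidorado.com, and the block is a placeholder rather than Firebase's actual ranges.

```python
import ipaddress

# Constructed sample: SAN list from a CT monitoring alert and the A records
# one would obtain by resolving each SAN (all values made up for illustration).
ALERT_SANS = ["app.vidorado.com", "www.example-shop.test",
              "blog.example-two.test", "example-two.test"]
RESOLVED = {
    "app.vidorado.com": ["198.51.100.10"],
    "www.example-shop.test": ["198.51.100.11"],
    "blog.example-two.test": ["198.51.100.12"],
    "example-two.test": ["203.0.113.7"],   # outside the provider block: stands out
}
# Hypothetical address block published by the hosting provider (placeholder).
PROVIDER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def registrable_domain(host):
    """Crude two-label approximation of the registrable domain (no public-suffix list)."""
    return ".".join(host.lstrip("*.").split(".")[-2:])


def triage_alert(sans, resolved, provider_ranges, my_domains):
    """Split an alert's SANs into own/foreign names and flag hosts that do not
    resolve into the provider's ranges. A clean result only says the cert is
    consistent with the provider; it cannot prove the provider was not compromised."""
    my_names = [s for s in sans if registrable_domain(s) in my_domains]
    foreign = [s for s in sans if registrable_domain(s) not in my_domains]
    outside = {}
    for host in sans:
        for ip in resolved.get(host, []):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in provider_ranges):
                outside.setdefault(host, []).append(ip)
    unresolved = [h for h in sans if not resolved.get(h)]
    return {
        "my_names": my_names,
        "foreign_registrable_domains": len({registrable_domain(s) for s in foreign}),
        "hosts_outside_provider": outside,
        "unresolved": unresolved,
        "consistent_with_provider": not outside and not unresolved,
    }


if __name__ == "__main__":
    print(triage_alert(ALERT_SANS, RESOLVED, PROVIDER_RANGES, {"vidorado.com"}))
```

In practice `resolved` would be filled from DNS lookups (e.g. `socket.gethostbyname_ex`) and `provider_ranges` from the provider's published address list.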

FWIW, I don't think CloudFlare does this anymore, or at least for me because of the number of domains I have on their system now. I have a few dozen domains on their system, and the recent certs for all have just covered 3 domains each:

{example.com}
*.{example.com}
sni.cloudflare.com

When they did bundle domains into certificates, Cloudflare attempted to bundle domains based on the owning customer. So you'd see at most 50 domains on a certificate (50 bare + 50 wildcard), but often it would be about 30-40 domains to account for expected growth before they would re-partition the Certificates. Domains 1-10 might belong to one person, 11-30 another, 30-40 a third. People complained over this design, because it suggested or exposed actual domain ownership.

2 Likes

I'm not sure if CF still does this, but the fact is that they added hostnames of multiple customers into a single certificate. It was just an example of a legitimate certificate with hostnames of multiple customers.

2 Likes

100% agreed with you. I'm just noting they may have (finally) stopped doing this. google/firebase obviously still does.

3 Likes

Hi @jvanasco

that's account specific. Sometimes, it's yours,

sometimes there are (new) certificates with 60 - 90 different domain names.

But I don't use CloudFlare so I don't know the details.

2 Likes

I thought it also matters/mattered what plan you have/had. The free CF plan has/had aggregated certs and paid plans have/had separate certs.

2 Likes

I only have the Free/DNS tier for these domains. These domains do use Cloudflare as their Registrar though, so that may influence things.

However....

Aside from not being issued multiple-domain or multiple-customer certificates in a few years, I have not seen any such certificates issued to others "in the wild" for over a year.

Perhaps they still are, but:

  1. I haven't seen any questions pop up in this forum regarding this feature in years, and
  2. I have not seen a user who has posted issues with Cloudflare in recent years being issued any such certificate.

Before posting my comment above, I actually did search this forum for any mention of cloudflare and checked the crt.sh logs for a few dozen domains to confirm my suspicion they ended this practice -- I could not find any bundled certificates.

What I did see, is that Cloudflare underwent an infrastructure change over the past few years, and it seems to have finalized about a year ago.

The legacy system operated with a certificate showing a max of 49 "registered domain names", alongside a specific cloudflare subdomain. The specific domain appears to be a serial (you can iterate numbers above and below, and find valid A records), and is unique to the certificate bundle and/or bundle's lineage.

  • sni{numeric-id}.cloudflaressl.com
  • {example}.com * 48
  • *.{example}.com * 48

The new system allocates a dedicated cert for the registered domain, alongside a single cloudflare domain that is shared across all certificates.

  • sni.cloudflaressl.com
  • {example}.com
  • *.{example}.com

I do not know what Cloudflare is officially doing, but in addition to not seeing any bundled domains in quite some time, I also looked up many previously bundled domains (posted here and elsewhere) - and all had either migrated to the new system or left Cloudflare for LetsEncrypt.

Cloudflare could very well still be bundling certificates, but I have not seen them.

Then why did you bother posting the above? You haven't provided any information to support your personal opinion, and your comment admits you are unqualified to provide an answer.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.