The meaning of certificates with common name not related to X509v3 Subject Alternative Name

Hey guys
I was using https://crt.sh to look for my domain to see what certificates were generated and was surprised to see some strange results.
Looking at this result for example: https://crt.sh/?id=8565249705

You can see that the Subject>commonName = ropeholders.org.
But looking at the X509v3 Subject Alternative Name: area you can see a long list of domains completely unrelated to ropeholders.org, for example 360-dev.bevy.pl.

How can this be explained? Is this a security issue?
Thanks in advance!

1 Like

I haven't checked, but this could be due to e.g. Cloudflare. Especially in the past (exact current practice is unknown to me) Cloudflare used to pool multiple sites that were using their free tier CDN service into a single certificate. And you had to have a paid service for a certificate for just your own site.

4 Likes

Looks like there is some sort of CDN (Varnish based perhaps) so whoever set that up would be the one to ask about the cert details.

curl -I https://ropeholders.org
HTTP/2 200
...
x-served-by: cache-iad-kcgs7200101-IAD
x-cache: HIT
x-cache-hits: 1
x-timer: S1678807917.336907,VS0,VE1

And

curl -I ropeholders.org
HTTP/1.1 301 Moved Permanently
Server: Varnish
Location: https://ropeholders.org/

4 Likes

Using this online tool https://sitereport.netcraft.com/ shows that both are DNS-mapped to the same IPv4 address 151.101.65.195 and are hosted by Fastly, Inc.
https://sitereport.netcraft.com/netblock?q=SKYCA-3%2C151.101.0.0%2C151.101.255.255
https://sitereport.netcraft.com/?url=https://ropeholders.org
https://sitereport.netcraft.com/?url=https://360-dev.bevy.pl

1 Like

We were using firebase at some point and I think Firebase are using fastly, so perhaps that is the cause.
Is there any security risk in such behavior, or is it generally common for CDNs to operate in such a way?

Yes, it's generally common and not particularly concerning.

Not really beyond the general security risk of using a CDN in general: Your CDN is "in the middle" of the transaction, and so can impersonate your site and monitor the traffic between your users and you. That's basically the service they're selling you, so maybe "security risk" isn't quite the right term, but if they get hacked or have a terrible bug or whatnot, it might impact you in a way that you'd wish you'd have gone with a different provider or hosted it yourself.

5 Likes

Yep, they are well-known for combining unrelated SANs.

5 Likes
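An added example, not code from any poster in this thread: a small triage script for crt.sh results that separates certificates dedicated to your own domain from shared CDN-style certificates that carry unrelated SANs, so a CT-monitoring alert can be classified before anyone panics. It assumes crt.sh's JSON output uses `id`, `common_name` and a newline-separated `name_value` field, and the sample record (including the tenant name example-cdn-tenant.net) is constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape crt.sh's JSON output is assumed to use:
# 'id', 'common_name', and 'name_value' with one SAN per line.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 8565249705, "common_name": "ropeholders.org",
     "name_value": "ropeholders.org\nwww.ropeholders.org\n360-dev.bevy.pl\n"
                   "shop.example-cdn-tenant.net\n*.example-cdn-tenant.net"},
    {"id": 1, "common_name": "ropeholders.org",
     "name_value": "ropeholders.org\nwww.ropeholders.org"},
])


def registrable(name):
    """Crude registrable-domain heuristic: last two labels, wildcard stripped.
    Production tooling should use the Public Suffix List (think co.uk);
    this simplification is good enough to group CDN tenants apart."""
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(record, my_domain):
    """Report whether one crt.sh record covers my_domain and which other
    sites share the certificate (a shared cert is the CDN-pooling pattern)."""
    names = sorted({n.strip() for n in record["name_value"].split("\n") if n.strip()})
    mine = registrable(my_domain)
    by_site = defaultdict(list)
    for n in names:
        by_site[registrable(n)].append(n)
    others = {site: sans for site, sans in by_site.items() if site != mine}
    return {
        "id": record["id"],
        "covers_my_domain": mine in by_site,
        "san_count": len(names),
        "other_sites": sorted(others),
        "shared": bool(others),
    }


def triage(crtsh_json, my_domain):
    """Classify every record in a crt.sh JSON response for my_domain."""
    return [classify(r, my_domain) for r in json.loads(crtsh_json)]


if __name__ == "__main__":
    for r in triage(SAMPLE_CRTSH_JSON, "ropeholders.org"):
        kind = "shared (CDN-style)" if r["shared"] else "dedicated"
        print(f"cert {r['id']}: {kind}, {r['san_count']} SANs, other sites: {r['other_sites']}")
```

A shared result is expected when the site sits behind a pooling CDN; a dedicated result for a domain you never requested a certificate for is the case worth investigating.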

But it's actually Fastly this time!
ARIN Whois/RDAP - American Registry for Internet Numbers

3 Likes
