Unknown Certificates against my domain


#1

Hi,

I wonder if someone could help me with a somewhat strange problem I have.

The domain we own is quazartech.com, which I manage and don’t actually have any problem with. In the process of setting up LetsEncrypt on another domain, I was led to SSLMate’s CertSpotter, and I figured I may as well set it up for this domain as well.

I find there are a large number of CA Certs issued to “sdkm.quazartech.com”. Each of these certificates includes about 50 domains, each with a seemingly random 4 letter prefix subdomain on a different root domain. These are all issued by Let’s Encrypt. I do not know what this subdomain is. I have checked our DNS records, and no such entry exists. I do not know what these certificates are, who they are being used by, or for what.

Should I be worried? Is there a way for me to invalidate these certificates?

Thanks
Shashank


#2

All of the sibling domains appear to also be hosted by afraid.org and the subdomains appear to be random.

I don’t mean to alarm you but it does seem like something malicious could be going on. I’d email your DNS host about it (afraid.org).

Regarding revocation, there’s no way for you to easily revoke the certificate since you can’t get authorizations for any of the other domains. But there may be other avenues if it turns out something dodgy happened.


#3

Hi @chintal

Your nameserver settings:

nslookup -type=NS quazartech.com.

quazartech.com nameserver = ns1.afraid.org
quazartech.com nameserver = ns3.afraid.org
quazartech.com nameserver = ns2.afraid.org
quazartech.com nameserver = ns4.afraid.org

But in the FAQ of afraid:

http://freedns.afraid.org/faq/

What is the difference between a private and public domain?
Shared: Private - means the domain owner reserves the ability to reject hostnames that they deem slanderous or offensive.

Shared: Public - means anyone in FreeDNS can setup a hostname using that domain without the domain owner’s approval.

Non-Shared: Stealth allows you to remove your domain from all sharing mechanisms. Stealth is available to premium members in exchange for supporting the project.

So it looks like a feature of a shared public afraid.org domain: everybody can create a new subdomain.

Terrible - but it’s a feature, not a bug.


#4

I don’t think so. I checked the domain list and it’s a mix of private and shared domains. OP’s domain is private.


#5

“Private” may not mean what you would assume in this case:


#6

That makes sense. So OP should be able to unshare their domain?


#7

My understanding is that this is only possible with the premium service. (Although I don’t know that for sure, I don’t have any domains hosted there myself - just going by my reading of their description)


#8

It is. Alternatively, it is the cost of using a free service.

I am in the process of moving out of afraid for the moment.

That said, it would seem that subdomains were created for a couple of days, used to generate SSL certs for whatever reason, and then destroyed. While I’m not entirely certain what the utility of such an action is, the how seems to make some sense. I’m not entirely certain such a fly-by-night sub-domain should be certified, but I suppose I do understand the technical difficulty filtering them out would present.
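The check the original question is effectively asking for, as an added example that is not code from this thread, from CertSpotter or from afraid.org: compare the names a CT monitor reports under your domain against the hosts you actually publish, and flag certificates that show the pattern described above (a short random label on your domain bundled with names on many unrelated root domains). The feed record shape, the `id`/`issuer`/`dns_names` field names and the zone contents are constructed assumptions standing in for a live CT feed and `nslookup`.

```python
import re

# Constructed sample records in a generic CT-monitor shape (field names are
# assumptions, not CertSpotter's real output format).
CT_RECORDS = [
    {"id": "ct-1", "issuer": "Let's Encrypt",
     "dns_names": ["www.quazartech.com", "quazartech.com"]},
    {"id": "ct-2", "issuer": "Let's Encrypt",
     "dns_names": ["sdkm.quazartech.com", "qzpa.example.net", "xkcd.example.org"]},
    {"id": "ct-3", "issuer": "Let's Encrypt",
     "dns_names": ["abcd.quazartech.com", "wxyz.example.net"]},
]

# Constructed stand-in for the hostnames you actually have in your zone.
KNOWN_HOSTS = {"quazartech.com", "www.quazartech.com", "mail.quazartech.com"}


def names_under(domain, dns_names):
    """Normalise SAN entries and keep only those at or below `domain`."""
    domain = domain.lower().rstrip(".")
    names = [n.lower().rstrip(".") for n in dns_names]
    return [n for n in names if n == domain or n.endswith("." + domain)]


def unexpected_names(records, domain, known_hosts):
    """Map cert id -> names under `domain` that are absent from our zone."""
    known = {h.lower().rstrip(".") for h in known_hosts}
    out = {}
    for rec in records:
        unknown = [n for n in names_under(domain, rec["dns_names"]) if n not in known]
        if unknown:
            out[rec["id"]] = unknown
    return out


def looks_like_shared_host_batch(rec, domain):
    """Heuristic for the pattern in the thread: every name of ours in the cert is a
    short random-looking label, and the cert also covers other root domains."""
    ours = names_under(domain, rec["dns_names"])
    label = re.compile(r"[a-z0-9]{3,5}\." + re.escape(domain.lower().rstrip(".")))
    short_random = all(label.fullmatch(n) for n in ours)
    # Approximate the root domain as the last two labels; good enough for a triage list.
    roots = {".".join(n.lower().split(".")[-2:]) for n in rec["dns_names"]}
    return bool(ours) and short_random and len(roots) > 1


def triage(records, domain, known_hosts):
    """Return [(cert id, unknown names, matches-batch-pattern)] worth a closer look."""
    unknown = unexpected_names(records, domain, known_hosts)
    return [(rec["id"], unknown[rec["id"]], looks_like_shared_host_batch(rec, domain))
            for rec in records if rec["id"] in unknown]
```

Run against a real monitor export, a hit with the batch pattern is the cue to contact the DNS host, as post #2 suggests, rather than to attempt revocation you cannot authorise.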


#9

Such subdomains are perfect phishing domains.

PS: https://www.freenom.com/ offers some free domains.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.