These certificates are also referred to as Multi-Domain or UCC (Unified Communications Certificate) certificates, and can be a mix of wildcards and plain host names. So the Subject Alternative Name (SAN) field can list multiple sites, and even multiple wildcards.
e.g.
site1.domainname.com
site2.domainname.com
site3.domain.org
site.domain2.com
*.yourdomain.com
*.someotherdomain.com
myname.domainxyz.com
site1.domain1.net
info.domainnamehere.com
asite.mydomain.biz
The Subject Alternative Name field in the certificate will always show you the hosts that it can protect, regardless of whether they are wildcards or not. Keep in mind that a wildcard entry only stands in for a single label: *.yourdomain.com covers www.yourdomain.com but not yourdomain.com itself or a.b.yourdomain.com.
e.g. (using openssl to read the X.509 certificate details for multiple domains)
And by picking out a few of the hosts, we can match the certificate serial number to confirm that the same certificate is being used for the sites listed. A serial number is only unique within one issuing CA, so if you want a definitive answer compare the certificate fingerprint as well.
e.g. (using openssl to validate certificate serial numbers)
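The openssl commands behind the two checks above, as an added example that is not part of the original post: it lists the DNS names in the SAN extension, prints the serial and SHA-256 fingerprint, tells whether two saved certificates are the same one, and decides whether a given host name is covered (with the single-label wildcard rule). The host names are the illustrative ones from the post; the certificates are self-signed and generated locally (the make_san_cert helper is an assumption for running offline), so nothing here talks to a real site.

```sh
#!/bin/sh
# Added example, not from the original post: SAN / serial checks with the openssl CLI.
# Certificates are self-signed and generated locally so the script runs offline.

# make_san_cert OUT.pem CN "DNS:a,DNS:b,..." : self-signed cert carrying the given SANs
# (helper assumed for this demo; a real cert would come from your CA or from s_client)
make_san_cert() {
    out=$1 cn=$2 sans=$3
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = %s\n' \
        "$sans" > "$out.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$out.key" -out "$out" -config "$out.cnf" -extensions san \
        >/dev/null 2>&1
}

# For a live host, save the leaf certificate first. Always pass -servername (SNI):
# a shared hosting box may hand back a different certificate without it.
#   openssl s_client -connect site1.domainname.com:443 -servername site1.domainname.com \
#       </dev/null 2>/dev/null | openssl x509 -outform PEM > site1.domainname.com.pem

# cert_sans CERT.pem : DNS names from the Subject Alternative Name extension, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_serial CERT.pem : serial number as printed by "openssl x509 -serial"
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# cert_fingerprint CERT.pem : SHA-256 fingerprint, the unambiguous identity of a cert
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_cert A.pem B.pem : true when both files hold the same certificate.
# Serials are only unique per issuer, so the fingerprint backs up the serial match.
same_cert() {
    [ "$(cert_serial "$1")" = "$(cert_serial "$2")" ] &&
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# san_covers CERT.pem HOSTNAME : true when a SAN entry matches the host name.
# A wildcard only matches the leftmost label (RFC 6125 section 6.4.3):
# *.yourdomain.com covers www.yourdomain.com, not yourdomain.com or a.b.yourdomain.com.
san_covers() {
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    covered=1
    while IFS= read -r san; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case "$san" in
            \*.*)
                [ "${name#*.}" = "${san#\*.}" ] && [ "${name%%.*}" != "$name" ] && covered=0
                ;;
            *)
                [ "$san" = "$name" ] && covered=0
                ;;
        esac
    done <<EOF
$(cert_sans "$1")
EOF
    return $covered
}

# --- demo: one multi-domain cert shared by two hosts, a different cert on a third ---
WORK=$(mktemp -d)
make_san_cert "$WORK/ucc.pem" site1.domainname.com \
    'DNS:site1.domainname.com,DNS:site2.domainname.com,DNS:*.yourdomain.com'
make_san_cert "$WORK/other.pem" asite.mydomain.biz 'DNS:asite.mydomain.biz'
# Stand-ins for what s_client would have saved from each host:
cp "$WORK/ucc.pem" "$WORK/site1.domainname.com.pem"
cp "$WORK/ucc.pem" "$WORK/site2.domainname.com.pem"

echo "SANs in ucc.pem:"; cert_sans "$WORK/ucc.pem"
echo "serial: $(cert_serial "$WORK/ucc.pem")"
for h in site1.domainname.com www.yourdomain.com a.b.yourdomain.com yourdomain.com; do
    if san_covers "$WORK/ucc.pem" "$h"; then echo "covered:     $h"; else echo "NOT covered: $h"; fi
done
same_cert "$WORK/site1.domainname.com.pem" "$WORK/site2.domainname.com.pem" \
    && echo "site1 and site2 share one certificate"
same_cert "$WORK/site1.domainname.com.pem" "$WORK/other.pem" \
    || echo "site1 and asite.mydomain.biz use different certificates"
```

To check real sites, replace the generated files with the output of the commented s_client line for each host and run same_cert over the saved PEMs; two hosts that return the same fingerprint are served by the same key pair, which is exactly the shared-risk situation described below.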
This goes back to the certificate chain of trust: a compromise anywhere along that chain can impact the host(s) below it. An attacker who compromises this certificate by gaining access to the private key could impersonate any of the domains listed in the Subject Alternative Name, and could read encrypted data for all of them: directly, for sessions negotiated with RSA key exchange, or by actively sitting in the middle of the connection when a forward-secret (DHE/ECDHE) cipher suite is in use.
- The advantage of multiple Subject Alternative Names: you can protect multiple sites with just one certificate (great for a web-hosting business).
- The price can be better for a web-hosting company or an enterprise with multiple satellite DBAs (businesses trading under separate domains) where a "*" wildcard is not applicable.
- For SSL decryption, the multiple names allow one configuration or ssl-decryption policy to cover X number of sites.
- The disadvantage: if the certificate is compromised and revoked, multiple sites are affected, in terms of risk, time and cost.
- Any other website that uses this private key and certificate, and anyone with access to it, could potentially get at your data by mounting a MiTM (man in the middle) attack.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \