0

My website is published on Google's Firebase Hosting. I own the domain. Google provision an SSL certificate (lately from Lets Encrypt, it used to be someone else). The certificate is shared between several domains using Subject Alternative Names. I don't own these other domains.

Once domain ownership is verified we will provision an SSL certificate for your domain and deploy it across our global CDN. This process can take several hours.

Domains will be listed as Subject Alternative Names in the FirebaseApp SSL certificate.

My question is: what would happen if a DNS hijack attack redirected requests to my domain to one of the other domains sharing the same certificate? A request to my domain would be received by one of the other serves sharing the certificate. How would the server respond? Would my browser accept the response? If not, how is this protected against?

Colonel Panic
  • 2,214
  • 2
  • 22
  • 23

1 Answers1

1

In the simplest case your domain at Firebase Hosting is sharing the same IP address with the other hosts mentioned in the same certificate anyway, which means there is nothing to actually DNS spoof.

If the IP address is not the safe and the DNS response can be spoofed to point to a different IP address serving the same certificate then both the server name inside the TLS handshake and the Host header inside the HTTP request will still have your domain in it. How the web server reacts to having a domain inside these headers which is not configured at the web server depends on the server configuration which also means the behavior might change over time. Typical behaviors are either sane responses like an error at the TLS level (unknown server_name), error at the HTTP level or an insane response of returning data from another domain at the server. I would expect that the server is configured in the sane way but have no way to test it. But if you know that the same certificate is actually employed on different IP addresses you can try it yourself:

$ openssl s_client -connect IP:port -servername example.com
GET / HTTP/1.0
Host: example.com
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424