
My daily job duties brought me (by mistake) to the following IP: 52.63.96.32

It appears the registrar has signed a "lot" of domains with a single certificate. https://www.shodan.io/host/52.63.96.32

Am I right to assume that:

  • This is information leakage; it discloses websites that aren't advertised on search engines.
  • The virtual web-servers all share the same VM.
  • The virtual web-servers all use the same certificate; therefore the private key could be leaked/disclosed by one web server using an insecure SSL/TLS protocol.
  • Each customer should be concerned, as this is potentially vulnerable to Meltdown/Spectre?

Also, if one of these websites were to be compromised (injection or XSS), does it compromise the other websites?

And finally, should I have any concerns if my company were hosting a website on this server?

1 Answer

5

First, it is perfectly normal for content delivery networks to have such certificates. And given the IP address this looks like Amazon AWS, possibly their CloudFront service, which serves as a TLS termination point and load balancer that then forwards the traffic to the appropriate system. This is actually typical behavior which you will also see at Cloudflare CDN. Therefore I don't think that this was a mistake.

This is information leakage; it discloses websites that aren't advertised on search engines.

I think that these sites have explicitly configured HTTPS access so that they get included in the certificate.

The virtual web-servers all share the same VM. The virtual web-servers all use the same certificate; therefore the private key could be leaked/disclosed by one web server using an insecure SSL/TLS protocol.

This certificate is probably used at a load balancer which then forwards the requests to different sites which in case of Amazon AWS are probably each in their own VM.

Each customer should be concerned, as this is potentially vulnerable to Meltdown/Spectre?

No. Sharing the same TLS termination endpoint should not cause such problems.

Also, if one of these websites were to be compromised (injection or XSS), does it compromise the other websites?

XSS is not an attack against the server. Other injections like SQL injection can be. But given that these are probably independent sites running in their own VM a compromise of one VM does not compromise the other one.

And finally, should I have any concerns if my company were hosting a website on this server?

No.

Steffen Ullrich
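To see the "information leakage" point from the question concretely, here is an added example (not from the question or the answer) that builds a self-signed certificate with several unrelated hostnames in its subjectAltName, the way a CDN edge certificate does, and then lists what any TLS client learns from the certificate alone. The hostnames are constructed placeholders under the reserved .test TLD, and the script assumes `openssl` 1.1.1 or newer is installed.

```shell
#!/usr/bin/env bash
# Added example: demonstrates that every DNS name in a shared certificate's
# subjectAltName is visible to anyone who completes a TLS handshake.
# Hostnames below are constructed placeholders; the certificate is self-signed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate whose SAN list carries several
# unrelated (constructed) hostnames. Prints the path of the certificate.
make_shared_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=edge.example.test" \
        -addext "subjectAltName=DNS:shop.example-a.test,DNS:intranet.example-b.test,DNS:staging.example-c.test" \
        >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# List the DNS names in a certificate's subjectAltName, one per line.
# This is exactly what a client sees during the handshake; no login needed.
list_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Count how many hostnames a single certificate discloses.
count_sans() {
    list_sans "$1" | wc -l | tr -d ' '
}

CERT="$(make_shared_cert)"
echo "Hostnames disclosed by the shared certificate:"
list_sans "$CERT"
```

Against a live endpoint the same `list_sans` logic can be fed the output of `openssl s_client -connect host:443 -showcerts`, which is how the Shodan listing in the question was most likely produced.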