13

I've come across a random website Moodoo.cz. The interesting thing is that if you access it via HTTPS: Moodoo.cz, the content completely changes. It is not that unusual - I guess a server can serve different content for different protocols.

But I've found dozens of such websites that have the same content (Peugeot 205 Club forum) served on their HTTPS protocol, many of which are valid businesses. I am strongly convinced that most of these websites don't know about this happening and that it's just some misused security hole.

Can you explain (or at least make some educated guess) what security issue these websites share? What to check to ensure this won't happen to my website?


Following is a subset of websites I've found currently having the described issue. Naturally some of them will fix the issue in the future. You might also be asked to add a temporary security exception to view the content.

Jeyekomon
    I checked the top one just to see if this is something affecting only your network, and I can confirm that it is not. I get the same result as you do. – Anders Mar 06 '18 at 11:38
  • 1
    I do get the same result as you. I did a whois on a few random samples, several but not all seem to share name server data NIPAX.CZ. What you have found looks like some sort of dns compromise or some sort of serious misconfiguration. I'd suggest contacting the technical contact reported by Whois and letting the owners know. Interesting find! – iainpb Mar 06 '18 at 11:40
  • 8
    This is simply a mass hoster with multiple domains on the same IP address - some have HTTPS configured and others don't. It is very common. There is no DNS compromise or any other kind of compromise. The main issue I see here is not the setup of the sites but that the OP assumes that it is perfectly fine to simply ignore the explicit browser warnings when accessing the site. If this would be the case the warnings would not be there and would not be designed to make it hard to continue. – Steffen Ullrich Mar 06 '18 at 12:02
  • 1
    I'd like to point out that visiting the Moodoo site, there's an SQL statement visible on the page. Which seems very odd. – mickburkejnr Mar 06 '18 at 15:03
  • Someone failed to properly set up [SNI](https://en.m.wikipedia.org/wiki/Server_Name_Indication) – n0rd Mar 06 '18 at 21:29
  • 2
    Questions about the same issue on Webmasters SE ([“https://” refers to random site, \[…\]](https://webmasters.stackexchange.com/q/55685/17633) · [HTTPS and HTTP URLs point to different places?](https://webmasters.stackexchange.com/q/60385/17633)) and Stack Overflow ([Multiple sites per Apache server with SSL showing wrong site with HTTPS](https://stackoverflow.com/q/19070296/1591669)). – unor Mar 06 '18 at 22:32

4 Answers

42

This is likely a server misconfiguration, since all those websites are served from 95.173.215.72.

When opening one of the websites via HTTPS, my browser warns me that the certificate common name, which must match the website domain, is invalid.

I guess those websites aren't supposed to be accessible via HTTPS, since Apache isn't configured to deliver the correct certificate, and seems to load the default website (forum.205gti.org).

As far as I know, this isn't a security vulnerability.

Benoit Esnard
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/74164/discussion-on-answer-by-benoit-esnard-accessing-multiple-sites-via-https-produce). – Rory Alsop Mar 07 '18 at 19:44
12

> You might also be asked to add a temporary security exception to view the content.

This is a typical issue when multiple sites share the same IP address and some of these have HTTPS enabled and some not. In this case often a default certificate and site will be served where the certificate's subject does not match the domain in the URL - and this results in a certificate validation failure which leads to the warning you see.

Given that users are not supposed to simply click through such warnings this simply means that the site is effectively (i.e. for users who don't skip warnings) not available by HTTPS. But, just being not accessible by HTTPS is not a security issue by itself. In other words: I fail to see a security problem here. And you also only claim that there is a security problem but don't really explain what it exactly is. Note that there are alternative ways to deal with a situation where some sites on the same IP address have HTTPS enabled and some don't. Instead of serving some default site some setups simply serve nothing, i.e. result in some connection error. But essentially both cases mean that there will be no content served to the user.

But I see a different problem: you assume that it is ok just to ignore the explicit browser warnings and continue to access the site. If you have this mindset it is easy to mount a man in the middle attack against you since you will simply click through the same explicit warnings you get from the browser when visiting some site while being attacked. And being vulnerable to man in the middle attacks because of ignoring such warnings is the real security issue here.

Steffen Ullrich
  • I see a serious security problem here: When the default site happens to be an attacker, he can create a very convincing website to gather user credentials, for example. User can find those HTTPS links easily in Google search. And when the only thing that stops you from being served a malicious website with a trusted URL is a couple of clicks through some warnings, then I consider that a security issue. You can never base your security on expecting all people being smart. – Jeyekomon Mar 06 '18 at 12:43
  • @Jeyekomon: I agree that users who ignore browser warnings are more likely to enter their credentials into any convincing-looking site. Still, I see the main issue here that the user ignores the browser warnings in the first place and that the OP assumes that this is perfectly normal to do. If the warnings get ignored even more attacks are possible. – Steffen Ullrich Mar 06 '18 at 12:46
  • +1 This explains the underlying "issue" in complete detail, explains why this isn't actually a problem, and explains where the only actual problem exists. – Conor Mancone Mar 06 '18 at 14:59
  • _"Given that users are not supposed to simply click through such warnings this simple means that the site is not available by HTTPS"_ It certainly doesn't. A warning is nothing at all like a denial of service. The service is available, and serving the wrong content. I do agree that this is not a security vulnerability. – Lightness Races in Orbit Mar 06 '18 at 16:07
  • @LightnessRacesinOrbit: I've adapted the wording to make it clearer that I did not mean the absolute availability but the effective one, i.e. the one where users behave as it is expected and don't skip the warning (which most browsers make really hard to do anyway today). – Steffen Ullrich Mar 06 '18 at 16:19
  • @Jeyekomon I am not 100% sure, but I guess that Google will not index a site with an invalid certificate (bad hostname). – v6ak Mar 06 '18 at 17:58
  • @v6ak I am 100% sure, I tried it. Just search for "moodoo peugeot" (without the quotes) for example. – Jeyekomon Mar 06 '18 at 18:59
  • @Jeyekomon OK, thank you. According to https://whois.smartweb.cz/object/95.173.214.156/ , it is run by PROZETA,-NET a Czech company. It seems that their website is both prozeta.net and prozeta.eu. They don't seem to care much about HTTPS even on their own website: when you try HTTPS there, you'll get a certificate mismatch on a certificate that is about one year expired. – v6ak Mar 06 '18 at 19:21
1

Clearing up some questions, may or may not prove to answer the OP's immediate questions:

  1. You can get an SSL Cert for multiple domains.
  2. You can get an SSL Cert for a single IP.
  3. The error thrown on https://www.hanes.cz is explanatory enough. The server is misconfigured in that the server is attempting to use the SSL cert for forum.205gti.org. Until this is corrected the connection is not secure.

You should report this issue to the server administrator.

Steven K7FAQ
1

It looks like this site is hosting multiple sites with the same IP address.

Historically, you could only have one site (in this case the Peugeot club) using HTTPS per IP address which is probably the reason why this site has been configured like this.

This happened because the SSL/TLS handshake happened before the client sent the server the "Host" header which defines which site it is trying to access. Because the server did not know which site was being accessed, it would always use the same certificate for all requests.

Nowadays there is an extension to the TLS protocol called Server Name Indication that lets the client specify which host it is trying to access.

Unfortunately it took a very long time for web clients and even servers to implement SNI, so you still see site configurations like this in the wild.

hrnt
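The check the question asks for, covering both the default-certificate behaviour Steffen Ullrich describes and the SNI mechanism hrnt describes, as an added example that is not from any of the answers: `probe()` opens one TLS connection with SNI and one without and reports whether the certificate the server presents actually covers the requested hostname (a mismatch without SNI is the "default site" case from this question). The function names are assumptions; `hostname_matches()` and `dns_names()` work offline on the dict `ssl.SSLSocket.getpeercert()` returns, while `probe()` needs network access to the host you are testing.

```python
import socket
import ssl

def hostname_matches(cert_names, hostname):
    """True if hostname is covered by one of the certificate's DNS names.
    A wildcard is honoured only in the leftmost label and covers one label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.hanes.cz" -> ".hanes.cz"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False

def dns_names(cert):
    """Collect DNS names from the dict ssl.SSLSocket.getpeercert() returns,
    falling back to the subject CN when the certificate has no SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for kind, v in rdn if kind == "commonName"]
    return names

def probe(hostname, address=None, port=443, sni=True, timeout=5):
    """Connect with or without SNI and report which names the presented
    certificate carries and whether they cover `hostname`. Hostname checking
    is switched off so a mismatched default certificate can be inspected;
    the chain is still verified against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the comparison is done by hostname_matches
    try:
        with socket.create_connection((address or hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname if sni else None) as tls:
                names = dns_names(tls.getpeercert())
    except OSError as err:  # includes ssl.SSLError: untrusted chain, alert, reset
        return {"sni": sni, "names": [], "matches": False, "error": str(err)}
    return {"sni": sni, "names": names,
            "matches": hostname_matches(names, hostname), "error": None}

if __name__ == "__main__":
    import sys
    # Usage: python probe.py www.example.org  (hypothetical file name)
    for with_sni in (True, False):
        print(probe(sys.argv[1], sni=with_sni))
```

A site is in the state described in the question when the SNI result matches and the non-SNI result reports a certificate for some other name; the harmless alternative Steffen mentions shows up as `error` being set for the non-SNI connection instead.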