-1

I'd appreciate it if someone could shed some light on the finding below.

Is it a security problem that bank.com appears in the SAN?

Hostname was discovered in the Subject Alternative Name (SAN) of the certificate presented by the service.

Mike Ounsworth
Shabir

  • Going to need more information. What domain are you getting the certificate from? What other domains are in the SAN? – AndrolGenhald Oct 10 '18 at 19:22
  • The finding says that hostname 'xxxxxx.com' was discovered in the SAN of the certificate presented by the service. There is only one domain. – Shabir Oct 10 '18 at 19:32
  • @Shabir: it is perfectly normal that the certificate contains the name of the site you visit and that this information is contained in the SAN. This information is actually needed to validate the certificate and make sure that you visit the intended site instead of some server set up by an attacker. – Steffen Ullrich Oct 10 '18 at 19:39
  • Do you mean that "aaaaa.tld" appeared on a certificate for "bbbbb.tld"? – Ghedipunk Oct 10 '18 at 19:40

1 Answer

2

It sounds like you got a report with "SSL Certificate Subject Alternative Name Information Disclosure" in big scary letters and you're not sure what to do about it.

This is one of those things where 90% of the time it's not a problem and you can mark it as a false positive.

Here's how certificates and SANs work: when I tell my browser to connect to security.stackexchange.com, my browser expects the server to present a certificate containing this domain in a SAN. If you click the padlock, you'll see that the first SAN is DNS Name=*.stackexchange.com so we're good. On the surface there's nothing wrong with this.

The reason tools report "Information Disclosure" warnings for certificates is that sometimes people put more information than they should in a certificate. For example, if the certificate listed the hostnames of each load balancer, that would be a problem because you're telling attackers what individual machines are on your network.

Bottom line: you'll need to look at what information is being "disclosed" in the SAN and ask yourself "Is this public information that someone needs to know in order to use our site, or does it give away secret information about our internal network structure?"

Mike Ounsworth
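The answer's bottom line is a triage question: for each SAN entry, is it a name the public must know to reach the site, or does it describe internal infrastructure? The script below is an added example (not part of the original answer or of any scanner) that automates a first pass over the comma-separated SAN line that `openssl x509 -in cert.pem -noout -ext subjectAltName` prints. It flags private IP addresses, non-public suffixes such as `.local` or `.internal`, single-label hostnames and labels that look like individual nodes (`lb01`, `proxy2`). The suffix and label lists are assumptions chosen for illustration; tune them to your own estate.

```python
import ipaddress
import re

# Suffixes that do not resolve on the public Internet (.local per RFC 6762,
# home.arpa per RFC 8375) plus common private conventions.
# Assumption: extend this tuple with your organisation's own internal zones.
INTERNAL_SUFFIXES = (
    ".local", ".internal", ".intranet", ".lan", ".corp",
    ".home.arpa", ".localdomain",
)

# Leftmost labels that usually name an infrastructure node rather than a
# public service. Constructed heuristic list, not a standard.
INFRA_LABEL = re.compile(
    r"^(lb|loadbalancer|proxy|db|sql|backup|vpn|mgmt|jump|bastion)\d*$",
    re.IGNORECASE,
)


def parse_openssl_san(line: str) -> list[tuple[str, str]]:
    """Split 'DNS:a.example, IP Address:10.0.0.5' into (kind, value) pairs."""
    entries = []
    for item in line.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def classify(kind: str, value: str) -> tuple[str, str]:
    """Return ('public' | 'review', reason) for one SAN entry."""
    if kind == "IP Address":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return "review", "unparseable IP address"
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "review", "private/reserved address reveals internal addressing"
        return "public", "public IP"
    if kind != "DNS":
        # email, URI, otherName etc. are rare on a server cert; look at them by hand
        return "review", f"unusual GeneralName type {kind}"
    host = value.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # a wildcard covers one label; judge the suffix it protects
    if "." not in host:
        return "review", "single-label name only resolves on an internal resolver"
    if host.endswith(INTERNAL_SUFFIXES):
        return "review", "non-public suffix leaks internal naming"
    if INFRA_LABEL.match(host.split(".")[0]):
        return "review", "label looks like an individual infrastructure node"
    return "public", "ordinary public hostname"


def audit_san(line: str) -> dict[str, list[str]]:
    """Bucket every SAN entry on the line into 'public' or 'review' with a reason."""
    report: dict[str, list[str]] = {"public": [], "review": []}
    for kind, value in parse_openssl_san(line):
        verdict, reason = classify(kind, value)
        report[verdict].append(f"{kind}:{value} ({reason})")
    return report


if __name__ == "__main__":
    # Constructed sample SAN line of the kind a scanner report quotes back at you.
    sample = ("DNS:*.stackexchange.com, DNS:stackexchange.com, "
              "DNS:lb01.example.com, DNS:app.corp.internal, IP Address:10.20.30.40")
    for bucket, items in audit_san(sample).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

Entries in the `public` bucket are the normal case the answer describes (the site's own name, as with `*.stackexchange.com`) and can be marked as a false positive; anything in `review` is worth a human look, because the fix is usually to issue a separate internal certificate rather than to bundle internal names into the public one.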