0

I recently Googled a website, e.g. A.com, and found B.com in the search results at the top. In reality A.com should be on top, as B.com doesn't have anything in common with or related to A.com, but Google shows it in the search results at the top. In fact all meta tags / keywords are not there in B.com. Now the interesting part is, when I visit B.com, the browser does show me a warning. I ignore it and visit the website. Interestingly, all the content is from A.com. Even the contact form submitted is received by A.com. When I visit B.com without https, the original B.com is shown, whereas if I use https://B.com, then A.com is shown (the browser URL bar shows B.com with a security warning).

1] Now I wonder why this is happening?
2] Has B.com installed A.com's certificate by mistake?
3] If so, how can they get the private key for that purpose?
4] Why is Google showing that website in search results?

Alkemi
    We have no way (besides guessing) to know what is the matter as long as you don't tell us the names of the websites. Please [edit] your question to do so. – guntbert Jun 04 '19 at 19:27

1 Answer

3

2] Has B.com installed A.com certificate by mistake? 3] If so, how can they get private key for that purpose?

Probably A.com and B.com are both hosted on the same server and have the same IP address. It is a common (mis)configuration of the server that if there is no certificate configured for B.com then it will use a certificate of another domain at the same IP address, in this case A.com. In other words: B.com does not explicitly use the certificate for A.com, but it just happens to be the implicit fallback certificate on the host which serves both A.com and B.com.

1] Now I wonder why this is happening? ... 4] Why Google is showing that website in search results?

It looks like Google's web crawler does not really care about the validity of the certificate when crawling a web site, and thus https://B.com ends up being indexed with the content of https://A.com despite this configuration problem, and thus also shows up in the search results with this content. The crawlers of Microsoft Bing and Baidu seem to ignore invalid certificates too, since they also show up in the logs of a domain I explicitly serve for such tests with an invalid certificate.

Steffen Ullrich
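
The fallback behaviour described in the answer above, as an added example that is not part of the original answer: a small Python model of how a server on a shared IP picks a certificate by SNI, used to flag hosted names that would be served another site's certificate. The domain names and vhost tables are constructed, and the "first match, else default vhost" selection is an assumed simplification of typical web-server behaviour.

```python
# Added example: model of certificate selection by SNI on a shared IP address.
# All domain names and vhost tables below are constructed for illustration.

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.a.example)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def select_cert(tls_vhosts, default_vhost, sni):
    """SAN list of the certificate presented for `sni`.
    Assumed simplification: first matching TLS vhost wins, otherwise the
    default TLS vhost's certificate is the implicit fallback."""
    for server_name, sans in tls_vhosts.items():
        if name_matches(server_name, sni):
            return sans
    return tls_vhosts[default_vhost]

def audit(hosted_names, tls_vhosts, default_vhost):
    """Hosted names that would be served a certificate not valid for them."""
    findings = []
    for name in hosted_names:
        sans = select_cert(tls_vhosts, default_vhost, name)
        if not any(name_matches(s, name) for s in sans):
            findings.append((name, sans))
    return findings

# Names that resolve to the shared IP (constructed).
HOSTED = ["a.example", "www.a.example", "b.example"]
A_CERT = ["a.example", "www.a.example"]

# Misconfigured: b.example only has a plain-HTTP vhost, no TLS vhost.
MISCONFIGURED = {"a.example": A_CERT, "www.a.example": A_CERT}
# Corrected: b.example has its own TLS vhost and certificate.
CORRECTED = dict(MISCONFIGURED, **{"b.example": ["b.example"]})

if __name__ == "__main__":
    for label, table in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, audit(HOSTED, table, "a.example"))
```

A finding means the name gets the default vhost's certificate and, with it, that vhost's content, which is what the browser warning and the A.com pages on https://B.com reflect.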