Is there any risk associated with having lots of websites in your SAN list? For instance:
Or is this common among website hosts, and possibly safe?
The risk is that all those websites share a public key and private key. That means that any of those sites could impersonate / man-in-the-middle another and you would still get the HTTPS padlock. For example, you could be browsing newrepublic.com, but if somehow your traffic was actually going to robertwalters.cn, your browser would have no way to tell.
That said, it's becoming quite common for companies that host more than one site to put them all on the same certificate. This saves costs; both the costs of purchasing the certificate from a Certificate Authority, and also annoyance of each cert expiring and needing to be renewed at a different time.
This is getting even more common with massive hosting providers like CloudFlare who host (or at least provide front-end services for) thousands (millions?) of websites. In these setups, the HTTPS connection is between your browser and the CloudFlare front-end, and your traffic flows through CloudFlare's backend unencrypted. Since CloudFlare has the private keys for every website it fronts, does it really matter if they're all on the same cert?
Really what that tells you is that those sites are all hosted by the same provider. I don't think there's anything to worry about here.
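As an added illustration of the shared-key point above (example code, not from the question or the answer), this Go program builds a self-signed certificate over a single key whose SAN list covers several constructed names, shows that the standard client-side hostname check accepts that one key for any of them, and lists the SAN entries that fall outside the domains you own, which is the check a site operator would run on a certificate a shared host issued for them. The domain names are reused from the answer purely as constructed test data; since the cert is self-signed, only the name match is demonstrated, not chain trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// buildSharedCert: a self-signed leaf over ONE key pair whose SAN list covers every host (constructed test data).
func buildSharedCert(hosts []string) *x509.Certificate {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     hosts, // the SAN list: every name this single key speaks for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// UnexpectedSANs: SAN entries outside the domains you own; each shares your private key and is accepted as you.
func UnexpectedSANs(cert *x509.Certificate, owned []string) (foreign []string) {
	for _, san := range cert.DNSNames {
		base, ours := "."+strings.TrimPrefix(san, "*."), false
		for _, d := range owned {
			ours = ours || strings.HasSuffix(base, "."+d) // exact match or subdomain
		}
		if !ours {
			foreign = append(foreign, san)
		}
	}
	return foreign
}

func main() {
	cert := buildSharedCert([]string{"newrepublic.com", "*.newrepublic.com", "robertwalters.cn"})
	// The client-side name check passes for any SAN entry, and all of them are backed by the same key.
	fmt.Println(cert.VerifyHostname("robertwalters.cn") == nil, UnexpectedSANs(cert, []string{"newrepublic.com"}))
}
```

Running `UnexpectedSANs` against your own production certificate with the domains you actually control is the practical takeaway: any name it returns is a site whose key material is identical to yours.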