I've got a server that has a domain and an SSL Certificate issued to that domain.

It's expected behavior that when an IP address is browsed, it redirects to the domain name of the server and the SSL Certificate is valid. e.g:

https://ip => https://example.com

In my case, if I put in the IP, it stays as an IP in the URL bar and the certificate becomes invalid.

https://ip => https://ip

My question is, is there a security risk if a server doesn't resolve its domain name and stays on IP with an invalid SSL Certificate?

Crashie

1 Answer

It's expected behavior that when an IP address is browsed, it redirects to the domain name of the server and the SSL Certificate is valid. e.g: ...

Actually in many cases the expected behavior is to get an error. This is at least the normal case on multi-domain systems (which are pretty common) since there isn't a unique domain name for the IP address.

And even in the rare case where only a single domain is on an IP address it is pretty normal that the IP address is not included in the certificate, so that the initial attempt of https://ip will already fail due to an invalid certificate.

My question is, is there a security risk if a server doesn't resolve its domain name and stays on IP with an invalid SSL Certificate?

The security risk is not that it does not use a domain name but that the certificate does not match the name in the URL. It does not matter if the name in the URL is an IP address or a domain name, but it must be included in the certificate and the certificate must also be otherwise valid.

Steffen Ullrich
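
The check the answer describes, as an added example that is not part of the original answer: the host taken from the URL, whether an IP address or a domain name, must appear in the certificate's subjectAltName. The certificate dicts below are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_DOMAIN_ONLY = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
CERT_WITH_IP = {"subjectAltName": (("DNS", "example.com"), ("IP Address", "203.0.113.10"))}


def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def url_host_in_cert(cert, host):
    """True if the host from the URL is listed in the certificate's SAN."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(host)
    if ip is not None:
        # An IP in the URL is compared only with IP SAN entries, never DNS ones.
        return any(kind == "IP Address" and _as_ip(value) == ip for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)


if __name__ == "__main__":
    for label, cert in (("domain-only", CERT_DOMAIN_ONLY), ("with-ip", CERT_WITH_IP)):
        for host in ("example.com", "www.example.com", "203.0.113.10"):
            print(f"{label:12} {host:16} -> {url_host_in_cert(cert, host)}")
```

With the domain-only certificate, `https://203.0.113.10` fails the name check even though the same server passes for `https://example.com`, which is the situation described in the question.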