twitter facebook rss

Misleading Certificates

Posted by on March 12, 2016.

I’ve been training people in security awareness for a long time now. It’s how I make my living. One of the topics I always cover is how to use the web safely. You’ll notice that I refer to using the web, rather than browsing it. That’s because the web nowadays is a two-way process. We no longer merely read stuff that someone else has written. Instead, we interact with web sites and often type stuff into our browsers. Stuff which is often confidential, such as credit card numbers and other personal information.

As we all know, you shouldn’t enter personal data into a web page without first checking that the page is encrypted. Which means checking for an https protocol and the padlock symbol. If you’re feeling particularly paranoid you can also view the certificate and check that the domain it’s protecting is the one you’re looking at.  At least, that’s what I’ve always taught people.

No one has ever come back to me with a concern that there’s a mismatch between the certificate’s listed domain and the one they’re browsing. And yet, there are actually millions of sites which exhibit just such a behaviour and yet are perfectly secure.

The reason is something called SAN certificates, or Subject Alternative Names. A single SAN certificate allows you to protect up to 25 separate URLs. However, most browsers only show the primary one unless you know how to view the full properties for the cert and thus reveal the other domains it protects.

Here’s a real example. Head to the Government’s HMRC tax web site at and click on the certificate icon in your browser to examine it. Both Chrome and Firefox will tell you that the site is indeed protected and that the certificate relates to Really?  Only by examining the detailed properties of the cert do you see the full list of domains to which it applies.

Personally, if I’m securing multiple domains I prefer to keep a separate certificate for each one. For the sake of a few quid, it means that users see what they expect to. And if there’s ever a problem with the certificate, you end up with only a single broken web site rather than 25.


Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Robert Schifreen |