Meet your internet neighbors – sharing SSL keys with strangers

You may think I’m pulling your leg when I say that you share encryption keys with an adult content website, road sweepers in West Sussex, or hackers trying to impersonate Apple. But that’s exactly what happens when you use a free content delivery network (CDN) service with HTTPS.

Check your neighbors with our tool at https://keychest.net, have fun, and share your findings!

KeyChest – a thorough certificate check

While working on our web security scanner and planning tool KeyChest, we realized that free web security has its downsides. We use Cloudflare to handle peak traffic on this blog. One of their free services is HTTPS – the green padlock or text “Secure” next to your website address.

A security warning of mis-configured websites.

You need a certificate for your website to show the green, trustworthy, reassuring “Secure”, rather than a warning that your website is insecure, or even a big red triangle warning your visitors about the dangers of lions ahead should they decide to visit your website anyway.

Now, Cloudflare and other content delivery networks (CDN) provide a free-tier service. They can afford to because they already own all the infrastructure needed to cache and speed up your website.

The only thing they have to buy is certificates, so they try to be clever and minimize that cost. One way is to issue a single certificate covering several domains, which cuts the cost per domain. If you are a free-tier client, you suddenly get a bunch of neighbors sharing the same encryption key.


Random examples

I looked at 40 random certificates issued for Cloudflare, and here are some interesting bits of information I found.

Number of your neighbors

Number of neighbors in 40 random Cloudflare certificates.

The median number of certificate “neighbors” was 23, but you can have as many as 48 of them.

Location of your neighbors

If you wonder whether your neighbors are local or from the other side of the world, here is the distribution of top-level domains I found. The chart shows the top-level domains with at least 2 servers; there were another 38 top-level domains with just one server present.

Appearance of top domains in 1,090 random Cloudflare clients.

.com is no surprise; .tk, .cf, and .ga are free domain services; .top is one of the new generic domains, just like .xyz. The first national top-level domain in the chart above is Bulgaria, followed by Russia and the UK.
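The neighbor list and the top-level-domain tally above can be reproduced offline, because a multi-domain certificate names every host it covers in its Subject Alternative Name extension. The Go program below is an added example, not code from the article or from KeyChest; the certificate it inspects is self-signed and its host names are constructed stand-ins for a CDN’s shared certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// Neighbors lists every dNSName in the Subject Alternative Name extension
// except the one you own (all of them share this certificate's private key)
// and tallies them by top-level domain, as in the chart above.
func Neighbors(cert *x509.Certificate, mine string) ([]string, map[string]int) {
	var names []string
	tlds := map[string]int{}
	for _, n := range cert.DNSNames {
		if n == mine {
			continue
		}
		names = append(names, n)
		tlds[n[strings.LastIndex(n, ".")+1:]]++
	}
	return names, tlds
}

// SampleCert builds a self-signed certificate whose SAN list is a constructed
// set of unrelated hostnames, standing in for a CDN's shared certificate.
func SampleCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     sans, // one certificate, many unrelated hosts
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // read the SANs back as a client would
}
```

Against a live site you would pass `Neighbors` the leaf certificate from a TLS handshake (`tls.Dial(...).ConnectionState().PeerCertificates[0]`) instead of the constructed one.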

What are neighbors like

This is where it starts becoming fun but also a bit awkward. The good news first: only 3 servers (out of 1,090) were trying to impersonate someone else (phishing with Unicode domain names).

There are many server addresses which either don’t work or don’t welcome random web visitors.

The chances are that at least one of the neighbors you “share” your HTTPS key with provides adult content.

You may be lucky and have neighbors like:

  • food management in Argentina – alimentaria.com.ar
  • Turkmenistan transportation – dostavka.tm
  • Jamie Oliver’s restaurant – fifteencornwall.org
  • puzzles for children – fomuvi.ru
  • a farming simulator (in Russian) – fs2015mod.ru
  • a blog about buckwheat – grechkalife.ru
  • … with a funny odd one: useful technology links – usefulsh.it

You can have some fun neighbors, like John Bradshaw Guns, who is in the neighborhood of:

  • road sweepers west sussex;
  • security gate installations;
  • toilet for hire;
  • marine engineering essex;
  • welding machines; or
  • service dating rotterdam (no, this is not a dating service).

You may also be quite unlucky, like a nice blog helping people with debt consolidation. It has 46 neighbors, most of them Chinese adult websites like 1749554.top or 2613239.top.

If you use Cloudflare or another CDN service, feel free to check your neighbors at https://keychest.net, have fun, and share your findings!

A piece of good news

It seems that Cloudflare is trying to make this uncomfortable meet-your-neighbor situation bearable within reason. If you register your main domains with Cloudflare, its certificate generation system puts all your domains into the same certificate. This reduces the chance of having a neighbor you’d rather never know about.


Published by

Dan Cvrcek

Founder and CEO of Enigma Bridge, engineer, entrepreneur, cryptography SME, security architect, and professor.