[talk] SAN SSL Certificates
Pete Wright
pete at nomadlogic.org
Thu Dec 15 19:21:30 EST 2016
So I've recently started working for a company that manages quite a few
websites around the States and noticed that one practice they have
adopted here is using SAN (Subject Alternative Name) SSL certificates.
This allows them to purchase a single SSL certificate that is valid for,
I think, up to 20 domains.
I had heard of this certificate type before, but thought its primary
intent was internal AD domain management. I've been looking around at
some other publishers and have noticed a fair number of other sites
using this certificate type.
My initial thought is that this seems like an interesting attack vector.
For example, if www.foobar.com has a SAN cert covering a bunch of other
domains, then I know they are all under one umbrella. But also, I've
found that most use cases involve domains that appear to be middleware
or backend services under these certs. For example, www.bloomberg.com's
cert is also valid for:
fonts.gotraffic.net, bbg-img.bwbx.io, etc.
Anyone thought about this with a more clear head than me?
-p
--
Pete Wright
pete at nomadlogic.org
nomadlogicLA
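The "one umbrella" observation above is just the SAN extension read back as reconnaissance. The following is an added example, not code from the original post: it decodes the dNSName entries of a DER-encoded subjectAltName value (the GeneralNames SEQUENCE that sits inside the extension's extnValue OCTET STRING, RFC 5280 section 4.2.1.6) using only the Python standard library, then groups the hostnames by a naive "registrable domain" so the cross-domain relationships stand out. The sample name list is constructed for this example (the three names mentioned in the post plus a wildcard), the SAN blob is built by the block's own encoder rather than pulled from a live certificate, and the registrable-domain helper assumes "last two labels", which is wrong for suffixes like co.uk; real tooling should use the Public Suffix List.

```python
"""Decode dNSName entries from an X.509 subjectAltName value and group
them by registrable domain.  Standard library only; no network access.
Added example for discussion; the SAN contents are constructed here."""

# Context-specific, primitive tags of the GeneralName CHOICE (RFC 5280 4.2.1.6).
TAG_RFC822 = 0x81   # [1] rfc822Name IA5String
TAG_DNS = 0x82      # [2] dNSName    IA5String
TAG_IP = 0x87       # [7] iPAddress  OCTET STRING
TAG_SEQUENCE = 0x30


def _encode_len(n):
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(dns_names):
    """Build the DER GeneralNames value a subjectAltName extnValue carries."""
    inner = b"".join(
        bytes([TAG_DNS]) + _encode_len(len(n)) + n.encode("ascii") for n in dns_names
    )
    return bytes([TAG_SEQUENCE]) + _encode_len(len(inner)) + inner


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_san(der):
    """Return [(kind, value), ...] for every GeneralName in the SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNS:
            names.append(("dns", value.decode("ascii")))
        elif tag == TAG_RFC822:
            names.append(("email", value.decode("ascii")))
        elif tag == TAG_IP:
            # IPv4 is 4 octets; anything else is shown raw (e.g. 16-octet IPv6).
            ip = ".".join(str(b) for b in value) if len(value) == 4 else value.hex()
            names.append(("ip", ip))
        else:
            names.append(("other", value.hex()))
    return names


def registrable_domain(host):
    """Naive: last two labels, wildcard stripped.  Assumption: no multi-label
    public suffixes (co.uk etc.); use the Public Suffix List for real work."""
    labels = host.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def group_by_registrable_domain(der):
    """Map registrable domain -> list of SAN hostnames under it."""
    groups = {}
    for kind, value in parse_san(der):
        if kind == "dns":
            groups.setdefault(registrable_domain(value), []).append(value)
    return groups


# Constructed sample: names from the post plus a wildcard, not a real cert.
SAMPLE_NAMES = ["www.bloomberg.com", "fonts.gotraffic.net",
                "bbg-img.bwbx.io", "*.bwbx.io"]
SAMPLE_DER = encode_san(SAMPLE_NAMES)

if __name__ == "__main__":
    for domain, hosts in sorted(group_by_registrable_domain(SAMPLE_DER).items()):
        print(f"{domain}: {', '.join(hosts)}")
```

Against a live site the same decoder applies to the extnValue of the 2.5.29.17 extension once the certificate has been fetched and parsed; the grouping step is what turns a flat SAN list into the "who shares infrastructure with whom" picture the post is describing.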