Meet your internet neighbors – sharing SSL keys with strangers
While working on our web security scanner and planning tool KeyChest, we realized that free web security has its downsides. We use Cloudflare to handle peak traffic on this blog, and one of their free services is HTTPS – the green padlock or the word “Secure” next to your website address.
One needs to get a certificate for their website to show the green, trustworthy, reassuring “Secure”, rather than a warning that the website is insecure, or even a big red triangle warning visitors about the dangers of lions ahead, should they decide to visit the website nevertheless.
Now, Cloudflare and other content delivery networks (CDNs) provide a free-tier service. They can do it because they already own all the infrastructure they need to cache and speed up your website.
The only thing they have to buy is certificates, so they try to be clever and minimize that cost. One option is to issue a single certificate covering several domains, which reduces the cost per domain. If you are a free-tier client, you suddenly get a bunch of neighbors sharing the same encryption key.
I have looked at 40 random certificates issued for Cloudflare, and here are some interesting bits of information I found.
Number of your neighbors
The median number of certificate “neighbors” was 23, but you can have as many as 48 of them.
Location of your neighbors
If you wonder whether your neighbors are local or from the other side of the world, here is the distribution of top-level domains I found. The chart shows the top-level domains with at least 2 servers; there were another 38 top-level domains with just one server present.
.com is no surprise; .tk, .cf, and .ga are free domain services. .top is one of the new domains, just like .xyz. The first national top-level domain in the chart above is Bulgaria, followed by Russia and the UK.
What are neighbors like
This is where it starts to become fun, but also a bit awkward. The good news first: only 3 servers (out of 1,090) were trying to impersonate someone else (Unicode domain phishing).
There are many server addresses which either don’t work or don’t welcome random web visitors.
The chances are that at least one of the neighbors you “share” your HTTPS key with provides adult content.
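To see your own neighbors rather than take the numbers above on trust, here is an added Python script (not part of the original post or of KeyChest) that tallies a certificate’s SAN list the way the survey above did: it counts distinct domains, breaks them down by top-level domain and flags punycode (xn--) names of the kind the Unicode phishing remark refers to. The SAN entries are a constructed sample; fetch_san() pulls a live server’s list using only the standard library.

```python
"""Count the "neighbors" in a shared (multi-domain SAN) certificate."""
import socket
import ssl
from collections import Counter

# Constructed sample in the shape returned by ssl.getpeercert()["subjectAltName"].
# The names are illustrative only; a CDN certificate typically pairs a wildcard
# with its apex, so both forms are listed for each domain.
SAMPLE_SAN = (
    ("DNS", "*.alimentaria.com.ar"), ("DNS", "alimentaria.com.ar"),
    ("DNS", "*.grechkalife.ru"), ("DNS", "grechkalife.ru"),
    ("DNS", "*.1749554.top"), ("DNS", "1749554.top"),
    ("DNS", "*.xn--bcher-kva.example"), ("DNS", "xn--bcher-kva.example"),  # IDN label
    ("DNS", "*.usefulsh.it"), ("DNS", "usefulsh.it"),
)


def registrable(name: str) -> str:
    """Strip a leading wildcard label so '*.a.b' and 'a.b' count as one neighbor."""
    return name[2:] if name.startswith("*.") else name


def analyze_san(san):
    """Return (neighbor count, TLD histogram, IDN hosts with their Unicode form)."""
    domains = sorted({registrable(v).lower() for k, v in san if k == "DNS"})
    # Last label only: "alimentaria.com.ar" is counted under ".ar", as the post does.
    tlds = Counter(d.rsplit(".", 1)[-1] for d in domains)
    # Punycode labels ("xn--") are the Unicode domains the post mentions; decode them
    # so a reviewer can eyeball look-alike names instead of raw ACE strings.
    idn = [(d, d.encode("ascii").decode("idna"))
           for d in domains if any(lbl.startswith("xn--") for lbl in d.split("."))]
    return len(domains), tlds, idn


def fetch_san(host: str, port: int = 443):
    """Retrieve the SAN list of a live server (not used by the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    count, tlds, idn = analyze_san(SAMPLE_SAN)
    print(f"{count} neighbors; TLDs: {dict(tlds)}; IDN hosts: {idn}")
```

Replace SAMPLE_SAN with fetch_san("your.domain") to inspect the certificate your own site is served with.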
You may be lucky and have neighbors like:
- food management in Argentina – alimentaria.com.ar
- Turkmenistan transportation – dostavka.tm
- Jamie Oliver’s restaurant – fifteencornwall.org
- puzzles for children – fomuvi.ru
- a farming simulator (in Russian) – fs2015mod.ru
- a blog about buckwheat – grechkalife.ru
- … with a funny odd one: useful technology links – usefulsh.it
You can have some fun neighbors, like John Bradshaw Guns, who is in the neighborhood of:
- road sweepers west sussex;
- security gate installations;
- toilet for hire;
- marine engineering essex;
- welding machines; or
- service dating rotterdam (no, this is not a dating service).
You may also be quite unlucky, like a nice blog helping people with debt consolidation. It has 46 neighbors, most of them Chinese adult websites like 1749554.top or 2613239.top.
A piece of good news
It seems that Cloudflare is trying to keep this uncomfortable meet-your-neighbor situation bearable, within reason. If you register your main domains with Cloudflare, the certificate generation system puts all your domains into the same certificate. This reduces the chance of having a neighbor you’d rather never know about.