On Mon, Apr 10, 2023 at 3:30 PM <pe...@easthope.ca> wrote:
>
> Noticed this oddity when working with the new service.
>
> $ nslookup hornby.islandhosting.com
> Server:         192.168.0.1
> Address:        192.168.0.1#53
>
> Non-authoritative answer:
> Name:   hornby.islandhosting.com
> Address: 158.69.159.172
> Name:   hornby.islandhosting.com
> Address: 2607:5300:203:66b5::
>
> $ nslookup mail.easthope.ca
> Server:         192.168.0.1
> Address:        192.168.0.1#53
>
> Non-authoritative answer:
> mail.easthope.ca        canonical name = easthope.ca.
> Name:   easthope.ca
> Address: 158.69.159.172
>
> As expected, login at https://hornby.islandhosting.com:2096 and at
> https://mail.easthope.ca:2096 appear equivalent.
>
> But for URL https://158.69.159.172:2096 Firefox warns,
>
> "Warning: Potential Security Risk Ahead
>
> Firefox detected a potential security threat and did not continue to
> 158.69.159.172. If you visit this site, attackers could try to steal
> information like your passwords, emails, or credit card details.
>
> What can you do about it?
>
> The issue is most likely with the website, and there is nothing you
> can do to resolve it. You can notify the website’s administrator
> about the problem."
>
> What is the risk from an IP address? Misconfiguration at Island Hosting
> as Firefox suggests?
The TLS certificate is bound to a domain, not an IP address:

    X509v3 Subject Alternative Name:
        DNS:*.islandhosting.com, DNS:islandhosting.com

The risks are, it could confuse users and allow them to be tricked. Or it could be an attack, if the attacker controls the IP address. In either case, the result will likely be limited to loss of confidentiality. So user passwords and user data could be lost to an attacker.

Users should probably not short-circuit DNS by using an IP address since so much of the web security model depends on domain names and DNS.

You could ask your webhost to add an IP address to the SAN. I don't recall if the CA/B Baseline Requirements allow an IP address in the SAN, so a public CA may not issue one. I know the Internet's PKIX allows it, however. (PKIX and CA/B BR are two competing PKIs on the internet. PKIX is from the IETF; it is called the "Internet PKI". While CA/B BR is the CA/Browser Forum Baseline Requirements; CA/B is what browsers follow).

    $ openssl s_client -connect hornby.islandhosting.com:2096 -servername hornby.islandhosting.com | openssl x509 -text -noout
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 CN = *.islandhosting.com
    verify return:1
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                85:26:95:89:5b:6b:35:7b:c3:19:5a:ce:61:95:01:7a
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
            Validity
                Not Before: Nov 19 00:00:00 2022 GMT
                Not After : Dec 20 23:59:59 2023 GMT
            Subject: CN = *.islandhosting.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
                X509v3 Subject Key Identifier:
                    DF:C3:D4:F5:31:BF:8F:CA:B9:66:9F:68:74:11:4A:BD:C3:C5:34:18
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.6449.1.2.2.7
                      CPS: https://sectigo.com/CPS
                    Policy: 2.23.140.1.2.1
                Authority Information Access:
                    CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                    OCSP - URI:http://ocsp.sectigo.com
                X509v3 Subject Alternative Name:
                    DNS:*.islandhosting.com, DNS:islandhosting.com
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
                                    B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A
                        Timestamp : Nov 19 05:06:16.306 2022 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                    16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                        Timestamp : Nov 19 05:06:16.242 2022 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
                                    03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
                        Timestamp : Nov 19 05:06:16.217 2022 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
        Signature Algorithm: sha256WithRSAEncryption

Here's what a certificate request configuration file looks like with an IP in the SAN: https://www.cryptopp.com/wiki/X509Certificate#OpenSSL_x509.
But like I said, I'm not sure a public CA will issue one since the CA/B BR may not allow it.

Jeff
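As an added illustration (not code from the thread, from Island Hosting, or from any browser), here is the name-matching step Firefox performs, applied to the SAN of the certificate dumped above: a dNSName entry only ever matches a host name, so a bare IP in the URL bar fails until an iPAddress entry is present. The `IP Address:158.69.159.172` entry is a constructed assumption showing the effect of the change Jeff suggests.

```python
import ipaddress

# SAN entries copied from the certificate dumped in the thread.
SAN_FROM_THREAD = ["DNS:*.islandhosting.com", "DNS:islandhosting.com"]
# Constructed: the same SAN with the IP entry Jeff suggests asking the host to add.
SAN_WITH_IP = SAN_FROM_THREAD + ["IP Address:158.69.159.172"]


def _dns_match(pattern, host):
    """dNSName comparison: case-insensitive, and '*' is allowed only as the
    entire leftmost label, so '*.islandhosting.com' covers
    'hornby.islandhosting.com' but not 'islandhosting.com' or 'a.b.islandhosting.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split(".")[1:], host.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def san_matches(san_entries, requested):
    """True if the host the user typed into the URL bar is covered by a SAN entry."""
    try:
        # A URL host that parses as an address is an IP literal (strip IPv6 brackets).
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if ip is not None:
            # An IP literal is only ever compared with iPAddress entries, never with
            # dNSName entries; compare parsed addresses so 2607:5300:203:66b5:: equals
            # its expanded form.
            if kind in ("IP", "IP Address") and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, requested):
            return True
    return False


if __name__ == "__main__":
    for host in ["hornby.islandhosting.com", "islandhosting.com", "158.69.159.172"]:
        print(f"{host}: as issued={san_matches(SAN_FROM_THREAD, host)}, "
              f"with IP SAN={san_matches(SAN_WITH_IP, host)}")
```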