Throwing shade if you’re a “platform” using a wildcard for all the things Wildcard certs are awesome ( ). They allow you to easily use HTTPS/SSL on any number of subdomains, meaning your all your development subdomain endpoints can use a bare minimum of in-transit encryption without having to worry about cert provisioning via RFC6125 Let’s Encrypt et al. Unfortunately, there is a dark side to wildcard certs — using them in production environments. production environments on “platforms.” Particularly For example, ¹ uses the same wildcard cert for their organisation, as well as all of their hundreds (thousands?) of customers that use addresses. CMNTY <customer>.cmnty.com Platform customer using wildcard…could be ok. Main organisation on same wildcard…erm. I understand the utility (and administrative effectiveness) of using a wildcard certs for for “low value”, “high volume” customers. So have cake, eat too. ,² i.e. the bare name and use it for the “official” organisation. Just use a separate cert for your organisation cert-up cmnty.com Could even take things one-step further with a separate cert for your dev/staging resources ( ), on the off chance they’re publicly accessible for a preview or some such. *.dev.<domain>.com This little rant wouldn’t be complete without some props and drops… Props Brownie points if you bend it like GitHub and use an EV-cert. Questionable utility for non e-commerce sites, but what can I say, they look cool. How’ bout that “brand statement” on “security.” EV for the win Drops³ ⁴ https://auth0.com https://www.squarespace.com https://www.wix.com Footnotes [1] Yal just happened to be the unlucky site I was working with. No bone to pick with CMNTY…yet, working on more complete tear-down (insert: muhaha). [2] CMNTY uses as their canonical name. Causes a bit of a problem because the wildcard would cover…meep. At the risk of igniting a flame war on the merits of , suffice to say that unless you want to deal with writing custom ngnix rules, use non-www if you intend to use a wildcard for customers. [www.cmnty.com](http://www.cmnty.com) www vs non-www [3] To my surprise, it’s not just the www-folks who wildcard all the things. [4] For more on Auth0.

Transit

YouTube

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Dev rant: Stop abusing wildcard certs

Too Long; Didn't Read

Companies Mentioned

Ryan M Harrison

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Dev rant: Stop abusing wildcard certs

Too Long; Didn't Read

Companies Mentioned

Ryan M Harrison

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES