You may think I’m pulling your leg, when I say that you share encryption keys with an adult content website, road sweepers West Sussex, Ferrary Centre, or hackers trying to impersonate Apple. But that’s exactly what happens when you use a free (CDN) service. Click here to check your neighbors with our https://keychest.net , have fun, and share your findings! While working on our web security scanner and planning tool , we realized that free web has its downsides. We use to handle peak traffic on this blog. One of their free services is HTTPS — the green padlock or text “Secure” next to your website address. KeyChest security Cloudflare One needs to get a certificate for their website to show the green, trustworthy, reassuring “Secure”. Rather than a warning that your website is insecure, or even a big red triangle warning your visitors about the dangers of lions ahead, if they decide to visit your website nevertheless. Now, Cloudflare and other content delivery networks (CDN) provide a free-tier service. They can do it as they own all the infrastructure they need to cache and speedup your website. The only thing they have to buy are certificates and they try to be clever and minimize the cost. One of the things they can do is to create one certificate for several domains to reduce the cost per domain. If you are a free-tier client, you suddenly get a bunch of neighbors sharing the same encryption key. Check your neighbors with our https://keychest.net , have fun, and share your findings! Random examples I have looked at 40 random certificates issued for CloudFlare and here are some interesting bits of information I found. Number of your neighbors The median for the number of certificate “neighbors” was 23 but you can have as many as 48 of them. Location of your neighbors If you wonder whether your neighbors are local or from the other side of the world, here is a distribution of top domains I found. The chart shows the top level domains with at least 2 servers, and there were another 38 top level domains with just one server present. .com is not a surprise, .tk, .cf, and .ga are free domain services. .top is one of the new domains, just like .xyz. The first national top domain in the chart above is Bulgaria, followed by Russia, and the UK. What are neighbors like This is where it starts becoming fun but also a bit awkward. The good news first — only 3 servers (out of 1,090) trying to impersonate someone else ( ). Unicode domains Phishing There are many server addresses, which either don’t work or don’t welcome random web visitor. The chances are that at least one of your neighbors you “share” your HTTPS key with provides adult content. : You may be lucky and have neighbors like food management in Argentina — alimentaria.com.ar Turkmenistan transportation — dostavka.tm Jamie Oliver’s restaurant — fifteencornwall.org puzzles for children — fomuvi.ru a farming simulator (in Russian) — fs2015mod.ru a blog about buckwheat — grechkalife.ru … with a funny odd one: useful links — technology usefulsh.it You can have , like John Bradshaw Guns, who is in the neighborhood of: some fun neighbors road sweepers west sussex; ferrari centre; security gate installations; toilet for hire; marine engineering essex; welding machines; or service dating rotterdam (no, this is not a dating service). You may also be quite unlucky like a nice blog helping people with debt consolidation. They have 46 neighbors with most of them being Chinese adult websites like 1749554.top or 2613239.top . If you use Cloudflare, or other CDN service, feel free to check your neighbors at https://keychest.net , have fun, and share your findings! A piece of good news It seems that Cloudflare is trying to make this uncomfortable meet-your-neighbor situation bearable within reason. If you register main domains with Cloudflare, a certificate generation system puts all your domains into the same certificate. This reduces the chance of having a neighbor you’d rather never know about.

Apple

BUNCH

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Not kidding. You share SSL key with ferraricentre! (and luxurymobiletoilet)

Too Long; Didn't Read

Companies Mentioned

Dan Cvrcek

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Not kidding. You share SSL key with ferraricentre! (and luxurymobiletoilet)

Too Long; Didn't Read

Companies Mentioned

Dan Cvrcek

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES