0

I click a link with good content (this doesn't guarantee the site isn't compromised) and Firefox gives me this error:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for example.net. The certificate is only valid for the following names: [A huge list of spamy and pornny sites]

I wonder in what situation this happens?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Ooker
  • 1,529
  • 1
  • 13
  • 17
  • The error message explains " it uses a certificate that is not valid for example.net". Are you asking how a site can use the wrong certificate? – schroeder Sep 27 '21 at 09:16
  • I wonder whether a certificate that is only valid for spamy sites a good certificate? And if so, then why did the example.net site have it in the first place? – Ooker Sep 27 '21 at 09:20
  • Certificates are not good or bad. They are simply tied to certain sites. Just as a house key is not good or bad; those living in the house are good or bad. As for why this site used that particular certificate, then, as I said before, we'd need to see that certificate. Without the technical details, we're only guessing. We'd need the site you were visiting, too, to compare. – schroeder Sep 27 '21 at 09:30
  • I understand that a key is not good or bad, but a key that is used for a lot of bad houses makes me wonder if there is a kind of key that is specific for bad houses? – Ooker Sep 27 '21 at 13:42

2 Answers2

2

Running the site through a TLS checker (I got the URL from your meta question), the checker shows that the site is using the wrong certificate. So, it is not just you or some problem with your connection or a man-in-the-middle problem.

The likely answer is that the site owner or the admin of the hosting site installed the wrong certificate or there has been a configuration error on their side.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • What does "wrong" here mean? Is it "incorrect" or "bad"? Assuming this error is unintended and there is no attack, then how would making an error lead you to install a different certificate? I mean something like having a typo in the code and you always guarantee that the code will still run (different outcome, yes, but it doesn't gives error) – Ooker Sep 27 '21 at 13:49
  • "wrong" means "the wrong house key. Or, more accurately, the wrong ID document. Certificates certify the ID of the server. Please look up how TLS works and how public key cryptography works. https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work – schroeder Sep 27 '21 at 13:54
0

That just means that the site is poorly configured. On the other hand, spammy and porny site can make money, and can be seriously administered. So finding certificates for them is not a surprise.

What can be the cause of that?

  • the site has indeed be compromised and the hacker has used a certificate that they once obtained for the porny sites. Yes it is possible
  • the site is hosted in a large datacenter that also hosts the porny sites. It has erroneously be connected to a reverse proxy that is configured with a certificate for the porny-spammy sites. It is possible too

If a site presents a correct certificate obtained from a reputable source (for example one that is trusted by Firefox or Chrome) then you can trust that you are reaching the expected site, but it cannot be an evidence that the site itself was not compromised

If a site presents an expired certificate, or a certificate not valid for that URL or a certificate from a source that Firefox does not trust, it just means that the administrator was uncautious or just did not care. Firefox warns you that it cannot certify that the name has reached the expected server, full stop. It has nothing to do with the site being compromised. It is easy for attackers that want to redirect traffic to change one letter in the URL and that way be able to present a valid certificate...

Serge Ballesta
  • 25,952
  • 4
  • 42
  • 84