Is there a security reason not to use a wildcard cert other than manageability and exploitation if used on multiple servers?

security ssl https
8,543

Solution 1

The only other 'gotcha' that I'm aware of is that Extended Validation certificates cannot be issued with a wildcard, so it's not an option if you're going for an EV certificate.

In terms of the security, you've hit the nail on the head - a single private key protects all domains that are under the wildcard. So, for instance, if you had a multi-domain SAN cert that covered www.example.com and something.example.com get compromised, only those two domains are at risk for attack with the compromised key.

However, if that same system were instead running a *.example.com cert to handle SSL traffic for www and something subdomains and were compromised, then everything covered by that wildcard is potentially at risk, even services not hosted directly on that server - say, webmail.example.com.

Solution 2

Security: If one server or sub-domain is compromised, all sub-domains may be compromised.

If you are using a single web server for your hundreds of virtual hosts then all the private keys would need to be readable by that web server process. If a person can compromise the system to a point were they can read one key/certificate, then they probably already have compromised the system to a point where they can grab all the private keys/certs used by that web server.

The keys are generally stored on the filesystem with privileges that will only permit root to access them. So if your system is rooted, then you probably have lost everything. Doesn't really matter if you have a single cert or many.

Management: If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.

If you are using a wildcard for *.example.org then you only need to replace a single certificate. If you have a cert for one.example.org, two.example.org, and three.example.org, then you have to replace 3 certificates. So the wildcard certificate is less work. So yes, that cert would be revoked and replaced, but since you only have to replace one instead of hundreds, it should be very easy.

Compatibility: Wildcard certificates may not work seamlessly with older server-client configurations.

Those system almost certainly need to be updated. They are almost certainly have many other vulnerabilities.

Share:
8,543

Related videos on Youtube

Gray Race
Author by

Gray Race

Updated on September 18, 2022

Comments

  • Gray Race
    Gray Race over 1 year

    I have a security advisor that is telling me that we can't use wildcard SSL certs for security reasons. To be clear I much prefer using single certs or multi-domain certs (SAN). However we have a need for the server (plesk) to server 100s of subdomains.

    Based on my research the main reason people site for not using wildcard is the following which appears to come from verisign:

    • Security: If one server or sub-domain is compromised, all sub-domains may be compromised.
    • Management: If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.
    • Compatibility: Wildcard certificates may not work seamlessly with
      older server-client configurations.
    • Protection: VeriSign Wildcard SSL Certificates are not protected by NetSure extended warranty.

    Since the private key, cert, and subdomain will all exist on the same server... replacement would be as simple as replacing this one cert and effect the same amount of users. Therefore is there another reason not to use a wildcard cert?

    • Univ426
      Univ426 almost 12 years
      The line is always grey, but more for your benefit, this might fit really well over on the IT Security SE. Those guys will have some great information too. Just a thought.
    • Skaperen
      Skaperen almost 12 years
      Can multiple subdomains (hosts in the same domain) share the same IP address when under a wildcard domain? I've never checked that before, but if they can, that would seem to be a justification to use a wildcard cert, to avoid having to use so many IP addresses. Otherwise I see it as saving certificate costs in exchange for disk of exposure (higher if spread over many machines).
    • Zoredache
      Zoredache almost 12 years
      @Skaperen, yes, with a wildcard certificate, you can host lots of different sites on a single IP.
    • Stefan Lasiewski
      Stefan Lasiewski almost 12 years
      Remember that the IP address does not appear in the SSL certificate.
    • Gray Race
      Gray Race almost 12 years
      The security advisor has relented when I presented my case and he couldn't come up with a good reason to not since we've isolated this down to a single server/service.
    • Robin Day
      Robin Day over 9 years
      The fact the wildcard is only used on one server/service does NOT mitigate the risk. If that server is compromised then any service or server running under that entire domain is then at risk, even if they have their own certificate. As soon your hacker has a private key for a certificate for *.yourdomain.com then they can man in the middle any server hosted on *.yourdomain.com.
  • David Sanders
    David Sanders over 8 years
    Isn't it true that some CA's offer a way to create many certificates for the same wildcard cert? In other words, they allow many different private/public key pairs for one domain's wildcard cert such that one private key being compromised does not cause any issues for the others.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Why do I get browser warnings on my new lets encrypt ssl setup?
Does renewing SSL certificate require re-issuing the cert?
SSL session persistence and secure cookies
How to compare SSL certificates using AFNetworking
Does HTTPS/SSL make sense on a local network?
Is there an HTTPS Everywhere add on for Chrome, MSIE or safari?
How much information can my ISP see?
Why do some websites show the company name next to the URL?
Restart webserver without entering a password?
Wildcard SSL behaves inconsistently across browsers / OS's / computers