Sponsored by:

Should you care about the quality of your neighbours on a SAN certificate?

We've all had bad neighbours before. Perhaps they were noisy, maybe the kids ran riot or they could have been just continually snaring all the visitor parking spots in your apartment building (bastards). But last week, someone popped up with another bad neighbour story which was quite different to usual...

Fellow MVP Paul Cunningham runs a blog over at paulcunningham.me and for the most part, it looks like any other ordinary blog:


Now being a forward-thinking bloke, Paul has elected to serve his blog over HTTPS and as I've advocated for many times in the past, he chose to go with Cloudflare to do it. It would have been a 5-minute job for Paul; create the site on Cloudflare, update his name servers, job done. And then Paul looked at the certificate on this site.

Now I'm always pretty open and direct about these things and since we're all adults here (probably), I'm just going to give it to you as it is. Here's what Paul saw when he looked at the cert:

SAN entries for Paul's certificate

I'm going to avoid listing all the sites in that list here as frankly, I have no idea what it would do to my SEO, but if you're genuinely curious I've dropped them into a Gist. These are "Subject Alternate Names" on what we know as a SAN certificate. The value proposition of a SAN cert is that you can fit multiple different names on the one certificate which gives you some economies of scale in terms of creating, purchasing and loading them. For a service like Cloudflare that offers SSL for free, this makes sense for them as they can combine up to 50 different host names on the one cert. Problem is, you never know who you're going to end up next to. In my case, I've got reasonable company on this blog, at least compared to Paul:

Other sites I own on the same SAN

Cloudflare kindly keeps multiple different sites under the same account together on the same cert so each of the ones I've highlighted here are all mine. There are many others that aren't, but I don't have quite the same, uh, "bedfellows" as what Paul does. (Incidentally, this can also serve as an oracle for identifying other assets potentially owned by the same Cloudflare account holder.)

Getting back to Paul, does it really matter? Yes, his neighbours are porn sites and I get that may not be a real professional look, but does it actually have any tangible impact on him? The certs are managed by Cloudflare so there should be no vector available for one of those sites to hijack your traffic, so what's the problem?

The closest I could get to a viable answer was "perception". People might look at Paul's site (or at least his cert) and pass some sort of moral judgement due to the other alternate names on the certificate. But frankly, if you're drilling down into the cert and looking at SAN entries, you've probably got a bit of an idea about what you're doing and would know that the other names are of no real consequence. Besides, if association with other sites is the measure by which a domain name is judged, you could easily do a reverse lookup and find all sorts of other sites sharing actual hosting space (or least sharing the IP address), which is arguably a closer association then the mere presence of a name on a SAN cert.

Be that all as it may, Paul (or others with a SAN containing some undesirable neighbours), can always just buy their way out of the whole conundrum by paying Cloudflare a monthly fee:

Dedicated SSL certificate

Paul ultimately elected to fall back to serving traffic directly from his "naked" site (no Cloudflare in front of it), but I honestly don't think this is too much of an issue either way. I just found it an interesting - if not amusing - example of how you can be inadvertently associated with sites of a very different nature to your own.

CloudFlare Security