请选择 进入手机版 | 继续访问电脑版

营销策划

    今日:0| 主题:44767
收藏本版 (15)
网络、PC端、移动端的营销、策划实战和资讯。

[其他] Should you care about the quality of your neighbours on a SAN certificate?

[复制链接]
ぁ詠遠∝僾妳 发表于 2016-10-11 05:14:23
222 4
We've all had bad neighbours before. Perhaps they were noisy, maybe the kids ran riot or they could have been just continually snaring all the visitor parking spots in your apartment building (bastards). But last week, someone popped up with another bad neighbour story which was quite different to usual...
  Fellow MVP Paul Cunningham runs a blog over at paulcunningham.me and for the most part, it looks like any other ordinary blog:
  

Should you care about the quality of your neighbours on a SAN certificate?

Should you care about the quality of your neighbours on a SAN certificate?-1-营销策划-neighbour,different,building,ordinary,another

  Now being a forward-thinking bloke, Paul has elected to serve his blog over HTTPS and as I've advocated for many times in the past , he chose to go with Cloudflare to do it. It would have been a 5-minute job for Paul; create the site on Cloudflare, update his name servers, job done. And then Paul looked at the certificate on this site.
Now I'm always pretty open and direct about these things and since we're all adults here (probably), I'm just going to give it to you as it is. Here's what Paul saw when he looked at the cert:
  

Should you care about the quality of your neighbours on a SAN certificate?

Should you care about the quality of your neighbours on a SAN certificate?-2-营销策划-neighbour,different,building,ordinary,another

  I'm going to avoid listing all the sites in that list here as frankly, I have no idea what it would do to my SEO, but if you're genuinely curious I've dropped them into a Gist . These are "Subject Alternate Names" on what we know as a SAN certificate. The value proposition of a SAN cert is that you can fit multiple different names on the one certificate which gives you some economies of scale in terms of creating, purchasing and loading them. For a service like Cloudflare that offers SSL for free, this makes sense for them as they can combine up to 50 different host names on the one cert. Problem is, you never know who you're going to end up next to. In my case, I've got reasonable company on this blog, at least compared to Paul:
  

Should you care about the quality of your neighbours on a SAN certificate?

Should you care about the quality of your neighbours on a SAN certificate?-3-营销策划-neighbour,different,building,ordinary,another

  Cloudflare kindly keeps multiple different sites under the same account together on the same cert so each of the ones I've highlighted here are all mine. There are many others that aren't, but I don't have quite the same, uh, "bedfellows" as what Paul does. (Incidentally, this can also serve as an oracle for identifying other assets potentially owned by the same Cloudflare account holder.)
Getting back to Paul, does it really matter? Yes, his neighbours are porn sites and I get that may not be a real professional look, but does it actually have any tangible impact on him? The certs are managed by Cloudflare so there should be no vector available for one of those sites to hijack your traffic, so what's the problem?
  The closest I could get to a viable answer was "perception". People might look at Paul's site (or at least his cert) and pass some sort of moral judgement due to the other alternate names on the certificate. But frankly, if you're drilling down into the cert and looking at SAN entries, you've probably got a bit of an idea about what you're doing and would know that the other names are of no real consequence. Besides, if association with other sites is the measure by which a domain name is judged, you could easily do a reverse lookup and find all sorts of other sites sharing actual hosting space (or least sharing the IP address), which is arguably a closer association then the mere presence of a name on a SAN cert.
Be that all as it may, Paul (or others with a SAN containing some undesirable neighbours), can always just buy their way out of the whole conundrum by paying Cloudflare a monthly fee:
  

Should you care about the quality of your neighbours on a SAN certificate?

Should you care about the quality of your neighbours on a SAN certificate?-4-营销策划-neighbour,different,building,ordinary,another

Paul ultimately elected to fall back to serving traffic directly from his "naked" site (no Cloudflare in front of it), but I honestly don't think this is too much of an issue either way. I just found it an interesting - if not amusing - example of how you can be inadvertently associated with sites of a very different nature to your own.
ivmhv 发表于 2016-10-20 13:03:56
我左青龙,右白虎,肩膀纹个米老鼠.
回复 支持 反对

使用道具 举报

蔡玲玉 发表于 2016-11-1 00:25:15
好贴,被吓尿了
回复 支持 反对

使用道具 举报

擎宇 发表于 2016-11-16 21:09:22
不回帖,臣妾做不到啊!
回复 支持 反对

使用道具 举报

326605926 发表于 2016-11-16 21:40:33
顶贴是一种美德!
回复 支持 反对

使用道具 举报

我要投稿

推荐阅读


回页顶回复上一篇下一篇回列表
手机版/c.CoLaBug.com ( 粤ICP备05003221号 | 粤公网安备 44010402000842号 )

© 2001-2017 Comsenz Inc.

返回顶部 返回列表