> After publishing this piece, multiple BleepingComputer readers have pointed out an anomaly with the TLS certificate issued for the 'search.app' domain.
> To add confusion, search.app's certificate has the Common Name (CN) set to fallacni.com, a French language website that claims to help you "find your national identity card."
> BleepingComputer further noticed that the same SSL certificate is in use by more than a hundred domains, shown below, which are hosted on the same Firebase server (IP address 199.36.158.100)
Is this typical for how Firebase (and similar offerings) work? Is there any risk of one site on a shared Firebase server being able to MITM users that are collocated on the same IP and using the same certificate, or is having a separate domain enough to mitigate this? I'd never considered the idea of entirely unrelated (and separately owned) domains sharing an identical TLS certificate before, and I'm not enough a crypto/security person to be able to immediately think through the ramifications of this.
All of the domains are pointing to the same hosted services run by Firebase, meaning only Firebase themselves has the private key, so the customers whose domains use the certificate shouldn’t be able to MITM anything.
Cloudflare used to do (or maybe still does?) this with their free certificates as well.
> After publishing this piece, multiple BleepingComputer readers have pointed out an anomaly with the TLS certificate issued for the 'search.app' domain.
> To add confusion, search.app's certificate has the Common Name (CN) set to fallacni.com, a French language website that claims to help you "find your national identity card."
> BleepingComputer further noticed that the same SSL certificate is in use by more than a hundred domains, shown below, which are hosted on the same Firebase server (IP address 199.36.158.100)
Is this typical for how Firebase (and similar offerings) work? Is there any risk of one site on a shared Firebase server being able to MITM users that are collocated on the same IP and using the same certificate, or is having a separate domain enough to mitigate this? I'd never considered the idea of entirely unrelated (and separately owned) domains sharing an identical TLS certificate before, and I'm not enough a crypto/security person to be able to immediately think through the ramifications of this.