Fastly is a CDN which sometimes uses SAN to support multiple customers on a single certificate.
Look at the cert for https://www.pool.ntp.org/: the Subject CN is "CN = a.ssl.fastly.net", and the "Certificate Subject Alt Name" block is full of stuff for many different customers.
It's a bit sloppy, and maybe even unprofessional, to leak customer information like that. I'm guessing that Fastly is a little imprecise in making sure all edge nodes have the right certificates.
$ dig www.pool.ntp.org +short
www-lb.ntppool.org.
www-lb-fastly.ntppool.org.
a.prod.fastly.net.
151.101.52.129
Also, "valid SSL" is vague, especially with additional standards like HSTS, key & cert pinning, and so on. Vanilla TLS 1.2 is pretty simple compared to where this rapidly evolving space is at today.
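An added example (not the commenter's code) of the check behind this comment: parse a pasted "DNS Name:" SAN dump, apply RFC 6125 wildcard rules, and report which entries actually cover a given hostname. The SAN_DUMP below is a constructed excerpt in the same format as the dump above; a live fetcher is included for the real cert but is not exercised offline.

```python
import re

# Constructed sample in the "DNS Name: ..." format pasted in the comment above.
SAN_DUMP = """DNS Name: a.ssl.fastly.net
DNS Name: *.a.ssl.fastly.net
DNS Name: *.global.ssl.fastly.net
DNS Name: pypi.python.org
DNS Name: fastly.com
"""

def parse_san_dump(text):
    """Extract dNSName entries from pasted 'DNS Name: ...' lines, lower-cased."""
    return [m.group(1).lower() for m in re.finditer(r"DNS Name:\s*(\S+)", text)]

def san_matches(pattern, hostname):
    """RFC 6125 style matching: '*' is allowed only as the entire left-most label,
    it matches exactly one non-empty label, and '*.tld' patterns are rejected."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False  # partial ('f*.example') or non-leftmost wildcards are not honoured
    if len(plabels) < 3 or len(hlabels) != len(plabels):
        return False  # no '*.com', and the wildcard never spans several labels
    return hlabels[0] != "" and hlabels[1:] == plabels[1:]

def names_covering(hostname, sans):
    """SAN entries that would make this certificate valid for hostname (empty = mismatch)."""
    return [s for s in sans if san_matches(s, hostname)]

def live_sans(host, port=443):
    """Fetch the served certificate's dNSName SANs. Needs network, so not run offline.
    Hostname checking is disabled on purpose so a mismatched cert can still be inspected;
    chain validation (CERT_REQUIRED) stays on."""
    import socket, ssl
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    sans = parse_san_dump(SAN_DUMP)
    for name in ("www.pool.ntp.org", "pypi.python.org", "x.a.ssl.fastly.net"):
        print(name, "->", names_covering(name, sans) or "NOT COVERED")
```

The same names_covering() call over live_sans("www.pool.ntp.org") is the quickest way to confirm whether the edge node served a certificate that covers the name you asked for.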
Re: ntp.org with no valid SSL
Date: 2017-04-29 05:31 pm (UTC)