Does using a certificate for the wrong domain affect connection security?


#1

Let’s say I have an SSL certificate that is installed on the server for the domain example.com. The server is set up to use the same certificate for the subdomain sub.example.com; however, the certificate doesn’t cover any subdomains, as it has been purchased only for example.com. Now obviously, when I go to sub.example.com, the browser will first complain about the wrong certificate but will allow me to “continue anyway”. When I choose to continue anyway and access sub.example.com via SSL this way, is my connection still secure? If it is less secure than with a valid certificate, how much less secure is it, and what aspects of security are compromised?

One of the use cases is for admin panels, etc. which are used only by a couple of developers so it’s not really a problem if each of them adds a security exception to their browser - but is the transmission still secure?


#2

Why bother when SSL certs are so cheap (or even free if you use Let’s Encrypt) nowadays?

Anyway, yes the connection will still be encrypted, but the browser won’t show the green lock. Obviously.


#3

There are situations where another cert is not an option. But this is irrelevant to this topic.

The main question is will the security be compromised in any way if there is no green lock or will it be equivalent?


#4

Yes, it will be equivalent.


#5

Mostly. You get encryption but not the guarantee that you are viewing the correct website. Someone could override your network’s DNS server and point sub.example.com to any server, and the user would never know.

Really you should get a wildcard certificate.


#6

Good point, thanks!


#7

As you mentioned above, you have already issued a certificate for a single domain (example.com) and installed it on your server. So it can secure only your main website and its root-domain web pages.

For example –

* example.com
* example.com/any-web-pages

To secure your subdomains, you need to have a wildcard certificate, and the certificate will be issued for *.example.com. It will secure your example.com and all its subdomains.

For example –

* example.com
* sub1.example.com
* sub2.example.com
* sub999.example.com

Going with “continue anyway” is not the right option for ignoring the error, because it’s just a browser setting and only you will be able to access your website in that particular browser. But what about end-users? They will get a warning message while browsing your site.

Actually, your subdomains are not fully secured, so hackers can interrupt your communications across subdomains.

I agree with @TomB that you should have a wildcard certificate to fulfil your requirements. Here is a good article to learn more about wildcard certificates: https://www.digifloor.com/cheap-wildcard-ssl-certificate-provider-02
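The check that the “continue anyway” click in the question bypasses, as an added example that is not from any poster in this thread: a Python implementation of hostname-to-certificate matching with the wildcard rules browsers apply (RFC 6125 section 6.4.3 as tightened by browsers: the wildcard must be the whole left-most label and matches exactly one label), plus a small simulation of what the user ends up with in each scenario from #5 and #7. All certificate names and hostnames are constructed for illustration. One caveat to #7 worth knowing: a bare `*.example.com` entry does not cover the apex `example.com` under these rules; commercial wildcard certificates cover the apex only because the CA also lists `example.com` as a second SAN, which the example models.

```python
"""Hostname-vs-certificate matching, the check a browser performs before it shows
the padlock and the one that "continue anyway" suppresses.

Rules implemented (RFC 6125 section 6.4.3 as tightened by browsers):
  * matching is case-insensitive and ignores a trailing dot;
  * a wildcard must be the entire left-most label ("*.example.com"), never
    partial ("sub*.example.com") and never too broad ("*.com");
  * the wildcard matches exactly one label, so "*.example.com" covers
    "sub.example.com" but neither "example.com" nor "a.b.example.com".
All certificate names and hostnames below are constructed for illustration.
"""


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def dns_name_matches(host: str, pattern: str) -> bool:
    """True if a single SAN dNSName entry `pattern` covers `host`."""
    host, pattern = _normalize(host), _normalize(pattern)
    if "*" not in pattern:
        return host == pattern
    pat_labels = pattern.split(".")
    host_labels = host.split(".")
    # wildcard only as the whole left-most label, with at least two labels after it
    if pat_labels[0] != "*" or len(pat_labels) < 3 or any("*" in lab for lab in pat_labels[1:]):
        return False
    # exactly one label is substituted for "*": never zero, never several
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def hostname_matches_san(hostname: str, san_dns_names) -> bool:
    """True if the certificate's dNSName SAN list covers `hostname`."""
    return any(dns_name_matches(hostname, name) for name in san_dns_names)


def simulate_visit(hostname: str, san_dns_names, click_through: bool) -> dict:
    """What the user ends up with when visiting `hostname` while the server
    presents a certificate whose SAN list is `san_dns_names`."""
    if hostname_matches_san(hostname, san_dns_names):
        return {"connected": True, "encrypted": True, "peer_verified": True}
    if not click_through:
        return {"connected": False, "encrypted": False, "peer_verified": False}
    # "continue anyway": the TLS handshake completes and traffic is encrypted,
    # but nothing ties the key on the other end to the name in the URL bar
    return {"connected": True, "encrypted": True, "peer_verified": False}


if __name__ == "__main__":
    apex_only = ["example.com"]                   # the single-domain cert from the question
    wildcard = ["*.example.com", "example.com"]   # typical CA-issued wildcard: apex as a 2nd SAN
    attacker = ["evil.test"]                      # cert presented after DNS is hijacked (#5)

    for host, san in [
        ("example.com", apex_only),
        ("sub.example.com", apex_only),
        ("sub.example.com", wildcard),
        ("a.b.example.com", wildcard),
        ("sub.example.com", attacker),
    ]:
        print(f"{host:18s} SAN={san!s:36s} -> {simulate_visit(host, san, click_through=True)}")
```

The last scenario is the point of #5: after DNS is hijacked, the attacker’s certificate fails exactly the same check as the mis-scoped example.com certificate does, so the warning the developers have trained themselves to click through is indistinguishable from the one that signals an attack. The session is still encrypted, but possibly to the wrong party.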


#8

Let’s Encrypt offer wildcard SSL certificates for free