1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[Warning] CPanel & Let's encrypt combination may leak your main domain

Discussion in 'Black Hat SEO' started by littlewebdragon, Apr 21, 2017.

  1. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP

    Joined:
    Dec 30, 2007
    Messages:
    1,707
    Likes Received:
    1,040
    Occupation:
    Occupation
    Location:
    Location
    This is a fair warning to everyone. I've done some test recently on my own websites and found out that based on the CPanel Addon domain you can now find out what is main domain hosted with that hosting account.

    This is very important & crucial information especially for all of the guys hosting PBN domains with https (now) on same hosting account.

    This is example of what I've got when I've added addondomain.com to one of my CPanel hosting accounts and then I've decided to put on https on both of them.

    I've added https on maindomain.com and that was good. All well. :)

    And today I've added addondomain.com on that very same hosting account, installed SSL, got all the green lights everything is funky now and I just wanted to check up on it with ssllabs.com and I was speechless.

    [​IMG]

    Personally I've always disliked that fact that main domain and addon domains are connected like:
    addondomain1.maindomain.com
    addondomain2.maindomain.com
    addondomain3.maindomain.com

    And now... I'm speechless. Just wanted to share this and give a heads up to all of you guys about this.

    This can not interlink all your domains. Just your 1 addon domain with Let's Encrypt to a main domain and not vice versa. But still... Leak is a leak.
     
    • Thanks Thanks x 2
  2. elavmunretea

    elavmunretea Elite Member

    Joined:
    May 14, 2016
    Messages:
    1,580
    Likes Received:
    2,124
    Home Page:
  3. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP

    Joined:
    Dec 30, 2007
    Messages:
    1,707
    Likes Received:
    1,040
    Occupation:
    Occupation
    Location:
    Location
    Nope that is not the same thing. That can reach out to anything that is hosted on that IP that is public information somewhat like you can do with bgp.he.net and similar. This what I've mentioned matches EXACT hosting account that is involved with that account, that means owner is 100% the same person. With reverse IP lookup you can get 200 sites by 200 different owners.

    In this case that I've mentioned it is 100% sure that guy who owns addondomain.com owns maindomain.com for sure as it is same CPanel hosting account.
     
  4. wowregister

    wowregister Junior Member

    Joined:
    Jan 15, 2010
    Messages:
    142
    Likes Received:
    17
    Location:
    Canada/US
    Thanks for the eyeopener!
     
  5. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP

    Joined:
    Dec 30, 2007
    Messages:
    1,707
    Likes Received:
    1,040
    Occupation:
    Occupation
    Location:
    Location
    You are welcome. I sometimes even to be safe from these types of leaks love using dummy domains for my main CPanel domain :D