Very quick info about broken SSL certs you may not know (level: med)

Dec 10, 2023
9x Spreading Hacking Info in the new millennium —

Isn't that a sick logo? I dig it! Anyways, let's just talk about this screen we have all seen many times:

Most people see this almost every day and just click advanced / proceed.

I am guilty of it, we all are. But let's just look at what it means briefly.

First of all, if we look at the URL bar, we are hitting an IP address. In case you aren't aware of this, it's going to be pretty rare that any production server or company will have you hit an IP address. The reason is that, for instance, my web hosting provider Hostrocket has ONE IP for all 100 of my websites (yes, I have 100 sites). Since there are actually probably 10k sites hosted on the one IP, the server tells them apart through the request headers, specifically the Host header.

Quick example of why an IP address is rarely going to be a valid site.
The request you see in the picture above looks something like this:

GET /index.html HTTP/1.1
<snip rest of the headers>

So let's say you nslookup — —

host
has address <- Visiting this IP is unlikely to work
mail is handled by 10
mail is handled by 10

For the heck of it, I just did that; here is the curl output:
Notice this is the IP of NOT

curl -vkL ''
  -v  Verbose
  -k  Ignore bad / weird certs
  -L  Follow redirects

* Trying
* Connected to ( port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject:
O=Walmart Inc.;

* start date: Mar 2 18:32:20 2023 GMT
* expire date: Apr 2 18:32:19 2024 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign ECC OV SSL CA 2018
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.84.0
> Accept: */*
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad Request
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 209
< Expires: Sun, 10 Dec 2023 18:34:26 GMT
< Date: Sun, 10 Dec 2023 18:34:26 GMT
< Connection: close
<H1>Invalid URL</H1>
The requested URL "&#91;no&#32;URL&#93;", is invalid.<p>
* Closing connection 0

So that didn't work, and the fact it allowed HTTP/1.0 is kind of concerning.

I got curious just now and checked the same thing with, interestingly enough check this out:

Repeated DNS lookups on different DNS servers produced different IPs:

host
is an alias for
is an alias for
has address

(I ran this command 5 times to see if the IP changed and it did not, so I
tried using a different DNS server the 6th time for the same host)

host <- Forcing use of different DNS server
is an alias for
is an alias for
has address <- Different IP

host
is an alias for
is an alias for
has address

So we just got 3 different IPs for

Checking the rDNS:

domain name pointer
domain name pointer
domain name pointer

This is getting beyond the scope of what I was getting at, so let's tie it together. Hitting (one of ip)

Not surprising at all, because like I said, this IP probably hosts lots of pages.


Now it expands down with info:

Always click the error and find out why

So now we can see that the certificate is for in specific (not, and we can tell when it expires. The error was thrown because the IP we typed doesn't match the hostname the certificate was issued for.
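The check behind that error, as an added example that is not part of the original post: it compares what was typed in the URL bar with a certificate's subjectAltName entries, using a constructed certificate dict in the shape Python's ssl.SSLSocket.getpeercert() returns. The names and the address are placeholders, and the function names are made up for this example.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# The names and address are placeholders, not values from the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}

def dns_match(pattern, host):
    """Compare one dNSName SAN with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard; refuse a bare "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_target(cert, target):
    """Return (ok, reason) for what was typed in the URL bar."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only compared with iPAddress SANs, never DNS names.
        listed = [v for kind, v in sans if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in listed):
            return True, "address is listed as an IP SAN"
        names = ", ".join(v for kind, v in sans if kind == "DNS")
        return False, f"no IP SAN for {target}; certificate is for: {names}"
    for kind, value in sans:
        if kind == "DNS" and dns_match(value, target):
            return True, f"matched SAN {value}"
    return False, f"{target} is not covered by any DNS SAN"

if __name__ == "__main__":
    for t in ("203.0.113.10", "www.example.com", "example.com",
              "cart.shop.example.com", "a.cart.shop.example.com"):
        print(t, "->", check_target(SAMPLE_CERT, t))
```

The same function accepts the dict from a live, verified connection's getpeercert() call, so the reason string can be logged next to the browser warning.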

If you check out there are a bunch of tools to reverse lookup IPs to hostnames, and also

I know this wasn't amazing info but hey, it's interesting ;p





twenty years professionally as a Network Engineer, more recently I have focused on red teaming mostly, but I am always up for learning and exchanging info