CenturyLink's hamfisted security ignoring domain aliases in SSL cert Alternate Names

Operating System & Version
CloudLinux 6.10
cPanel & WHM Version
94.0.5

Kenric Ashe

Member
May 6, 2016
12
1
53
Portland, OR
cPanel Access Level
Reseller Owner
Gather around all for the tragic story of quadruplespace.com and its shorter alias, quadspace.tv!

A client informed me that CenturyLink is giving him a warning that my site "appears to be risky":
[Screenshot: CenturyLink warning, 2021-04-26 at 12.08.51 PM]
When you click "Continue anyway" and if you're using Safari on a Mac, then you get this second even more idiotic warning from Safari, freaking out our potential customers by suggesting we may be trying to "steal your personal or financial information":

[Screenshot: Safari "steal your personal or financial information" warning, 2021-04-25 at 12.40.18 PM]

Apparently the content of CenturyLink's warning is loaded from mcafee.com, and thus Safari is confused because the SSL cert for *.dock.shp.mcafee.com "does not match input" which is our quadspace.tv. Well duh! Of course that's not going to match! Way to go McAfee!

[Screenshot: McAfee SSL certificate shown for the CenturyLink warning, 2021-04-26 at 1.38.39 PM]

CenturyLink has no problem with quadruplespace.com, only the alias quadspace.tv.

So my guess is that they are ignoring the Alternate Names section of my cPanel SSL cert which has the single Common Name of www.quadruplespace.com.

I assume the solution is to delete the alias and recreate quadspace.tv as its own separate account.

Unless anyone has an easier solution, my main purpose with this post is to share what I discovered, because amazingly I found no prior report of this and surely this must be of interest to anyone else with domain aliases? CenturyLink users are a fairly large demographic so this should be on everyone's radar, right?
 
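Added example, not part of the original post and not cPanel's or McAfee's code: a hostname check in the style of RFC 6125, showing that an alias listed in the Alternate Names is covered by the site certificate while the `*.dock.shp.mcafee.com` certificate can never match `quadspace.tv`. The SAN lists are constructed from what the post describes and are assumptions, not dumps of the real certificates.

```python
# Added example: RFC 6125-style hostname check against a certificate's names.
# The SAN lists below are constructed from what the thread describes; they are
# assumptions, not copies of the real certificates.

def label_match(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a hostname (case-insensitive)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard covers exactly one label
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard, and it must not
        # sit directly on a one-label suffix such as "*.tv".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(host, common_name, san_dns):
    """Return the certificate name that covers host, or None.

    When dNSName SAN entries are present, clients check those and ignore
    the Common Name; the CN is only a legacy fallback."""
    candidates = san_dns if san_dns else [common_name]
    for name in candidates:
        if label_match(name, host):
            return name
    return None

# Constructed: site cert as the post describes it (CN plus alias in the SANs).
SITE_CERT = {
    "common_name": "www.quadruplespace.com",
    "san_dns": ["www.quadruplespace.com", "quadruplespace.com",
                "quadspace.tv", "www.quadspace.tv"],
}
# Constructed: cert served with the warning page, per the Safari message.
WARNING_CERT = {"common_name": "*.dock.shp.mcafee.com",
                "san_dns": ["*.dock.shp.mcafee.com"]}

def report(host):
    """Which name in each certificate, if any, covers this host."""
    return {"site": cert_covers(host, **SITE_CERT),
            "warning_page": cert_covers(host, **WARNING_CERT)}

if __name__ == "__main__":
    for h in ("quadspace.tv", "www.quadruplespace.com"):
        print(h, report(h))
```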

Kenric Ashe

Haha it is almost never worth reaching out to a major telecom. :) Nevertheless, I did have a chat with them. They said they were not able to replicate the issue and to have my client contact them. He did, and here are the last three lines of the transcript to demonstrate how that went:

Gail F (4/27/2021, 11:13:31 AM): your line with us is safe you have mcAfee security but the website you created not sure how to handle that, did you check it with your business associate who made that?
[My Client] (4/27/2021, 11:14:02 AM): It's legit, so why am I getting this message?
Gail F (4/27/2021, 11:15:26 AM): that's also i'm wondering because what we handle is your line status, so far no issue but automatically your security will do it's job if there is any problem.

Not only did Gail have terrible grammar, but more importantly had zero comprehension of what her own company's anti-phishing tech is doing.

So, I am forced to delete the quadspace.tv alias and recreate as its own separate account?

And it would seem that every cPanel user needs to know about this? You know how end users are. They see a warning like that and they simply don't visit the site and they do not report it. And surely this isn't affecting just my site, but any cPanel user with one or more aliases and end users who are CenturyLink customers, which is a lot!
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
5,447
697
313
cPanel Access Level
Root Administrator
Well, I guess I'm more interested in "where" the CenturyLink stuff is being implemented. It's definitely not server-side, so if it's something in the user's browser, there isn't much we can do about that except posts like this to raise awareness.
 

Kenric Ashe

Since the content of CenturyLink's warning is loaded from mcafee.com, that seems like it's being injected via their router or network.

That I am the only one who's reported this so far doesn't mean it's not a widespread problem that simply isn't being reported by end users. In my opinion this is huge enough that, unless someone high up the chain of command within CenturyLink can be contacted directly to change their hamfisted anti-phishing tech, aliases are effectively now obsolete! There should be a thorough investigation and if what I'm saying is confirmed, an announcement about it to all cPanel users.

Meanwhile, any other solution for me other than deleting the alias and recreating as its own separate account?
 

Kenric Ashe

Update!

CenturyLink's documentation was misleading. It's not in the modem itself. It is merely McAfee software that is bundled with CenturyLink accounts.

And I found what I hope will be the solution here:

Net Guard blocks access to specific websites if ratings are not trustworthy

Somehow quadspace.tv got marked in McAfee's database as a "Malicious Site".

I have submitted the request for reclassification. Fingers crossed!

Still the question remains whether quadspace.tv being an alias and thus only an Alternate domain in the SSL cert might be what triggered the false classification as malicious. I am waiting for a reply from [email protected] about that. Will update here again if they reply!
 