When I visit https://1.1.1.1, any web browser I use considers the URL to be secure.
This is what Google Chrome shows:
Normally, when I try to visit an HTTPS site via its IP address, I get a security warning like this:
From my understanding, the site certificate needs to match the domain, but the Google Chrome Certificate Viewer does not show 1.1.1.1:
GoDaddy's knowledgebase article "Can I request a certificate for an intranet name or IP address?" says:
No - we no longer accept certificate requests for either intranet names or IP addresses. This is an industry-wide standard, not one specific to GoDaddy.
(emphasis mine)
And also:
As a result, effective October 1, 2016, Certification Authorities (CAs) must revoke SSL certificates that use intranet names or IP addresses.
(emphasis mine)
And:
Instead of securing IP addresses and intranet names, you should reconfigure servers to use Fully Qualified Domain Names (FQDNs), such as www.coolexample.com.
(emphasis mine)
It's well after the mandatory revocation date 01 October 2016, yet the certificate for 1.1.1.1 was issued on 29 March 2018 (shown in the screenshot above).
How is it possible that all the major browsers think that https://1.1.1.1 is a trusted HTTPS website?
192.168.0.2 doesn't exist outside of your intranet. If you created your own self-signed certificate 192.168.0.2 would be trusted, and you could use the same approach for the SAN, on a domain like fake.domain. Worth pointing out that 1.1.1.1 isn't a reserved IP address, so it appears, any CA would have issued the certificate.
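
Added example (not part of the original question or comment): a Python sketch of how an IP literal in a URL is checked against the `IP Address` entries of a certificate's subjectAltName, and how 1.1.1.1 and 192.168.0.2 differ in scope. The certificate dictionary is a constructed sample in the shape returned by `ssl.SSLSocket.getpeercert()`; `san_matches` and `address_scope` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the SAN values are illustrative, not copied from any real certificate.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "dns.example.com"),
        ("DNS", "*.dns.example.com"),
        ("IP Address", "1.1.1.1"),
        ("IP Address", "2001:db8:0:0:0:0:0:1"),
    ),
}


def _dns_match(pattern, host):
    """Match a DNS SAN; a wildcard may only replace the whole left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_matches(cert, host):
    """Return True if `host` (DNS name or IP literal) is covered by the SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against DNS entries only.
        return any(t == "DNS" and _dns_match(v, host) for t, v in sans)
    # IP literals are compared as addresses against IP Address entries only,
    # so differently written forms of the same IPv6 address still match.
    return any(t == "IP Address" and ipaddress.ip_address(v) == wanted
               for t, v in sans)


def address_scope(host):
    """Separate publicly routable addresses from private/reserved ones."""
    ip = ipaddress.ip_address(host)
    return "public" if ip.is_global else "private/reserved"


if __name__ == "__main__":
    for h in ("1.1.1.1", "2001:db8::1", "192.168.0.2", "a.dns.example.com"):
        print(h, san_matches(SAMPLE_CERT, h))
    print(address_scope("1.1.1.1"), address_scope("192.168.0.2"))
```

A certificate that lists an address only as a `DNS` entry does not match the IP literal, which is why the entry type matters as much as the value.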