This morning when I tried to shop some products on Amazon.in I received the following SSL error:-
Your connection is not private
Attackers might be trying to steal your information from amazon.in (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
So, I took a look at the certificate and found it to be for the domain *.cy.peg.a2z.com instead of amazon.in.
Taking a look at the certificate chain, it seems that this certificate was issued by Amazon.
The domain a2z.com is also owned by Amazon Technologies, Inc.
Which is the same as the domain Amazon.in
So, everything looks okay here.
If I manually go to the Privacy Page of Amazon.in, it is serving the correct SSL certificates:-
With a much shorter certificate chain.
I also checked the domain on SSL Shopper to make sure that this isn’t something on my end.
If I ignore the certificate error, I am able to go to the https://amazon.in page which now serves the correct certificate. Most likely, this is a deployment error and not a hack. I wonder how Amazon is serving multiple certificates for the same domain.
Update: The error is with the host amazon.in. The www version of the domain is working fine. So, use www.amazon.in to be safe.