This morning, when I tried to shop for some products on Amazon.in, I received the following SSL error:-
Your connection is not private
Attackers might be trying to steal your information from amazon.in (for example, passwords, messages, or credit cards). Learn more
So, I took a look at the certificate and found it to be for the domain *.cy.peg.a2z.com instead of
Taking a look at the certificate chain, it seems that this certificate was issued by Amazon.
a2z.com is also owned by Amazon Technologies, Inc.
Which is the same as the domain
So, everything looks okay here.
If I manually go to the Privacy Page of Amazon.in, it is serving the correct SSL certificates:-
With a much shorter certificate chain.
I also checked the domain on SSL Shopper to make sure that this isn’t something on my end.
If I ignore the certificate error, I am able to go to the https://amazon.in page which now serves the correct certificate. Most likely, this is a deployment error and not a hack. I wonder how Amazon is serving multiple certificates for the same domain.
Update: The error is with the host amazon.in. The www version of the domain is working fine. So, use www.amazon.in to be safe.
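The name check the browser performed above can be reproduced offline. This is an added example, not part of the original post: it applies RFC 6125-style matching of a hostname against a certificate's dNSName entries. Only `*.cy.peg.a2z.com` comes from the post; the other SAN lists and the function names are constructed for illustration.

```python
# Added example: hostname-vs-certificate name matching (RFC 6125 style).
# SAN lists are constructed sample data except *.cy.peg.a2z.com (from the post).

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if a single dNSName entry covers hostname.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so *.example.com covers neither example.com nor
    a.b.example.com.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(san_list, hostname):
    """True if any dNSName entry in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in san_list)

def diagnose(hostname, san_list):
    """Classify a result: ok, apex/www sibling gap, or an unrelated certificate."""
    if cert_covers(san_list, hostname):
        return "ok"
    sibling = hostname[4:] if hostname.startswith("www.") else "www." + hostname
    if cert_covers(san_list, sibling):
        return "mismatch: certificate covers %s but not %s" % (sibling, hostname)
    return "mismatch: certificate names %s" % ", ".join(san_list)

# Certificate name seen in the post, checked against both hostnames.
MISSERVED = ["*.cy.peg.a2z.com"]
# Constructed: a certificate that lists only the www name.
WWW_ONLY = ["www.amazon.in"]

if __name__ == "__main__":
    for host in ("amazon.in", "www.amazon.in"):
        print(host, "->", diagnose(host, MISSERVED))
    print("amazon.in ->", diagnose("amazon.in", WWW_ONLY))
```

An unrelated name, as with `*.cy.peg.a2z.com`, points to the wrong certificate being bound to the endpoint, while a sibling gap points to a certificate that simply omits the apex name.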