In some cases, IPs that are not part of a scorecard's digital footprint appear under the Observations column of certain issue findings. This is expected behavior and is explained below.
Affected issue types
This behavior occurs with the following SSL/TLS certificate-related findings:
- Certificate is expired
- Certificate is revoked
- Certificate is self-signed
- Certificate lifetime is longer than best practices
- Certificate signed with weak algorithm
- Certificate without revocation control
- SSL/TLS service supports weak protocol
Why this happens
When SecurityScorecard detects an issue, it records the DNS records observed at the time of measurement. In some cases, we detect SNI (Server Name Indication) against a hostname. When this happens, the associated IP, resolved through DNS at that time, also appears in the Observations column.
Because findings take a long time to decay, this data can become outdated. Even if an IP is later removed from the scorecard or is no longer attributed to the digital footprint, it continues to appear in the Observations column until the finding decays.
What you can do
If you see an IP in the Observations column that is no longer part of the digital footprint, this does not necessarily indicate an active issue with that IP. The DNS resolution may have changed since the finding was first recorded.
For example, if 192.0.2.1 was associated with a hostname at the time a certificate issue was detected, that IP appears in the Observations column even if it has since been removed from the scorecard.
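One way to check whether an IP in the Observations column still matches today's DNS is sketched below. It is an added example, not SecurityScorecard code; the hostname, the footprint range and the function names are assumptions made for illustration.

```python
import ipaddress
import socket


def resolve(hostname):
    """Return the hostname's current A/AAAA addresses (empty set if none)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def triage(hostname, observed_ip, footprint, resolver=resolve):
    """Classify one Observations entry against today's DNS and footprint.

    footprint: iterable of IPs/CIDRs currently attributed to the scorecard.
    resolver:  injectable so the check can be tested without network access.
    """
    observed = ipaddress.ip_address(observed_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in footprint]
    in_footprint = any(observed in net for net in nets)
    current = {ipaddress.ip_address(a) for a in resolver(hostname)}

    if not current:
        status = "hostname-unresolved"   # record removed since measurement
    elif observed in current:
        status = "dns-unchanged"         # finding still maps to this IP
    else:
        status = "dns-changed"           # IP is historical; check current hosts
    return {
        "status": status,
        "observed_in_footprint": in_footprint,
        "current_ips": sorted(str(a) for a in current),
    }


if __name__ == "__main__":
    # Constructed sample: hostname and footprint range are placeholders.
    fake_dns = {"www.example.com": {"198.51.100.7"}}
    print(triage("www.example.com", "192.0.2.1", ["198.51.100.0/24"],
                 resolver=lambda h: fake_dns.get(h, set())))
```

A `dns-changed` result means the certificate to inspect is the one served at the addresses in `current_ips`, not at the observed IP.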