Looking at recent hacks, I had a quick look at the SSL certificate from verified.cm, and who on earth is signing the certificate below? Oh yes… it is GlobalSign, for sure… If we needed another argument for why Certificate Authorities are broken, here it is… but then again, we have known this for so long and they still exist…
So the SSL certificate for verified.cm has been issued to ssl2968.cloudflare.com. Cloudflare is, of course, a well-known cloud-based web firewall that fronts many legitimate sites and many shady ones.
This certificate has the following 40 (in words: FORTY!) Alternative Names. Oh, and don’t worry, it is also valid for 4 more years (until Jan 15, 2018). What could possibly go wrong with this?
Did I mention that the domain it was issued to (ssl2968.cloudflare.com) doesn’t even resolve?
Here are the forty Alternative Names:
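To make the complaint above checkable rather than anecdotal, here is an added Go example (not code from the original post, and not anything Cloudflare or GlobalSign publish) that audits a parsed leaf certificate for exactly the properties described: a long SAN list, SANs spanning many unrelated domains, a multi-year validity, and a subject CN under the provider's own domain that plays no part in matching the site's hostname. Since the real certificate is not reproduced here, the program builds a self-signed stand-in with constructed names (`ssl0000.cdn.example`, `siteN.example`, `verified.example`); the thresholds `maxSANs` and `maxValidityDays` are assumptions chosen for the example, not policy from the post or from any CA baseline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Audit thresholds: assumptions for this example, not values from the post.
const (
	maxSANs         = 20      // more DNS SANs than this is flagged
	maxValidityDays = 3 * 365 // a leaf valid for longer than ~3 years is flagged
)

// Finding is one observation produced by AuditCert.
type Finding struct {
	Code   string
	Detail string
}

// registrableDomain is a naive "last two labels" approximation used only to
// count how many separate sites share one certificate. It ignores the public
// suffix list, so co.uk-style names would be merged together.
func registrableDomain(name string) string {
	labels := strings.Split(strings.TrimPrefix(name, "*."), ".")
	if len(labels) < 2 {
		return name
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// AuditCert inspects a parsed leaf certificate for the properties the post
// complains about: many SANs, SANs belonging to unrelated domains, and a
// validity period that still has years to run as of "now".
func AuditCert(cert *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	if n := len(cert.DNSNames); n > maxSANs {
		out = append(out, Finding{"MANY_SANS", fmt.Sprintf("%d DNS SANs, limit %d", n, maxSANs)})
	}
	owners := map[string]struct{}{}
	for _, n := range cert.DNSNames {
		owners[registrableDomain(n)] = struct{}{}
	}
	if len(owners) > 1 {
		out = append(out, Finding{"SHARED_CERT", fmt.Sprintf("SANs cover %d distinct domains", len(owners))})
	}
	if left := cert.NotAfter.Sub(now); left > time.Duration(maxValidityDays)*24*time.Hour {
		out = append(out, Finding{"LONG_VALIDITY",
			fmt.Sprintf("expires %s (%.0f days away)", cert.NotAfter.Format("2006-01-02"), left.Hours()/24)})
	}
	return out
}

// MatchedOnlyViaSAN reports whether host is accepted by Go's hostname
// verification while the subject CN names something else, i.e. the
// "certificate for verified.cm issued to ssl2968.cloudflare.com" situation.
func MatchedOnlyViaSAN(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil && cert.Subject.CommonName != host
}

// MakeSharedCert builds a self-signed stand-in for a CDN-style shared cert:
// a CN under the provider's domain, 40 DNS SANs across 20 unrelated domains,
// and a four-year validity. Every name here is constructed for the example.
func MakeSharedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var sans []string
	for i := 1; i <= 19; i++ {
		d := fmt.Sprintf("site%d.example", i)
		sans = append(sans, d, "*."+d)
	}
	sans = append(sans, "verified.example", "*.verified.example")
	notBefore := time.Date(2014, 1, 15, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2968),
		Subject:      pkix.Name{CommonName: "ssl0000.cdn.example"}, // provider name, absent from SANs
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(4, 0, 0),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeSharedCert()
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject CN: %s, %d SANs\n", cert.Subject.CommonName, len(cert.DNSNames))
	for _, f := range AuditCert(cert, cert.NotBefore) {
		fmt.Printf("%-14s %s\n", f.Code, f.Detail)
	}
	fmt.Println("www.verified.example matched only via SAN:", MatchedOnlyViaSAN(cert, "www.verified.example"))
}
```

To run the same checks against a certificate actually served by a site, replace `MakeSharedCert` with the leaf from a `crypto/tls` connection's `ConnectionState().PeerCertificates[0]` and pass `time.Now()` as the audit time. The one thing this cannot do offline is the post's last observation (that the CN does not resolve); that needs a DNS lookup of `cert.Subject.CommonName`, which is deliberately left out so the example runs without network access.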
One thought on “Wow what a certificate (verified.cm) – CA’s completely broken”
For information on CloudFlare certs issued by GlobalSign, check out this page:
We just scanned port 443 on 400,000 domains that use CloudFlare’s name servers, and collected the Subject Alt Names on all the certs that came back. That gave us about 22,200 Alt Names (not counting the subdomain wildcard listings, which would double that number) on 1,818 certificates. Their Alt Names bookkeeping is a little sloppy (there is old data in many of them), but these are valid certs from GlobalSign. It’s their way of making money off of the cloud-computing fad. Whether it’s the right thing for a certificate authority to do is another question. (Incapsula also uses GlobalSign to do the same thing.)
Having said that, at least GlobalSign did the right thing when I complained to them that CloudFlare was supporting the Target heist by providing services to four sites that are marketing the stolen credit card data. GlobalSign pulled the certs on those four sites. CloudFlare, meanwhile, is still doing it via http, even though the https doesn’t work. For that story, see http://www.cloudflare-watch.com/target.html