Looking at recent hacks, I had a quick look at the SSL certificate from verified.cm, and who on earth is signing the certificate below? Oh yes… It is GlobalSign for sure… If we needed another argument for why Certificate Authorities are broken, here it is… but then again we have known this for so long and they still exist…
So the SSL certificate for verified.cm has been issued to ssl2968.cloudflare.com. Cloudflare is of course a well-known cloud-based web firewall that is used by many good and shady sites.
This certificate has the following 40 (in words: FORTY!) Alternative Names. Oh, and don’t worry, it is also valid for 4 more years (until Jan 15, 2018). What could possibly go wrong with this?
Did I mention that the domain that it was issued to doesn’t even resolve (ssl2968.cloudflare.com)?
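As an added example (not code from the original post), this shows why a certificate "issued to" ssl2968.cloudflare.com is nevertheless accepted for verified.cm: clients match the requested hostname against the dNSName entries in the Subject Alternative Name extension, not the subject CN, so one shared certificate covers every unrelated site in that list. The SAN list here is constructed for illustration and is not the real forty names.

```python
# Constructed SAN list for illustration. The post states the subject is
# ssl2968.cloudflare.com and that there are 40 SANs; these entries are
# placeholders, not the names on the actual certificate.
CERT_SUBJECT_CN = "ssl2968.cloudflare.com"
CERT_SANS = [
    "ssl2968.cloudflare.com",
    "*.ssl2968.cloudflare.com",
    "verified.cm",
    "*.verified.cm",
    "example-unrelated-shop.test",
    "*.example-unrelated-shop.test",
]


def hostname_matches(hostname, san_names):
    """Return the SAN entry that covers hostname under RFC 6125 rules,
    or None. The subject CN is deliberately ignored: once a certificate
    carries dNSName SANs, that is the only list a client consults, so
    the CN pointing at a Cloudflare hostname does not matter."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue  # wildcard covers exactly one label, never several
        if labels[0] == "*":
            if len(labels) < 3:
                continue  # refuse "*.tld" style entries
            if labels[1:] == host_labels[1:]:
                return name
        elif labels == host_labels:
            return name
    return None


def distinct_domains(san_names):
    """Collapse wildcard and bare entries to the set of base names, which
    is the quick way to see how many unrelated sites share one key."""
    bases = {n[2:] if n.startswith("*.") else n for n in san_names}
    return sorted(b.lower() for b in bases)


if __name__ == "__main__":
    for host in ("verified.cm", "www.verified.cm", "cloudflare.com"):
        print(host, "->", hostname_matches(host, CERT_SANS))
    print(len(distinct_domains(CERT_SANS)), "distinct domains on one cert")
```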
Here are the forty Alternative Names: