We just scanned port 443 on 400,000 domains that use CloudFlare’s name servers, and collected the Subject Alt Names on all the certs that came back. That gave us about 22,200 Alt Names (not counting the subdomain wildcard listings, which would double that number) on 1,818 certificates. Their Alt Names bookkeeping is a little sloppy (there is old data in many of them), but these are valid certs from GlobalSign. It’s their way of making money off of the cloud-computing fad. Whether it’s the right thing for a certificate authority to do is another question. (Incapsula also uses GlobalSign to do the same thing.)

Having said that, at least GlobalSign did the right thing when I complained to them that CloudFlare was supporting the Target heist by providing services to four sites that are marketing the stolen cerdit card data. GlobalSign pulled the certs on those four sites. CloudFlare, meanwhile, is still doing it via http, even though the https doesn’t work. For that story, see http://www.cloudflare-watch.com/target.html