
Bad SSL certificate found on cnn.com - svenfaw
https://www.reddit.com/r/programming/comments/5310bh/heres_how_broken_todays_web_will_feel_in_chromes/d7qfpw7
======
svenfaw
The CNN issue looks like some type of CDN screwup, but the real bad thing is
that this single cert covers all of the below domains:

    
    
        a.ssl.fastly.net
        *.a.ssl.fastly.net
        fast.wistia.com
        purge.fastly.net
        mirrors.fastly.net
        *.parsecdn.com
        *.fastssl.net
        voxer.com
        www.voxer.com
        *.firebase.com
        sites.yammer.com
        sites.staging.yammer.com
        *.skimlinks.com
        *.skimresources.com
        cdn.thinglink.me
        *.fitbit.com
        *.hosts.fastly.net
        control.fastly.net
        *.wikia-inc.com
        *.perfectaudience.com
        *.wikia.com
        f.cloud.github.com
        *.digitalscirocco.net
        *.etsy.com
        *.etsystatic.com
        *.addthis.com
        *.addthiscdn.com
        fast.wistia.net
        raw.github.com
        www.userfox.com
        *.assets-yammer.com
        *.staging.assets-yammer.com
        assets.huggies-cdn.net
        orbit.shazamid.com
        about.jstor.org
        *.global.ssl.fastly.net
        web.voxer.com
        pypi.python.org
        *.12wbt.com
        www.holderdeord.no
        secured.indn.infolinks.com
        play.vidyard.com
        play-staging.vidyard.com
        secure.img.wfrcdn.com
        secure.img.josscdn.com
        *.gocardless.com
        widgets.pinterest.com
        *.7digital.com
        *.7static.com
        p.datadoghq.com
        new.mulberry.com
        www.safariflow.com
        cdn.contentful.com
        tools.fastly.net
        *.huevosbuenos.com
        *.goodeggs.com
        *.fastly.picmonkey.com
        *.cdn.whipplehill.net
        *.whipplehill.net
        cdn.media34.whipplehill.net
        cdn.media56.whipplehill.net
        cdn.media78.whipplehill.net
        cdn.media910.whipplehill.net
        *.modcloth.com
        *.disquscdn.com
        *.jstor.org
        *.dreamhost.com
        www.flinto.com
        *.chartbeat.com
        *.hipmunk.com
        content.beaverbrooks.co.uk
        secure.common.csnstores.com
        www.joinos.com
        staging-mobile-collector.newrelic.com
        *.modcloth.net
        *.foursquare.com
        *.shazam.com
        *.4sqi.net
        *.metacpan.org
        *.fastly.com
        wikia.com
        fastly.com
        *.gadventures.com
        www.gadventures.com.au
        www.gadventures.co.uk
        kredo.com
        cdn-tags.brainient.com
        my.billspringapp.com
        rvm.io
    

WTF, Digicert?

Full details can be viewed at:
[https://www.censys.io/certificates/ca5c57bee6ab21c055dcdbe8a...](https://www.censys.io/certificates/ca5c57bee6ab21c055dcdbe8ad25feef6d1764a92e2aaaadb5d55fb667c3f8ac)

~~~
detaro
CDNs sharing certs between many clients is not unusual. Is there anything
particularly bad about this practice?

It increases the risk if one certificate is broken, but if it is stolen, an
attacker likely could have stolen a set of individual certificates as well.
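
Added example (not written by either commenter): one way to quantify the shared-key exposure discussed above is to group a certificate's SAN entries by registrable domain and check which hostnames each entry actually matches. `SAMPLE_SANS` is a subset of the list in the post, `MULTI_LABEL_SUFFIXES` is a small stand-in for the Public Suffix List, and the function names are illustrative.

```python
# SAN audit for a shared (multi-tenant) certificate: how many independent
# sites depend on one private key, and which SAN entries cover a hostname.

# Subset of the SAN list quoted in the post above.
SAMPLE_SANS = [
    "*.a.ssl.fastly.net", "*.fastly.com", "fastly.com",
    "*.etsy.com", "*.etsystatic.com", "raw.github.com", "f.cloud.github.com",
    "pypi.python.org", "*.firebase.com", "www.gadventures.co.uk",
    "www.gadventures.com.au", "*.gocardless.com", "rvm.io",
]

# Assumption: tiny stand-in for the Public Suffix List, enough for the sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def registrable_domain(name):
    """Return the owner-level domain (public suffix plus one label)."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def san_matches(san, hostname):
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    san, hostname = san.lower(), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == san[2:]

def blast_radius(sans):
    """Group SAN entries by registrable domain; every key shares the one key pair."""
    groups = {}
    for san in sans:
        groups.setdefault(registrable_domain(san), []).append(san)
    return groups

def covered(sans, hostname):
    """List the SAN entries under which the certificate is valid for hostname."""
    return [s for s in sans if san_matches(s, hostname)]

if __name__ == "__main__":
    groups = blast_radius(SAMPLE_SANS)
    print(f"{len(SAMPLE_SANS)} SAN entries -> {len(groups)} registrable domains")
    for domain, names in sorted(groups.items()):
        print(f"  {domain}: {', '.join(names)}")
```
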

