We compiled this list by attempting a handshake with the Cloud Flare domains in our database.
The traffic between the original web server and Cloud Flare remains unencrypted unless the web server owner has his own certificate installed on his machine.
Almost everyone who browses an HTTPS domain reached through Cloud Flare is unaware that only half of the route is encrypted.
When they see the padlock on their screen, they feel that everything is safe. The service is easy to use for a cybercriminal who has numerous domains hidden behind the privacy services of various registrars.
Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email.
This page is an excellent imitation of the Bank of America pages he remembers, and there is also that nice little SSL padlock in the corner of the address bar. Probably, because he doesn't realize that he's at a subdomain of q4and is entering his old and new password into a fake page for the benefit of a phisher.
As if the "standard" certificates aren't enough of a problem, there are also over four million "universal" certificates that present bigger problems.
All of these "universal" certificates include that magical wildcard subdomain that invites so much mischief.
Some critics are referring to these Cloud Flare certificates as "fraudulent" because the domain ownership validation (a necessary component of the SSL standard) is achieved only from Cloud Flare's initial access to the zone file.
The "ssl2796" in the name is a Cloud Flare tracking ID in the 136,535 root domains we found that use "standard" (not "universal") Cloud Flare certificates.
Every root domain also has a subdomain wildcard line (*.example.com), which we deleted to save space.
on the use of SSL by Cloud Flare and similar services.
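One way a site owner could audit which names share a certificate with their domain, using the handshake, tracking ID and wildcard lines described above. This is an added example, not the code used to compile the list; the position of the tracking ID at the start of the common name, the `.example` host names and all function names are assumptions.

```python
import re
import socket
import ssl

# Assumption: the tracking ID is the left-most label of the certificate
# common name, e.g. "ssl2796.<something>".
TRACKING_ID = re.compile(r"^(ssl\d+)\.", re.IGNORECASE)


def fetch_cert(host, port=443, timeout=5.0):
    """Attempt a TLS handshake and return the peer certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize(cert):
    """Extract the tracking ID, root domains and wildcard lines from a cert."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), "")
    m = TRACKING_ID.match(cn)
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # Wildcard lines are kept separately instead of being deleted.
    wildcards = sorted(n for n in names if n.startswith("*."))
    roots = sorted(n for n in names if not n.startswith("*.") and n != cn.lower())
    return {"tracking_id": m.group(1).lower() if m else None,
            "roots": roots, "wildcards": wildcards}


def covered_by_wildcard(hostname, wildcards):
    """True if a wildcard entry matches hostname (one left-most label only)."""
    _, _, parent = hostname.lower().partition(".")
    return any(w[2:] == parent for w in wildcards)


# Constructed sample in the shape ssl.getpeercert() returns; not real data.
SAMPLE_CERT = {
    "subject": ((("commonName", "ssl2796.shared-cert.example"),),),
    "subjectAltName": (
        ("DNS", "ssl2796.shared-cert.example"),
        ("DNS", "example.com"), ("DNS", "*.example.com"),
        ("DNS", "example.net"), ("DNS", "*.example.net"),
    ),
}

if __name__ == "__main__":
    info = summarize(SAMPLE_CERT)
    print(info)
    print(covered_by_wildcard("login.example.com", info["wildcards"]))
```

Passing the result of `fetch_cert("your-domain.example")` to `summarize` lists every other root domain that is served under the same certificate as yours.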