hello - maybe a simple question but i thought best practice was to check the certificate to a site that is new to you . . . sometimes when i do this, it is registered to Cloudflare and not the domain itself so how do i proceed in this case? trust that Cloudflare has verified the site as legitimate? thanks.
The trustworthiness of a website has nothing to do with who owns the SSL certificate.
The SSL certificate simply lets you know that there’s an SSL connection between you and the host.
Websites don’t need to purchase their own SSL certificates (expensive), especially when you could use Let’s Encrypt which gives you free SSL certificates to use HTTPS on your website, or in this case, Cloudflare gives you free SSL certificates too.
thanks for replying . . . i’m a little confused by your statement . . . i thought the 2 were linked? meaning, i cannot get a certificate for ‘my_domain_dot_com’ if i cannot prove it, right?
anyway, the larger question i’m after is that in the crypto world, it is popular to trick people so i always try to line things up . . . here is a wallet on a popular layer1 protocol called Avalanche . . .in this case, all lines up (which i guess you are saying doesn’t give me assurance?) but in some cases, Cloudflare will step in and when i check the cert, it will be registered to Cloudflare. hope this makes sense -
Your browser does the test to see that the certificate is fine, and that’s what you should trust (unless you did something like import bad actors’ Root CAs into your OS’ truststore, or, the browser warned you about a cert and you did ‘continue anyway’).
You’re probably confused because you expect that the hostname of the site to be in the CN (Common Name) field of the certificate. While this has been 100% true ages ago, it is not true today. I’ll explain.
A certificate may have multiple subjects (yes, in one certificate). So, for example, you could have a single cert be presented by google.com, www.google.com, www.google.us, www.google, etc. But how? There’s only one Common Name in a cert! Enter SAN (Subject Alternative Name) certificates: A certificate that contains one or more SANs which may overlap with the CN (and may not, as well;)
With a SAN certificate, you can have a certificate issued to CN X, and have additional 50 other hostnames embedded… elsewhere in the cert, where you can’t see them on plain sight. However, if you dive into the certificate details, you’ll find the Subject Alternative Name, and your domain - in it. If it wasn’t there, your browser would have complained that the site you’ve connected to does not have the hostname that you typed in your URL bar.
Now, why Cloudflare does this? Good question. I am not an employee, so I could only guess. Those certs are free. Cloudflare also have a paid certificates service ($5/mo.) - in which they don’t do that, and issue a cert with a CN that matches the hostname. This can become more expensive than regular cheap CA-issued cert, and definitely more expensive than the alternatives that exist today with the ACME protocol - i.e. Let’s Encrypt and Google’s PKI. Which you could have used, if Cloudflare permitted to bring your own cert in the cheap plans - but they don’t In summary, it’s not less secure, but probably a way to give a service for free from one hand, and have people who care about visibility (that has no meaningful security implications, just like Extended Validation certs from the past) - and agree to pay a premium - have what they want.
Just to get really nerdy:
There can be one or less commonName extensions in a certificate. Common Name is deprecated. While the Common Name must be valid, modern browsers only validate the subjectAltName extension. CAs still include commonName for legacy support, but most modern browsers don’t care.
There is no technical limit to the number of dnsNames that can be covered by one certificate, but most CAs have limits. Cloudflare ACM has a 50 host limit, but LE allows 100, and you can get certs with 1,000 names or more from commercial CAs. Anything that big will eventually suffer from performance issues, and browsers will not validate certs with silly numbers of hostnames.