← cipherwake.io · All watchlists
Cipherwake watchlist

The Worst Cross-Rotation Key-Reuse Offenders

Every other TLS scanner only sees the current cert. Cipherwake mines Certificate Transparency logs to track the actual private key behind every cert a domain has ever issued. These are the domains where 'cert rotation' didn't actually rotate the underlying key — meaning years of harvested traffic across multiple cert renewals all decrypt with one key compromise. This is the unique finding most ASM tools miss.

# Domain Score Grade Key reuse (yrs) Freshness
1 nissan.com 3.5 B 1.6 (32 rotations) stale (12d old)
2 monday.com 5.3 C 1.6 (2 rotations) verified 2h ago
3 uchicagomedicine.org 4.9 C 1.5 (3 rotations) verified 8h ago
4 washingtonpost.com 5.8 C 1.0 (32 rotations) stale (2d old)
5 shield.ai 4.6 C 0.5 (31 rotations) verified 31h ago
6 wsj.com 2.6 B 0.5 (32 rotations) stale (4d old)
7 reuters.com 5.0 C 0.5 (32 rotations) stale (5d old)
8 bbc.com 4.6 C 0.5 (31 rotations) stale (9d old)
9 rtx.com 5.0 C 0.5 (32 rotations) verified 4h ago
10 ico.org.uk 5.2 C 0.5 (31 rotations) verified 8h ago
11 volkswagen.com 4.8 C 0.5 (31 rotations) verified 34h ago
12 tesla.com 4.1 C 0.2 (32 rotations) verified 34h ago
13 saic.com 5.1 C 0.2 (31 rotations) stale (2d old)
14 politico.com 5.2 C 0.2 (31 rotations) stale (6d old)
15 propublica.org 4.4 C 0.2 (31 rotations) stale (4d old)

Don't want to be here?

Run the same scan we use for this ranking. See your specific findings, get the migration steps, and track the domain so you know when your score improves.

Updated nightly via Certificate Transparency log mining + active TLS probes. Public-surface measurements only — internal Blast Radius is typically 12–40× this score.
Methodology · Challenge a score · All sector leaderboards

Other watchlists