Cipherwake watchlist

The Worst Cross-Rotation Key-Reuse Offenders

Every other TLS scanner only sees the current cert. Cipherwake mines Certificate Transparency logs to track the actual private key behind every cert a domain has ever issued. These are the domains where 'cert rotation' didn't actually rotate the underlying key — meaning years of harvested traffic across multiple cert renewals all decrypt with one key compromise. This is the unique finding most ASM tools miss.

| # | Domain | Score | Grade | Key reuse (yrs) | Freshness |
|---|--------|-------|-------|-----------------|-----------|
| 1 | nissan.com | 3.5 | B | 1.6 (32 rotations) | stale (12d old) |
| 2 | monday.com | 5.3 | C | 1.6 (2 rotations) | verified 42m ago |
| 3 | uchicagomedicine.org | 4.9 | C | 1.5 (3 rotations) | verified 9h ago |
| 4 | vercel.com | 3.8 | B | 1.0 (33 rotations) | verified 42m ago |
| 5 | washingtonpost.com | 5.8 | C | 1.0 (32 rotations) | stale (3d old) |
| 6 | shield.ai | 4.6 | C | 0.5 (31 rotations) | verified 32h ago |
| 7 | wsj.com | 2.6 | B | 0.5 (32 rotations) | stale (4d old) |
| 8 | reuters.com | 5.0 | C | 0.5 (32 rotations) | stale (5d old) |
| 9 | bbc.com | 4.6 | C | 0.5 (31 rotations) | stale (9d old) |
| 10 | rtx.com | 5.0 | C | 0.5 (32 rotations) | verified 5h ago |
| 11 | ico.org.uk | 5.2 | C | 0.5 (31 rotations) | verified 9h ago |
| 12 | volkswagen.com | 4.8 | C | 0.5 (31 rotations) | verified 35h ago |
| 13 | github.com | 6.6 | D | 0.5 (33 rotations) | verified 42m ago |
| 14 | stripe.com | 6.6 | D | 0.3 (32 rotations) | verified 42m ago |
| 15 | tesla.com | 4.1 | C | 0.2 (32 rotations) | verified 35h ago |
| 16 | saic.com | 5.1 | C | 0.2 (31 rotations) | stale (2d old) |
| 17 | politico.com | 5.2 | C | 0.2 (31 rotations) | stale (6d old) |
| 18 | propublica.org | 4.4 | C | 0.2 (31 rotations) | stale (5d old) |

Updated nightly via Certificate Transparency log mining + active TLS probes. Public-surface measurements only — internal Blast Radius is typically 12–40× this score.