This morning, as Senator Ted Cruz launched his bid to become president of the United States, some people who visited his site thought he might also want to become a Nigerian prince. At least, that's what his site's certificate said.
It turns out that Cruz' campaign had registered to use CloudFlare as the content delivery network for its WordPress-basedtedcruz.org site, anticipating a flood of traffic from would be supporters. But because the Cruz campaign hadn't yet uploaded a certificate to identify the site for secure visits, CloudFlare's systems automatically assigned the site one of its own certificates, CloudFlare CEO Matthew Prince told Ars. "The Cruz campaign didn't do anything wrong," he said. "It was an automated process on CloudFlare's part." The certificate that the Cruz campaign's site got assigned to was also assigned to nigerian-prince.com.
CloudFlare assigns multiple sites to each of its own pool of SSL certificates, Prince said, "to limit consumption of IP addresses. By default we put more than one site on a certificate—if you don't upload your own certificate, then you share one." As soon as it was noticed that the Cruz campaign site shared a certificate with nigerian-prince.com—a site that displays only a joke about Nigerian "419" scams—CloudFlare and the Cruz campaign uploaded a new, private certificate, though tedcruz.org still appears on the certificate for nigerian-prince.com.
The certificate, however, is probably the least of the Cruz campaign's Internet problems. The domaintedcruz.com is currently hosting a site that urges people to support President Obama and immigration reform. And while the tedcruz.org site is intended to take donation information, it doesn't use SSL by default—so donors' credit card data could potentially be exposed.