VPN endpoints...
a lot of TLS VPNs don't even check a certificate is correct, they simply check it's valid...
that, combined with no DNSSEC for the hosting domain, means if a user connects on a compromised network they can spoof the name and certificate...
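
The gap described above (a certificate that is merely valid versus one that belongs to the expected server), shown as a check over an OpenVPN client profile. This is an added example, not part of the original comment; OpenVPN is picked here as one TLS VPN for illustration, and the profile text, the host `vpn.example.com` and the finding names are constructed.

```python
# Added example: flag OpenVPN client profiles that accept any certificate
# chaining to the CA instead of checking it is the expected server's.

# Directives that tie the session to one specific server certificate or name.
IDENTITY = {"verify-x509-name", "peer-fingerprint", "verify-hash"}

def parse_profile(text):
    """Return {directive: [args, ...]}, skipping comments and inline block bodies."""
    found, closing = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if closing:                      # inside an inline <ca>...</ca> style block
            if line == closing:
                closing = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            name = line[1:-1]
            found.setdefault(name, []).append([])
            closing = f"</{name}>"
            continue
        name, *args = line.split()
        found.setdefault(name.lstrip("-"), []).append(args)
    return found

def audit(text):
    """Return a list of finding names (hypothetical labels) for a client profile."""
    d = parse_profile(text)
    findings = []
    if "ca" not in d and "peer-fingerprint" not in d:
        findings.append("no-trust-anchor")
    if ["server"] not in d.get("remote-cert-tls", []):
        # a client certificate from the same CA could be presented as the server
        findings.append("no-server-usage-check")
    if IDENTITY.isdisjoint(d):
        # chain is validated, but nothing says *which* server it must be
        findings.append("valid-but-not-correct")
    return findings

# Constructed sample profiles (not from the original comment).
WEAK = """client
remote vpn.example.com 443 tcp
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""
HARDENED = WEAK + "remote-cert-tls server\nverify-x509-name vpn.example.com name\n"
```
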