Reply to post: Re: imperva.com fake certificate?

reGOTCHA

Re: imperva.com fake certificate?

imperva[.]com is one of those companies offering protection against DOS attacks. Your traffic goes to them to be checked for 'legitimacy' and then goes to the destination. They have powerful machines receiving the traffic of all their clients and only the traffic deemed benign passes through. This explains why there are so many domains under one certificate. They probably have many certificates with many more domains in them, so it's not so obvious who their clients are based on one certificate.

The good thing about certificates is that they are not magical and they don't appear and disappear without leaving a trace.

This trace would be visible in some Certificate Transparency logs. Google, Cloudflare, Facebook, and many other certificate issuers monitor the issuing of certificates so it's damn hard to just issue a certificate linked all the way up to a root CA for a domain you don't own without getting noticed.

For example, for the 123-flowers[.]co[.]uk domain mentioned in the globalsign/imperva certificate, a bit further down on the cert details page you can see in the "Embedded SCTs" section that this cert in particular was included in 3 transparency logs - Google "Xenon2021", Cloudflare "Nimbus2021" and Sectigo (Comodo) "Sabre" CT.

I searched a few of these logs and no certificate was ever issued by globalsign to the sse[.]com[.]cn domain or any of its subdomains...

It was probably a small mistake in your research that yielded those suspicious results.

Another good thing about certificates and certificate transparency logs is that you get to know a lot of subdomains - even the ones not for general public - for research and academic purposes ofc.

Regarding trace routing changing routes - that's just dynamic routing and traffic shaping working. Two tracerts from the same place can have different routes and nothing guarantees you that your web traffic will have the same route as these two, also because you're using different protocols.
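The "Embedded SCTs" section the comment refers to is the RFC 6962 SignedCertificateTimestampList carried in the certificate's CT extension. The following is an added example, not code from the comment above or from any CT log operator: a pure-Python decoder for that list, run over SCT bytes that are constructed inline. The log IDs in the lookup table are likewise constructed placeholders (a real log ID is the SHA-256 of the log's public key, and the authoritative table is the browsers' published log lists), so the names "Example Xenon/Nimbus/Sabre" are assumptions, not the real Xenon2021, Nimbus2021 or Sabre identifiers.

```python
"""Decode an RFC 6962 SignedCertificateTimestampList, the payload of the
"CT Precertificate SCTs" / "Embedded SCTs" certificate extension.

Added example, not code from the original comment. The SCT bytes and the
log-ID table are constructed for the demonstration.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Constructed log table. A real checker loads the official CT log list;
# each log ID there is SHA-256(DER SubjectPublicKeyInfo of the log key).
KNOWN_LOGS = {
    hashlib.sha256(b"example-xenon-pubkey").digest(): "Example Xenon (constructed)",
    hashlib.sha256(b"example-nimbus-pubkey").digest(): "Example Nimbus (constructed)",
    hashlib.sha256(b"example-sabre-pubkey").digest(): "Example Sabre (constructed)",
}


def encode_sct(log_id, timestamp_ms, signature):
    """Serialise one v1 SCT (RFC 6962 s3.2) as it sits inside the list."""
    body = (
        b"\x00"                                 # sct_version = v1
        + log_id                                # 32-byte log ID
        + struct.pack(">Q", timestamp_ms)       # ms since the Unix epoch
        + struct.pack(">H", 0)                  # no CT extensions
        + b"\x04\x03"                           # hash sha256 (4), sig ecdsa (3)
        + struct.pack(">H", len(signature)) + signature
    )
    return struct.pack(">H", len(body)) + body


def encode_sct_list(scts):
    """Wrap already-encoded SCTs in the outer 2-byte length prefix."""
    payload = b"".join(scts)
    return struct.pack(">H", len(payload)) + payload


def parse_sct_list(data):
    """Walk the length-prefixed list and return one dict per SCT."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, out = 2, []
    while pos < len(data):
        (sct_len,) = struct.unpack(">H", data[pos:pos + 2])
        sct = data[pos + 2:pos + 2 + sct_len]
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        pos += 2 + sct_len
        if sct[0] != 0:
            raise ValueError("unknown SCT version %d" % sct[0])
        log_id = sct[1:33]
        (ts_ms,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        p = 43 + ext_len                        # skip extensions
        hash_alg, sig_alg = sct[p], sct[p + 1]
        (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
        out.append({
            "log": KNOWN_LOGS.get(log_id, "unknown log " + log_id.hex()),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg,
            "sig_alg": sig_alg,
            "signature": sct[p + 4:p + 4 + sig_len],
        })
    return out


def count_distinct_known_logs(scts):
    """Browsers require SCTs from several distinct, recognised logs."""
    return len({s["log"] for s in scts if not s["log"].startswith("unknown")})


# Constructed sample: three recognised logs plus one the table does not know.
TS_2021_03_01 = 1614556800000
FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # placeholder, not a real ECDSA sig
SAMPLE = encode_sct_list([
    encode_sct(log_id, TS_2021_03_01, FAKE_SIG) for log_id in KNOWN_LOGS
] + [encode_sct(hashlib.sha256(b"unlisted-log").digest(), TS_2021_03_01, FAKE_SIG)])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE):
        print(sct["log"], sct["timestamp"].isoformat())
    print("distinct known logs:", count_distinct_known_logs(parse_sct_list(SAMPLE)))
```

The decoder only reads the structure; it does not verify the signatures, which needs each log's public key and the precertificate TBS bytes. An SCT naming a log that is not on the published list, or fewer distinct recognised logs than the browser policy requires, is exactly the kind of thing that makes a certificate untrusted even when the chain itself is valid.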
