Every other TLS scanner only sees the current cert. Cipherwake mines Certificate Transparency logs to track the actual private key behind every cert a domain has ever issued. These are the domains where 'cert rotation' didn't actually rotate the underlying key — meaning years of harvested traffic across multiple cert renewals all decrypt with one key compromise. This is the unique finding most ASM tools miss.
| # | Domain | Score | Grade | Key reuse (yrs) | Freshness |
|---|---|---|---|---|---|
| 1 | mailchimp.com | 4.8 | C | 0.5 (31 rotations) | stale (6d old) |
| 2 | hyundai.com | 6.0 | D | 0.5 (31 rotations) | verified 35h ago |
| 3 | credit-suisse.com | 4.6 | C | 0.5 (31 rotations) | verified 35h ago |
| 4 | chase.com | 5.2 | C | 0.5 (32 rotations) | verified 7h ago |
| 5 | rbs.co.uk | 4.6 | C | 0.5 (31 rotations) | verified 35h ago |
| 6 | apnews.com | 6.0 | D | 0.5 (31 rotations) | verified 35h ago |
| 7 | rivian.com | 6.0 | D | 0.5 (31 rotations) | verified 35h ago |
| 8 | jetblue.com | 5.5 | C | 0.2 (31 rotations) | stale (6d old) |
| 9 | frontier.com | 5.2 | C | 0.2 (31 rotations) | stale (6d old) |
| 10 | politico.com | 6.2 | D | 0.2 (31 rotations) | verified 35h ago |
Run the same scan we use for this ranking. See your specific findings, get the migration steps, and track the domain so you know when your score improves.