When is an SSL certificate 'valid' - altnames

Question

I've been using an online SSL checker to check certificate validity for several sites.

One thing I noticed is that many websites have wildcard certificates - especially those hosted on common web hosting sites, such as goDaddy: *.onlinestore.godaddy.com

But those sites have custom domains and so when validating the SSL cert I can see an error where the hostname does not match the altnames listed in the certificate.

But all major browsers (tested chrome, FF, IE and Safari) still show the site as secure. Do the browsers not care that the domain names are not listed in the cert, and isn't that a security vulnerability?

Example: https://www.sslshopper.com/ssl-checker.html#hostname=www.cinnamonmotif.com

Answer 1

In case a wildcard certificate is installed on a domain, the browser only check the certificate validity and wildcard rule. As long as this rule is true the certificate id trusted and no warning appears.

Answer 2

If you look at the certificate that the browser resolved you'll see that it's different than sslshopper.com resolved.

When you go in a modern browser the client sends the TLS Server Name Indication extension, and the site notices that it's supposed to serve up the cinnamonmotif.com certificate.

SslShopper saw *.onlinestore.godaddy.com, which is certificate 0x6068c7475ab4ee2a from Go Daddy Secure Certificate Authority - G2.

With SNI the served up certificate is cinnamonmotif.com, certificate 0x3e0240d9425e8120 from Go Daddy Secure Certificate Authority - G2.

The fact that the browser saw a different certificate, which is a hostname match, is why the browser says it's a legitimate connection.