So, a user has an SSL error, and there appears a certificate that has nothing to do with the site he's supposed to be accessing. It's marked as invalid (never mind) and is from a CA I have never heard of, called Valicert.
It seems to be a valid CA, its certificates mostly validate, etc., but something is fishy (besides the fact that there is a freaking Valicert certificate where there should not be one and I have no idea why).
It seems Valicert is or was owned by GoDaddy, which should already be a problem, but it gets worse. The URL for the CA? valicert.com which is not configured as a site. Then I try www.valicert.com which does exist but is not about a CA but about AxWay, a "Business Interaction Networks company".
It contains nuggets like "What can our cloud-based community management solution do for your bottom line?" and "Is your file transfer system visibility-impaired?" and "Our award-winning products, solutions and services enable the business-critical transactions required to accelerate performance within and among enterprises – while providing management, security and governance on interactions throughout business networks."
And then I had the (bad) idea to try https://www.valicert.com ... a picture should be enough:
These bozos, this company that dares offer file transfer whatnots and has "award winning products"... has a self-signed certificate, that expired in 2010, for localhost freaking localdomain on their public webserver.
So, I am guessing Valicert doesn't exist anymore, GoDaddy kept the CA alive until all certs expire and for some reason AxWay is a bunch of incompetents who bought the domain (but why???) and really, trusting CAs is getting harder each day.