If you look at the (invalid) certificate for https://i.imgur.com/ it says only valid for the following names:
The certificate is only valid for the following names and then a list of about 100 names.
Isn't it a danger to have one certificate for multiple domains?
It seems that this certificate works for so many domains because it's part of a CDN. CDNs, or Content Delivery Networks, deliver files which are always the same (or 'static'). The site's logo, some style rules for the website, those things. The page itself may change, for example based on whether you are logged in, but often images (and such) don't change.
Such CDN is used because the closer a server is, the faster the page will load. However, not everybody has the resources to install dozens of servers around the world, so companies like Cloudflare and Akamai offer their CDN space (and a big network which can handle lots of traffic), just like hosting is being sold.
In order to provide all data securely (and avoid mixed-content errors), the certificate used by the CDN's server must be valid for all domains that it hosts files for. It is a risk to be able to spoof that many domains by stealing a single private key (and you only need access to one of the hundreds of servers), but it seems to outweigh the benefits. It seems it are mostly subdomains too (or perhaps only subdomains, I haven't checked).
The certificate belongs to EdgeCast, a CDN.
Their job is to serve content on behalf of other companies. The servers that do this typically handle results for hundreds or thousands of different domains, and they have thousands of servers for this purposes scattered all over the world. There are simply too many domains hosted on these servers to give each its own IP, so if they want to serve CDN files over SSL, they have to share a single SSL certificate.
The marginal benefit of serving CDN-hosted files over SSL is minimal, but it's particularly important if you intend to include those files in an SSL-delivered page. Remember that if your page is SSL, then all of the images, scripts, and other resources must also be delivered over SSL, no matter what domain they come from.
Note that none of the SSL domains are the "primary" domain for the site. Instead they're names like images.goldstar.com and content.truste.com. The companies aren't sharing their own private SSL certificate with all their neighbors; this certificate will not work on goldstar.com or truste.com. Instead they're turning over control of a single-purpose subdomain to edgecast and allowing edgecast to include all these edgecast-specific subdomains into a single certificate specifically for this purpose.
NOTE
Whom are you trusting with the key to your site? Edgecast, of course. Yes, other companies are also on the same certificate, but the private key is not controlled by you or by any of them; it's controlled by EdgeCast. You're trusting EdgeCast's infrastructure to not allow any other company's content to be visible on your domain. This is the same degree of trust you always are implictly granting to any company you allow to serve content on your behalf. The certificate doesn't really change that relationship.
Having one certificate for multiple domains creates a single point of failure. However, if an attacker where to obtain the private key then you probably have bigger problems on your hands.
They are called UCC/SAN certs. When you want to secure more than one domain, you buy a UCC cert. It is very cost effective compared to purchasing a regular SSL cert. A lot of cert providers use 2048 bit for generating the keys so I don't believe there is any compromise in terms of security.
Here is the link to Wikipedia which compares different certs. http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers
Hope that helps...
Some companies use certs with SAN names because it makes certificate renewal and management easier. Deploying 1 certificate to 100 websites is easier than deploying 100 certs to 100 websites.
Is it less secure? Yes, it is less secure only in the technical sense. Many times business needs of ease of management preempt conventional security thinking. They may be short staffed and only have enough time to do the bare minimum of security. The counter argument is that they may not do SSL at all if it's too hard (I've seen it happen)
Maybe they don't need the security and are using SSL for the vanity (or assumed security) of a given website. I would be OK downloading images using a certificate with a bloated SAN namespace like that, however I wouldn't want to use any bank or government site listed in such a certificate.
