| ▲ | fragmede 9 hours ago |
| This highlights a huge problem with LetsEncrypt and CT logs. Which is that the Internet is a bad place, with bad people looking to take advantage of you. If you use LetsEncrypt for ssl certs (which you should), that hostname gets published to the world, and that server immediately gets pummeled by requests for all sorts of fresh install pages, like wp-admin or phpmyadmin, from attackers. |
|
| ▲ | krautsauer 9 hours ago | parent | next [-] |
| That may be related, but it's not what happened here. Wildcard-cert and all. |
|
| ▲ | ale42 7 hours ago | parent | prev | next [-] |
| It's not just Let's Encrypt, right? CT is a requirement for all Certificate Authorities nowadays. You can just look at the certificate of www.google.com and see that it has been published to two CT logs (Google's and Sectigo's) |
| |
| ▲ | nottorp 3 hours ago | parent | next [-] | | Now I get why they want to reduce certificate validity to 20 minutes. The logs will become so spammy then that the bad guys won't be able to scan all hosts in them any more... | |
| ▲ | tialaramex 6 hours ago | parent | prev [-] | | Technically logging certificates is not a Requirement of the trust stores, but most web browsers won't accept a certificate which isn't presented with a proof of logging, typically (but not always) baked inside the certificates. The reason for this distinction is that failing to meet a Requirement for issued certificates would mean the trust stores might remove your CA, but several CAs today do issue unlogged certificates - and if you wanted to use those on a web server you would need to go log them and staple the proofs to your certs in the server configuration. Most of the rules (the "Baseline Requirements" or BRs) are requirements and must be followed for all issued certificates, but the rule about logging deliberately doesn't work that way. The BRs do require that a CA can show us - if asked - everything about the certificates they issued, and these days for most CAs that's easiest accomplished by just providing links to the logs e.g. via crt.sh -- but that requirement could also be fulfilled by handing over a PDF or an Excel sheet or something. |
|
|
| ▲ | prmoustache 4 hours ago | parent | prev | next [-] |
| Why would you care that your hostname on a local only domain is published to the world if it is not reachable from outside? Publicly available hosts are alread published to the world anyway through DNS. LetsEncrypt doesn't make a difference at all. |
|
| ▲ | thakoppno 9 hours ago | parent | prev | next [-] |
| > the Internet is a bad place FWIW - it’s made of people |
| |
| ▲ | TZubiri 9 hours ago | parent [-] | | No, it's made by systems made by people, systems which might have grown and mutated so many times that the original purpose and ethics might be unrecognizable to the system designers. This can be decades in the case of tech like SMTP, HTTP, JS, but now it can be days in the era of Moltbots and vibecoding. |
|
|
| ▲ | Spivak 9 hours ago | parent | prev | next [-] |
| I like only getting *.domain for this reason. No expectation of hiding the domain but if they want to figure out where other things are hosted they'll have to guess. |
| |
| ▲ | ttoinou 9 hours ago | parent | next [-] | | So how do you get this ? | | | |
| ▲ | hsbauauvhabzb 9 hours ago | parent | prev [-] | | That’s really not a great fix. If those hostnames leak, they leak forever. I’d be surprised if AV solutions and/or windows aren’t logging these things. |
|
|
| ▲ | jesterson 9 hours ago | parent | prev [-] |
| > If you use LetsEncrypt for ssl certs (which you should) You meant you shouldn't right? Partially exactly for the reasons you stated later in the same sentence. |
| |
| ▲ | josh3736 9 hours ago | parent [-] | | Let's Encrypt has nothing to do with this problem (of Certificate Transparency logs leaking domain names). CA/B Forum policy requires every CA to publish every issued certificate in the CT logs. So if you want a TLS certificate that's trusted by browsers, the domain name has to be published to the world, and it doesn't matter where you got your certificate, you are going to start getting requests from automated vulnerability scanners looking to exploit poorly configured or un-updated software. Wildcards are used to work around this, since what gets published is *.example.com instead of nas.example.com, super-secret-docs.example.com, etc — but as this article shows, there are other ways that your domain name can leak. So yes, you should use Let's Encrypt, since paying for a cert from some other CA does nothing useful. | | |
| ▲ | jesterson 8 hours ago | parent [-] | | Statistically amount of parasite scanning on LE "secured" domains is way more compared to purchased certficates. And yes, this is without voluntary publishing on LE side. I am not entirely aware what LE does differently, but we had very clear observation in the past about it. |
|
|
