TZubiri 9 hours ago

>Hope you didn't name it anything sensitive, like "mycorp-and-othercorp-planned-merger-storage", or something.

So, no one competent is going to do this; domains are not encrypted by HTTPS, and any sensitive info is pushed to the URL path.

I think being controlling of domain names is a sign of a good sysadmin, it's also a bit schizophrenic, but you gotta be a little schizophrenic to be the type of sysadmin that never gets hacked.

That said, domains not leaking is one of those "clean sheet" features that you go for, for no reason at all, and it feels nice, but if you don't get it, it's not consequential at all. It's like driving at exactly 50mph, like having a green streak on GitHub. You are never going to rely on that secrecy if only because some ISP might see that, but it's 100% achievable that no one will start pinging your internal host and start polluting your hosts (if you do domain name filtering).

So what I'm saying is, I appreciate this type of effort, but it's a bit dramatic. Definitely uninstall whatever junk leaked your domain though, but it's really nothing.

Jolter 8 hours ago | parent | next [-]

Obl. nitpick: you mean paranoia, presumably. Schizophrenia is a dissociative/psychotic disorder, paranoia is the irrational belief that you’re being persecuted/watched/etc.

Btw, in this case it can’t be paranoia since the belief was not irrational - the author was being watched.

TZubiri 8 hours ago | parent [-]

You are right, I meant paranoid.

>Btw, in this case it can’t be paranoia since the belief was not irrational - the author was being watched.

Yes, but I mean being overly cautious in the threat model. For example, birds may be watching through my window, it's true and I might catch a bird watching my house, but it's paranoid in the sense that it's too tight of a threat model.

nottorp 3 hours ago | parent | next [-]

One never knows, that owl might be electric.

jraph 8 hours ago | parent | prev [-]

I know analogies are not meant to be perfect, but birds don't mass watch, and don't systematically watch every one of your moves either.

nirse 8 hours ago | parent [-]

That's what you think...

jraph 8 hours ago | parent [-]

:-)

wasmitnetzen 3 hours ago | parent | prev | next [-]

I've blown fairly competent colleagues' minds multiple times by showing them the existence of certificate transparency logs. They were very much under the impression that hostnames can be kept secret as a protection against external infrastructure mapping.

jraph 9 hours ago | parent | prev | next [-]

> any sensitive info is pushed to the URL Path

This too is not ideal. It gets saved in the browser history, and if the url is sent by message (email or IM), the provider may visit it.

> Definitely uninstall whatever junk leaked your domain though, but it's really nothing.

We are used to the tracking being everywhere but it is scandalous and should be considered as such. Not the subdomain leak part, that's just how Rachel noticed, but the non advertised tracking from an appliance chosen to be connected privately.

TZubiri 8 hours ago | parent [-]

>This too is not ideal. It gets saved in the browser history, and if the url is sent by message (email or IM), the provider may visit it.

Sure. POST for extra security.

> Not the subdomain leak part, that's just how Rachel noticed, but the non advertised tracking from an appliance chosen to be connected privately.

If this were a completely local product, like say a USB stick, sure. But this is a Network Attached Storage product, and the user explicitly chose to use network functions (domains, HTTP); it's not the same category of issue.

OptionOfT 8 hours ago | parent | prev | next [-]

TLS 1.3 has encrypted client hello which encrypts the domain name during an HTTPS connection.

voidUpdate 7 hours ago | parent | prev [-]

> "So, no one competent is going to do this"

What about all the people who are incompetent?