| ▲ | INTPenis 5 hours ago |
| I started treating long random bucketnames as secrets years ago. Ever since I noticed hackers were discovering buckets online with secrets and healthcare info. This is where IaC shines. |
|
| ▲ | 8organicbits 2 hours ago | parent | next [-] |
| ~As far as I know, bucket names are public via certificate transparency logs.~ There are tools for collecting those names. Besides you'd leak the subdomain to (typically) unencrypted DNS when you do a lookup and maybe via SNI. Edit: crossout incorrect info |
| |
| ▲ | BCM43 2 hours ago | parent | next [-] | | I'm pretty sure buckets use star certs and thus the individual bucket names won't be in the transparency logs. | | | |
| ▲ | embedding-shape 2 hours ago | parent | prev [-] | | > Besides you'd leak the subdomain to (typically) unencrypted DNS when you do a lookup and maybe via SNI. "Leak" is maybe a bit over-exaggerated, although if someone MitM'd you they definitely be able to see it. But "leak" makes it seem like it's broadcasted somehow, which obviously it isn't. | | |
| ▲ | 8organicbits an hour ago | parent [-] | | No man-in-the-middle is needed, DNS queries are often collected into large datasets which can be analyzed by threat hunters or attackers. Check out passive DNS https://www.spamhaus.com/resource-center/what-is-passive-dns... You'd need to check the privacy policy of your DNS provider to know if they share the data with anyone else. I've commonly seen source IP address consider as PII, but not the content of the query. Cloudflare's DNS, for example, shares queries with APNIC for research purposes. https://developers.cloudflare.com/1.1.1.1/privacy/public-dns... Other providers share much more broadly. | | |
| ▲ | embedding-shape an hour ago | parent [-] | | > No man-in-the-middle is needed [...] Check out passive DNS How does one execute this "passive DNS" without quite literally being on the receiving end, or at least sitting in-between the sending and receiving end? You're quite literally describing what I'm saying, which makes it less of a "leak" and more like "others might collect your data, even your ISP", which I'd say would be accurate than "your DNS leaks". | | |
| ▲ | 8organicbits an hour ago | parent [-] | | There's a lot of online documentation about passive DNS. Here's one example > Passive DNS is a historical database of how domains have resolved to IP addresses over time, collected from recursive DNS servers around the world. It has been an industry-standard tool for more than a decade. > Spamhaus’ Passive DNS cluster handles more than 200 million DNS records per hour and stores hundreds of billions of records per month, providing you with access to a vast lake of threat intelligence data. https://www.spamhaus.com/resource-center/what-is-passive-dns... | | |
| ▲ | embedding-shape 27 minutes ago | parent [-] | | > collected from recursive DNS servers around the world Yes, of course, because those DNS servers are literally receiving the queries, eg "receiving the data". Again, there is nothing "leaking" here, that's like saying you leak what HTTP path you're requesting to a server, when you're sending a HTTP request to that server. Of course, that's how the protocol works! |
|
|
|
|
|
|
| ▲ | XorNot 5 hours ago | parent | prev | next [-] |
| I just started using hashes for names. The deployment tooling knows the "real" name. The actual deployment hash registers a salt+hash of that name to produce a pseudo-random string name. |
|
| ▲ | Galanwe 5 hours ago | parent | prev [-] |
| This is all good and we'll on the IaC side,yes. But at the end of the day, buckets are also user facing resources, and nobody likes random directory / bucket names. |
| |
| ▲ | INTPenis 3 hours ago | parent | next [-] | | That's a contradiction, a bucket name being treated as a secret in IaC, while being a user facing resource. So no, they're not user facing resources. If anyone wants them to be user facing resources, then treat them as such, and ensure they're secure, and don't store sensitive info on them. Otherwise, put a service infront of them, and have the user go through it. The S3 protocol was meant to make the lives of programmers easier, not end users. | |
| ▲ | amluto 4 hours ago | parent | prev [-] | | It would be nice if the other end of this could be addressed: a configurable policy to limit resolution of bucket names within an account namespace. Ideally, if someone doesn’t have permission to resolve a bucket name, they shouldn’t even be able to detect whether it exists. |
|
