Comment by marcosdumay
3 years ago
Is this valuable enough to resist every real advancement in network security since the late 00's? Because for each one of them it's certain that people will pop up making a lot of noise about hidden server names.
It's mostly because of them that DNS is still not reliable. Well, at least this article isn't against certificate transparency, just about how to avoid it.
I don’t think anyone is arguing that Certificate Transparency defeats “every real advancement in network security”. If you want to avoid your internal hostnames, and maybe Subject and SAN, ending up in LE, then you’re free to run your own CA.
But getting back to your parent post, maybe we can see a nontrivial real-world list of a big network to make sure it’s leaking nothing of value?