← Back to context

Comment by jesterson

17 hours ago

> If you use LetsEncrypt for ssl certs (which you should)

You meant you shouldn't right? Partially exactly for the reasons you stated later in the same sentence.

3 comments

jesterson

Reply
josh3736  17 hours ago

Let's Encrypt has nothing to do with this problem (of Certificate Transparency logs leaking domain names).

CA/B Forum policy requires every CA to publish every issued certificate in the CT logs.

So if you want a TLS certificate that's trusted by browsers, the domain name has to be published to the world, and it doesn't matter where you got your certificate, you are going to start getting requests from automated vulnerability scanners looking to exploit poorly configured or un-updated software.

Wildcards are used to work around this, since what gets published is *.example.com instead of nas.example.com, super-secret-docs.example.com, etc — but as this article shows, there are other ways that your domain name can leak.

So yes, you should use Let's Encrypt, since paying for a cert from some other CA does nothing useful.

  • tialaramex  3 hours ago

    Another big way you get scooped up, having worked in that industry among other things - is that anybody - internal staff, customers, that one sales guy who insists on using his personal iPhone to demo the product and everybody turns a blind eye because he made $14M in sales last year - calls some public DNS resolver and the public DNS server sells those names --- even though the name didn't "work" because it wasn't public.

    They don't sell who asked because that's a regulatory nightmare they don't want, but they sell the list of names because it's valuable.

    You might buy this because you're a bad guy (reputable sellers won't sell to you but that's easy to circumvent), because you're a more-or-less legit outfit looking for problems you can sell back to the person who has the problem, or even just for market research. Yes, some customers who own example.com and are using ZQF brand HR software won't name the server zqf.example.com but a lot of them will and so you can measure that.

  • jesterson  16 hours ago

    Statistically amount of parasite scanning on LE "secured" domains is way more compared to purchased certficates. And yes, this is without voluntary publishing on LE side.

    I am not entirely aware what LE does differently, but we had very clear observation in the past about it.