upvote

points

by fragmede18 hours ago |
comments
upvoteby Gigachad2 hours ago|
next
[-]
Unsecured fresh install states that rely on you signing in before an attacker does were always a horrible idea. It's been a welcome change on the Linux side where Linux distros can install with your SSH key and details preloaded so password login is always disabled.

These PHP apps need to change so you first boot the app with credentials so the app is secured at all moments.

reply
upvoteby ale4216 hours ago|
prev|
next
[-]
It's not just Let's Encrypt, right? CT is a requirement for all Certificate Authorities nowadays. You can just look at the certificate of www.google.com and see that it has been published to two CT logs (Google's and Sectigo's)
reply
upvoteby nottorp12 hours ago|
parent|
next
[-]
Now I get why they want to reduce certificate validity to 20 minutes. The logs will become so spammy then that the bad guys won't be able to scan all hosts in them any more...
reply
upvoteby tialaramex15 hours ago|
parent|
prev|
[-]
Technically logging certificates is not a Requirement of the trust stores, but most web browsers won't accept a certificate which isn't presented with a proof of logging, typically (but not always) baked inside the certificates.

The reason for this distinction is that failing to meet a Requirement for issued certificates would mean the trust stores might remove your CA, but several CAs today do issue unlogged certificates - and if you wanted to use those on a web server you would need to go log them and staple the proofs to your certs in the server configuration.

Most of the rules (the "Baseline Requirements" or BRs) are requirements and must be followed for all issued certificates, but the rule about logging deliberately doesn't work that way. The BRs do require that a CA can show us - if asked - everything about the certificates they issued, and these days for most CAs that's easiest accomplished by just providing links to the logs e.g. via crt.sh -- but that requirement could also be fulfilled by handing over a PDF or an Excel sheet or something.

reply
upvoteby krautsauer18 hours ago|
prev|
next
[-]
That may be related, but it's not what happened here. Wildcard-cert and all.
reply
upvoteby prmoustache13 hours ago|
prev|
next
[-]
Why would you care that your hostname on a local only domain is published to the world if it is not reachable from outside? Publicly available hosts are alread published to the world anyway through DNS.

LetsEncrypt doesn't make a difference at all.

reply
upvoteby thakoppno18 hours ago|
prev|
next
[-]
> the Internet is a bad place

FWIW - it’s made of people

reply
upvoteby TZubiri18 hours ago|
parent|
[-]
No, it's made by systems made by people, systems which might have grown and mutated so many times that the original purpose and ethics might be unrecognizable to the system designers. This can be decades in the case of tech like SMTP, HTTP, JS, but now it can be days in the era of Moltbots and vibecoding.
reply
upvoteby Spivak18 hours ago|
prev|
next
[-]
I like only getting *.domain for this reason. No expectation of hiding the domain but if they want to figure out where other things are hosted they'll have to guess.
reply
upvoteby ttoinou18 hours ago|
parent|
next
[-]
So how do you get this ?
reply
upvoteby rossy18 hours ago|
parent|
[-]
Let's Encrypt can issue wildcard certs too
reply
upvoteby hsbauauvhabzb17 hours ago|
parent|
prev|
[-]
That’s really not a great fix. If those hostnames leak, they leak forever. I’d be surprised if AV solutions and/or windows aren’t logging these things.
reply
upvoteby jesterson18 hours ago|
prev|
[-]
> If you use LetsEncrypt for ssl certs (which you should)

You meant you shouldn't right? Partially exactly for the reasons you stated later in the same sentence.

reply
upvoteby josh373617 hours ago|
parent|
[-]
Let's Encrypt has nothing to do with this problem (of Certificate Transparency logs leaking domain names).

CA/B Forum policy requires every CA to publish every issued certificate in the CT logs.

So if you want a TLS certificate that's trusted by browsers, the domain name has to be published to the world, and it doesn't matter where you got your certificate, you are going to start getting requests from automated vulnerability scanners looking to exploit poorly configured or un-updated software.

Wildcards are used to work around this, since what gets published is *.example.com instead of nas.example.com, super-secret-docs.example.com, etc — but as this article shows, there are other ways that your domain name can leak.

So yes, you should use Let's Encrypt, since paying for a cert from some other CA does nothing useful.

reply
upvoteby tialaramex4 hours ago|
parent|
next
[-]
Another big way you get scooped up, having worked in that industry among other things - is that anybody - internal staff, customers, that one sales guy who insists on using his personal iPhone to demo the product and everybody turns a blind eye because he made $14M in sales last year - calls some public DNS resolver and the public DNS server sells those names --- even though the name didn't "work" because it wasn't public.

They don't sell who asked because that's a regulatory nightmare they don't want, but they sell the list of names because it's valuable.

You might buy this because you're a bad guy (reputable sellers won't sell to you but that's easy to circumvent), because you're a more-or-less legit outfit looking for problems you can sell back to the person who has the problem, or even just for market research. Yes, some customers who own example.com and are using ZQF brand HR software won't name the server zqf.example.com but a lot of them will and so you can measure that.

reply
upvoteby jesterson17 hours ago|
parent|
prev|
[-]
Statistically amount of parasite scanning on LE "secured" domains is way more compared to purchased certficates. And yes, this is without voluntary publishing on LE side.

I am not entirely aware what LE does differently, but we had very clear observation in the past about it.

reply