Slashdot Mirror


The Dark Side of Certificate Transparency (sans.edu)

Slashdot reader UnderAttack writes: Certificate Transparency is a system promoted by companies like Google that requires certificate authorities to publish a log of all certificates issued. With certificate transparency, you can search these logs for any of the domains you own, to find unauthorized certificates. However, certificates are not only used for public sites. And with all certificates being published, some include host names that are not meant to be publicly known. An update of the standard is in the works to allow entities to obfuscate the host name, but until then, certificate transparency logs are a good recognizance source.
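The log search described in the summary, seen from the domain owner's side, as an added example that is not part of the original post or its comments: it filters CT search results for owned domains, flags certificates from issuers that are not on an approved list, and lists logged names that reveal internal hosts. The record layout, issuer names, labels and domains are all constructed assumptions.

```python
# Added example: audit CT search results for domains you own.
# Field names ("id", "issuer", "names") and every value are assumptions.

OWNED = {"example.com"}
APPROVED_ISSUERS = {"Example Trusted CA"}   # CAs the organisation really uses
INTERNAL_LABELS = {"vpn", "test", "staging", "intranet", "backup"}

# Constructed sample entries, shaped like rows from a CT log search.
ENTRIES = [
    {"id": 1, "issuer": "Example Trusted CA", "names": ["www.example.com", "example.com"]},
    {"id": 2, "issuer": "Example Trusted CA", "names": ["vpn.example.com"]},
    {"id": 3, "issuer": "Unknown Issuing CA", "names": ["login.example.com"]},
    {"id": 4, "issuer": "Unknown Issuing CA", "names": ["www.notexample.com"]},
    {"id": 5, "issuer": "Example Trusted CA", "names": ["*.staging.example.com"]},
]

def strip_wildcard(name):
    """Normalise a logged name: lower case, no trailing dot, no '*.' prefix."""
    name = name.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def owned_by_us(name, owned=OWNED):
    """True if name is an owned domain or a subdomain of one.
    Matching on '.' + domain keeps 'notexample.com' from matching."""
    name = strip_wildcard(name)
    return any(name == d or name.endswith("." + d) for d in owned)

def audit(entries, owned=OWNED, approved=APPROVED_ISSUERS, internal=INTERNAL_LABELS):
    """Return (unauthorized_ids, exposed_names) for entries covering our domains."""
    unauthorized, exposed = [], set()
    for entry in entries:
        ours = [n.lower() for n in entry["names"] if owned_by_us(n, owned)]
        if not ours:
            continue                      # certificate is for someone else's domain
        if entry["issuer"] not in approved:
            unauthorized.append(entry["id"])   # issued by a CA we never asked
        for name in ours:
            if internal & set(strip_wildcard(name).split(".")):
                exposed.add(name)         # internal-looking host is now public
    return unauthorized, sorted(exposed)

if __name__ == "__main__":
    bad, leaked = audit(ENTRIES)
    print("unapproved issuer, entry ids:", bad)
    print("internal-looking names in the log:", leaked)
```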

12 of 62 comments

  1. recognizance ?! by Anonymous Coward · · Score: 3, Insightful

    I don't think you know what that word means!

  2. Stupid by Anonymous Coward · · Score: 2, Informative

    This is stupid. Transparency is good. Don't rely on security through obscurity. If that's your method to keep secrets, you deserve what you get. There's no legitimate reason why you should have a secret hostname that's not otherwise secured, if you don't want people accessing it.

  3. Hostname leaks and internal CA by plsuh · · Score: 5, Insightful

    1) Hostnames leak all the time. A client will make a DNS request and the name becomes known even if it is not resolvable on the public Internet.

    2) If you really care that much, run an internal CA. Lots of ways to do it, most server OS's have built-in or easily available internal CA software.

    Keeping a hostname out of the certificate log is pretty much pointless security by obscurity.

    1. Re:Hostname leaks and internal CA by dmbasso · · Score: 2

      Very well said. I have no mod points, so here's my virtual +1.

      --
      `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
    2. Re:Hostname leaks and internal CA by ErikTheRed · · Score: 3, Interesting

      Exactly. We use an internal CA (there are several good ones out there like EJBCA) for all of our private internal hosts.

      --

      Help save the critically endangered Blue Iguana
    3. Re:Hostname leaks and internal CA by TheRaven64 · · Score: 4, Insightful

      The second point doesn't make a difference. If your clients support certificate transparency, then they will publish any server certs that they come across. It doesn't matter what the cert is. The real point, however, is that if the machine should not be routable from outside of your network, then you should not make it routable from off your network. Assuming that the hostname (or IP) is secret is silly.

      --
      I am TheRaven on Soylent News
  4. solving the wrong problem by lkcl · · Score: 2

    y'know... it occurs to me that seeing CENTRALISED trust mechanisms break down really is no surprise, at all. it's a simple mathematical equation which can be explored by doing e^(1/N) * N where you increase N, then make a tiny *tiny* change in the 1/N value. so E^(1/100,010) * 100,000 for example is drastically divergent from E^(1/100,000) / 100,000. point being: the more you CENTRALISE trust, the greater the chance of it being violated (exponentially greater)

    solving this will take moving away from CENTRALISED trust to DECENTRALISED trust. does anyone remember keynote (an IETF RFC), or advogato, or even the moderation system behind slashdot, and how effective those are? we really really need to start moving to things like blockchain. as in, don't arse about expecting the incumbents to move to blockchain (because they have financial incentives not to do so) - just move to blockchain-based SSL Certificates.

    1. Re:solving the wrong problem by lkcl · · Score: 3, Informative

      huh. like this. how about that - someone's already done it. https://github.com/okTurtles/d...

  5. If the host name should not be publicly known by drolli · · Score: 2

    then you should not need any certificate from any CA but yourself.

  6. Security through obscurity of internal domain name? by Wrath0fb0b · · Score: 4, Informative

    Seriously, does this bozo think that there is any security benefit if an attacker doesn't know your internal domain names? What in the world does that buy?

    PS. Editors: reconnaissance != recognizance. Holy hell what a train wreck.

  7. Certificate Transparency? by fustakrakich · · Score: 2, Insightful

    Don't you think that Certificate Security would be the priority?

    > An update of the standard is in the works to allow entities to obfuscate the host name..

    So now the whole idea becomes entirely useless, aside from the public relations.

    Certificates are cookies, just another word with more syllables and some different letters.

    --
    “He’s not deformed, he’s just drunk!”
  8. Perhaps I'm missing something... by SvnLyrBrto · · Score: 4, Insightful

    ... in my pre-coffee state. But:

    > vpn.miltonsandfordwines.com
    > upstest2.managehr.com
    > mail.backup-technology.co.uk

    How exactly is the knowledge of the existence of any of these domains a problem? Just about any given domain can be assumed to have a mail.whatever.com subdomain. Internal testing domains are internal and, if they're ever publicly routable at all, are only opened up for the duration of the test and then closed down again. And just the knowledge of a VPN address should never be enough. At the very least you also need a valid username/password. You probably need a 2-factor token. And you possibly need a client certificate of your own to access it.

    I'm failing to see any "dark side" here.

    --
    Imagine all the people...