The Dark Side of Certificate Transparency (sans.edu)
Slashdot reader UnderAttack writes: Certificate Transparency is a system promoted by companies like Google that requires certificate authorities to publish a log of all certificates issued. With certificate transparency, you can search these logs for any of the domains you own, to find unauthorized certificates. However, certificates are not only used for public sites. And with all certificates being published, some include host names that are not meant to be publicly known. An update of the standard is in the works to allow entities to obfuscate the host name, but until then, certificate transparency logs are a good recognizance source.
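The summary above describes the defensive use of Certificate Transparency: search the logs for the domains you own and look for certificates you did not expect. The script below is an added example, not code from the post or from sans.edu, showing what such a check looks like in practice. It runs over a constructed set of CT records whose field names (`issuer_name`, `name_value`) are modelled on what CT search services return and are an assumption of this example; the domains, issuers and dates are made up. It flags two things: a certificate for one of your domains issued by a CA you do not use (a possible unauthorized certificate), and a hostname that appears in the public log but is not in your inventory (the exposure the summary is worried about). Wildcard names are treated as exposing no hostname, which is one reason to prefer them for systems that should not be enumerable from the log.

```python
"""Added example: audit Certificate Transparency records for domains you own.

SAMPLE_CT_RECORDS is constructed sample input. Its shape (one JSON object per
logged certificate with an issuer string and a newline-separated name list)
is an assumption of this example, not a documented API.
"""
import json

# Constructed sample data: made-up domains, issuers and dates.
SAMPLE_CT_RECORDS = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.test\nexample.test",
     "not_before": "2024-01-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example Internal CA, CN=Corp Issuing CA",
     "name_value": "vpn-test.example.test",
     "not_before": "2024-02-01T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Issuing CA 7",
     "name_value": "mail.example.test",
     "not_before": "2024-03-05T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.test",
     "not_before": "2024-03-09T00:00:00"},
])


def parse_records(raw_json):
    """Turn the JSON text into a list of (cert_id, issuer, [names]) tuples."""
    out = []
    for rec in json.loads(raw_json):
        names = [n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()]
        out.append((rec["id"], rec["issuer_name"], names))
    return out


def covers_owned_domain(name, owned_domains):
    """True if the certificate name is an owned domain or a subdomain of one."""
    bare = name[2:] if name.startswith("*.") else name
    return any(bare == d or bare.endswith("." + d) for d in owned_domains)


def audit(raw_json, owned_domains, approved_issuers, known_hosts):
    """Return a list of (cert_id, finding_kind, detail) for records that
    touch an owned domain and either come from an unapproved issuer or
    publish a hostname that is not in the inventory."""
    findings = []
    for cert_id, issuer, names in parse_records(raw_json):
        relevant = [n for n in names if covers_owned_domain(n, owned_domains)]
        if not relevant:
            continue  # somebody else's certificate; ignore
        # Issuer check: an approved issuer is identified by a substring of
        # its distinguished name, e.g. "O=Let's Encrypt".
        if not any(a in issuer for a in approved_issuers):
            findings.append((cert_id, "unapproved-issuer", issuer))
        # Exposure check: every non-wildcard name now sits in a public log.
        for n in relevant:
            if n.startswith("*."):
                continue  # wildcard reveals no individual hostname
            if n not in known_hosts:
                findings.append((cert_id, "unlisted-hostname", n))
    return findings


if __name__ == "__main__":
    results = audit(
        SAMPLE_CT_RECORDS,
        owned_domains={"example.test"},
        approved_issuers={"O=Let's Encrypt", "O=Example Internal CA"},
        known_hosts={"example.test", "www.example.test", "mail.example.test"},
    )
    for cert_id, kind, detail in results:
        print(f"cert {cert_id}: {kind}: {detail}")
```

On the sample data this reports certificate 2 for exposing `vpn-test.example.test`, a name the inventory does not list, and certificate 3 for being issued by a CA outside the approved set; the wildcard certificate 4 produces no finding. In a real deployment the `known_hosts` set would be the hostnames you are prepared to see in public, so anything the audit reports is either a certificate to investigate or a name that should have been covered by a wildcard or an internal CA.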
I don't think you know what that word means!
1) Hostnames leak all the time. A client will make a DNS request and the name becomes known even if it is not resolvable on the public Internet.
2) If you really care that much, run an internal CA. Lots of ways to do it, most server OS's have built-in or easily available internal CA software.
Keeping a hostname out of the certificate log is pretty much pointless security by obscurity.
huh. like this. how about that - someone's already done it. https://github.com/okTurtles/d...
Seriously, does this bozo think that there is any security benefit if an attacker doesn't know your internal domain names? What in the world does that buy?
PS. Editors: reconnaissance != recognizance. Holy hell what a train wreck.
... in my pre-coffee state. But:
> vpn.miltonsandfordwines.com
> upstest2.managehr.com
> mail.backup-technology.co.uk
How exactly is the knowledge of the existence of any of these domains a problem? Just about any given domain can be assumed to have a mail.whatever.com subdomain. Internal testing domains are internal and, if they're ever publicly routable at all, are only opened up for the duration of the test and then closed down again. And just the knowledge of a VPN address should never be enough. At the very least you also need a valid username/password. You probably need a 2-factor token. And you possibly need a client certificate of your own to access it.
I'm failing to see any "dark side" here.
Imagine all the people...