GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    :debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse: (selea@social.linux.pizza)'s status on Monday, 06-Jan-2025 07:53:24 JST

    People have probably seen this before, and I have - but not to this extent.

    All certificates that are public are actually "streamed" to public databases, in line with regulations set by CAs, browsers and other vendors.

    What that means, is that if you issue (or buy) a certificate from a public CA - and you are only using it in an internal environment - people WILL know that you have a host with that particular CommonName somewhere.

    I've issued a couple of certificates today, and since I host my own authoritative DNS servers, I am able to fully trace the requests coming into my DNS zone.
    Immediately after I've issued said certificates, I see many requests arriving from all over the world, together with port scans and all that shit.
    And if you don't have an A record for that particular hostname, the port scans will go directly against @.
    All that from Cloud providers such as AWS, GCP, and shit.

    Fascinating.

    And if you want to check all the certificates that are issued, in real time, check out "certstream":

    https://certstream.calidog.io/

    #linux #infosec #security #letsencrypt

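The tracing described in the post above, as an added example that is not the poster's own tooling: a small Python script that correlates certificate issuance times with an authoritative name server's query log, reports which freshly issued names drew queries from several distinct sources within minutes, and flags issued names that have no A/AAAA record (the case where the follow-up port scans land on the zone apex). The log lines, zone contents, issuance times and client IPs are constructed for this example (documentation address ranges), and the BIND9-style query log line format is an assumption.

```python
"""Correlate fresh certificate issuance with the query burst that follows it
in an authoritative DNS query log, and flag issued names with no address record."""
from datetime import datetime, timedelta
import re

# Constructed BIND9-style query log lines (documentation IP ranges, not real traffic).
SAMPLE_QUERY_LOG = """\
06-Jan-2025 07:50:12.001 client @0x7f3a 198.51.100.7#53211 (www.example.net): query: www.example.net IN A +E(0)K (192.0.2.53)
06-Jan-2025 07:53:40.120 client @0x7f3b 203.0.113.10#41234 (vault-int.example.net): query: vault-int.example.net IN A +E(0)K (192.0.2.53)
06-Jan-2025 07:54:02.377 client @0x7f3b 203.0.113.10#41235 (vault-int.example.net): query: vault-int.example.net IN AAAA +E(0)K (192.0.2.53)
06-Jan-2025 07:54:15.900 client @0x7f3c 198.51.100.23#60011 (vault-int.example.net): query: vault-int.example.net IN A +E(0)K (192.0.2.53)
06-Jan-2025 07:55:03.004 client @0x7f3d 192.0.2.77#33001 (vault-int.example.net): query: vault-int.example.net IN A +E(0)K (192.0.2.53)
06-Jan-2025 07:55:40.210 client @0x7f3e 198.51.100.23#60012 (grafana-int.example.net): query: grafana-int.example.net IN A +E(0)K (192.0.2.53)
06-Jan-2025 08:20:00.000 client @0x7f3f 198.51.100.7#53300 (www.example.net): query: www.example.net IN A +E(0)K (192.0.2.53)
"""

# Constructed zone contents: owner name -> record types present.
SAMPLE_ZONE = {
    "example.net": {"A", "NS", "SOA"},
    "www.example.net": {"A"},
    "grafana-int.example.net": {"A"},
    "_acme-challenge.vault-int.example.net": {"TXT"},  # dns-01 challenge only, no host record
}

# Constructed issuance events: (hostname, time the CA logged the certificate).
SAMPLE_ISSUANCES = [
    ("vault-int.example.net", datetime(2025, 1, 6, 7, 53, 24)),
    ("grafana-int.example.net", datetime(2025, 1, 6, 7, 53, 24)),
]

# Assumed BIND9 query log layout: "<ts> client [@0x..] <ip>#<port> (<qname>): query: <qname> IN <qtype> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return a list of (timestamp, client_ip, qname, qtype); unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        out.append((ts, m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")))
    return out


def issuance_bursts(queries, issuances, window=timedelta(minutes=10), min_sources=3):
    """Issued names queried by at least `min_sources` distinct clients within
    `window` after issuance. Returns name -> {queries, sources, first_query_after_s}."""
    result = {}
    for name, issued_at in issuances:
        name = name.lower()
        hits = [q for q in queries if q[2] == name and issued_at <= q[0] <= issued_at + window]
        sources = {ip for _, ip, _, _ in hits}
        if hits and len(sources) >= min_sources:
            first = min(ts for ts, *_ in hits)
            result[name] = {
                "queries": len(hits),
                "sources": len(sources),
                "first_query_after_s": int((first - issued_at).total_seconds()),
            }
    return result


def names_without_address(issuances, zone):
    """Issued names with no A/AAAA record: lookups for them return NODATA or
    NXDOMAIN, so a scanner that only has the name falls back to the zone apex."""
    return sorted(
        name.lower() for name, _ in issuances
        if not ({"A", "AAAA"} & zone.get(name.lower(), set()))
    )


if __name__ == "__main__":
    queries = parse_query_log(SAMPLE_QUERY_LOG)
    for name, info in issuance_bursts(queries, SAMPLE_ISSUANCES).items():
        print(f"{name}: {info['sources']} distinct sources, {info['queries']} queries, "
              f"first one {info['first_query_after_s']}s after issuance")
    print("issued names with no address record (apex exposed):",
          names_without_address(SAMPLE_ISSUANCES, SAMPLE_ZONE))
```

With the constructed data, vault-int.example.net draws queries from three distinct clients starting 16 seconds after issuance, while grafana-int.example.net (one source) stays below the threshold; vault-int is also the name with no A/AAAA record. On a real server, feed it the actual query log and the issuance timestamps from the CA or from a CT feed such as certstream, and tune the window and source threshold to the zone's normal traffic.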
    • :debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse: (selea@social.linux.pizza)'s status on Monday, 06-Jan-2025 17:42:06 JST
      in reply to Niels K.

      @nielsk

      Wildcards are not a great solution I think.

    • Niels K. (nielsk@mastodon.social)'s status on Monday, 06-Jan-2025 17:42:07 JST

      @selea You can use a wildcard-certificate…

    • :debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse: (selea@social.linux.pizza)'s status on Monday, 06-Jan-2025 17:43:26 JST
      in reply to Francisco de la Peña

      @fdelapena

      It is a well-known fact for people who are interested in it.
      But unknown to most people in IT, sadly.

    • Francisco de la Peña (fdelapena@floss.social)'s status on Monday, 06-Jan-2025 17:43:27 JST

      @selea it's well-known that CT logs are used to attack freshly uploaded WordPress installers in seconds, so all that noise makes sense.

    • :debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse: (selea@social.linux.pizza)'s status on Tuesday, 07-Jan-2025 04:56:07 JST
      in reply to argv minus one

      @argv_minus_one

      I totally agree with this.

    • argv minus one (argv_minus_one@mastodon.sdf.org)'s status on Tuesday, 07-Jan-2025 04:56:08 JST

      @selea

      Also, if you use a public CA for your internal stuff, then your internal stuff is polluting a bunch of public databases, which seems impolite.

      I use a private CA and/or self-signed certificates for stuff like that.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.