Kikawala | 1 year ago

Is it available under HTTPS? Then it's probably in a Certificate Transparency log.

govideo|1 year ago

Yes, HTTPS via Cloudflare's automatic HTTPS. Thanks for the info.

snailmailman|1 year ago

Yeah, this is a surprisingly little-known fact: all certs being logged means all subdomain names get logged.

Wildcard certs can hide the subdomains, but then your cert works on all subdomains. This could be an issue if the certs get compromised.

Usually there isn’t sensitive information in subdomain names, but I suspect it often accidentally leaks information about infrastructure setups. "vaultwarden.example.com" existing tells you someone is probably running a vaultwarden instance, even if it’s not publicly accessible.

The same kind of info can leak via DNS records too, I think?

thisisgvrt|1 year ago

Automated agents can tail the certificate log to discover new domains as the certs are issued. But if you want to explore subdomains manually, https://crt.sh/ is a nice tool.
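
An added example, not part of any comment in this thread: a defender's audit of which hostnames under a domain you own are already public through Certificate Transparency, separating explicitly logged names from wildcard entries. It assumes records in the JSON shape crt.sh returns (`name_value` with newline-separated names, `not_before`); the sample records and the `WATCHLIST` labels are constructed for illustration.

```python
import json

# Constructed sample shaped like crt.sh JSON output for a domain you own.
SAMPLE = """[
 {"name_value": "example.com\\nwww.example.com", "not_before": "2024-03-01T00:00:00"},
 {"name_value": "vaultwarden.example.com", "not_before": "2024-05-11T00:00:00"},
 {"name_value": "vaultwarden.example.com", "not_before": "2024-02-10T00:00:00"},
 {"name_value": "*.dev.example.com", "not_before": "2024-04-02T00:00:00"},
 {"name_value": "notexample.com", "not_before": "2024-01-05T00:00:00"}
]"""

# Hypothetical first labels that reveal what a host runs (assumption, tune per site).
WATCHLIST = {"vaultwarden", "vpn", "staging"}


def first_seen(entries, apex):
    """Map each logged name under `apex` to the earliest not_before seen for it."""
    apex = apex.lower().rstrip(".")
    seen = {}
    for entry in entries:
        # One certificate can carry several names, one per line.
        for raw in entry["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")
            # Match on a label boundary so "notexample.com" is not counted.
            if name != apex and not name.endswith("." + apex):
                continue
            # ISO 8601 timestamps compare correctly as strings.
            if name not in seen or entry["not_before"] < seen[name]:
                seen[name] = entry["not_before"]
    return seen


def audit(entries, apex, watchlist=WATCHLIST):
    """Split logged names into explicit and wildcard; flag revealing labels."""
    seen = first_seen(entries, apex)
    explicit = sorted(n for n in seen if not n.startswith("*."))
    return {
        "explicit": explicit,  # these hostnames are public knowledge
        "wildcard": sorted(n for n in seen if n.startswith("*.")),
        "revealing": {n: seen[n] for n in explicit
                      if n.split(".")[0] in watchlist},
    }


if __name__ == "__main__":
    for key, value in audit(json.loads(SAMPLE), "example.com").items():
        print(key, value)
```

Names listed under `revealing` have been public since the printed date, so renaming the host afterwards does not remove the earlier log entry.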

yatralalala|1 year ago

If you're using infra in a [Cloudflare -> your VM] way, I'd recommend setting the firewall on the VM so that it can be accessed only from Cloudflare.

This way, you will force everyone to go through Cloudflare and utilize all those fancy bot blocking features they have.