top | item 46897501

(no title)

mixedbit | 25 days ago

I have investigated similar situation on Heroku. Heroku assigns a random subdomain suffix for each new app, so URLs of apps are hard to guess and look like this: test-app-28a8490db018.herokuapp.com. I have noticed that as soon as a new Heroku app is created, without making any requests to the app that could leak the URL via a DNS lookup, the app is hit by requests from automatic vulnerability scanning tools. Heroku confirmed that this is due the new app URL being published in certificate authority logs, which are actively monitored by vulnerability scanners.

discuss

adolph|25 days ago

> certificate authority logs, which are actively monitored by vulnerability scanners

That sounds like a large kick-me sign taped to every new service. Reading how certificate transparency (CT) works leads me to think that there was a missed opportunity to publish hashes to the logs instead of the actual certificate data. That way a browser performing a certificate check can verify in CT, but a spammer can't monitor CT for new domains.

https://certificate.transparency.dev/howctworks/

wlonkly|24 days ago

I think it was more of an intentional tradeoff, as one of the many goals of CT logs was to allow domain owners to discover certificates issued for their domains, or more generally for any interested party to audit the activity of a certificate authority.

What you're describing there is certificate... translucency, I guess?

nightpool|25 days ago

Really? Is that new? My apps use wildcard domains: https://i.postimg.cc/SQ82S0Dp/image.png

mixedbit|24 days ago

This applies only to Heroku Fir and Cedar apps (apps that run in Heroku Private Spaces). Heroku Common Runtime apps still use shared wildcard certificate and their domains are not discoverable like this.