SSL/TLS Certificates Can Be Public

If you read my first post on this topic, "Well, hello there.", then you know I was trying to figure out how random hosts were finding my brand-new domain names that nobody knew about. I would see traffic hitting the web servers within minutes of the server spinning up.

Then I thought I had figured it out with my discovery of ICANN’s Centralized Zone Data Service (CZDS), which I wrote about in "The lists are out there.". I was so confident I had it all figured out.

Well… it turns out there is yet another very likely way this is happening: Certificate Transparency logs.

Certificate Transparency is a framework, in use since around 2013, that requires publicly trusted SSL/TLS certificates to be recorded in public, append-only, cryptographically verifiable logs. The purpose is good: it lets domain owners, browser vendors, and security researchers detect certificates that were mis-issued or issued maliciously.

The side effect is that certificate issuance itself can expose domain names.

So, if you’re like me and use a CA like Let’s Encrypt, or a service like Cloudflare that obtains certificates for you, every certificate issued for your domain is logged, and those logs are searchable by anyone. That is another way your domain name can become visible. It applies equally to certificates issued for subdomains, because every hostname the certificate covers is written into it and therefore into the log entry.

In other words, if you have ever thought about creating an obscure subdomain to host private pages that do not strictly need to be secured, but that you also do not want publicized… don’t rely on that. Requesting a certificate for that subdomain effectively announces that it exists.

Not that anyone would ever do such a thing…😳
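To make the exposure concrete, here is an added example (not from the original post) that builds two self-signed certificates with Go's standard library and checks which hostnames each one would reveal if a CA logged it: one naming an explicit subdomain, the other using a wildcard, which covers the same host without spelling it out. The hostnames are constructed for the example; nicos.tips is the domain from the post, and "secret-notes" stands in for a private subdomain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// issueCert builds a self-signed certificate carrying dnsNames in its Subject
// Alternative Name extension; a public CA would log exactly these names.
func issueCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leaksHost reports whether a CT log entry for cert would spell out host.
// A wildcard SAN still secures the host for TLS without naming it publicly.
func leaksHost(cert *x509.Certificate, host string) bool {
	for _, name := range cert.DNSNames {
		if name == host {
			return true
		}
	}
	return false
}

func main() {
	// Constructed hostnames; "secret-notes" stands in for a private subdomain.
	explicit, _ := issueCert([]string{"nicos.tips", "secret-notes.nicos.tips"})
	wildcard, _ := issueCert([]string{"nicos.tips", "*.nicos.tips"})
	fmt.Println("explicit SANs:", explicit.DNSNames, "names subdomain:", leaksHost(explicit, "secret-notes.nicos.tips"))
	fmt.Println("wildcard SANs:", wildcard.DNSNames, "names subdomain:", leaksHost(wildcard, "secret-notes.nicos.tips"))
}
```

The apex domain still appears in the wildcard certificate's log entry, so a wildcard hides only the subdomain, not the fact that the domain exists.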

This video does a great job explaining the “why” behind Certificate Transparency logs:

Here’s a top-class site that lets you search recent Certificate Transparency logs for a domain name:

https://www.certkit.io/tools/ct-logs/?query=nicos.tips
