letsencrypt / website

Let's Encrypt Website and Documentation
https://letsencrypt.org
Mozilla Public License 2.0

Better explain that HTTP-01/TLS-ALPN-01 challenges do not provide obscurity due to Certificate Transparency #1694

Closed pimlie closed 3 months ago

pimlie commented 3 months ago

Why

Certificate Transparency is actively being monitored by various organizations (I have noticed at least 3), most seem to be friendly but the CT could also be used by malicious actors to monitor for the existence of domains. Looking at my logs I see at least one request / IP address for which it's unclear who it belongs to and who is scanning for a WordPress admin setup file.

This is def. a me issue, but until yesterday I wasn't even aware that CT existed and can be freely/publicly read. So I wrongly assumed that my subdomains were somewhat secure by being obscure (i.e. I thought nobody knew about them besides me), hence my surprise when I noticed that those subdomains for internal use were immediately scanned by a third party after renewing my certificates.

This can also be an issue for domains used for development, which often are less secure or at least prone to bigger security issues than production domains.

How

I would suggest adding the CT and the lack of obscurity to the Cons for HTTP-01 and TLS-ALPN-01 challenges on the https://letsencrypt.org/docs/challenge-types/ page.

As far as I understand CT, it might be beneficial to use DNS-01 challenges if you want your (sub)domains to be obscured a bit? So it could also be added as a Pro for DNS-01 challenges I guess.

aarongable commented 3 months ago

Using DNS-01 challenge does not protect your subdomain from being listed in CT logs -- all certificates are published to CT regardless of validation method used, so all names included in those certificates are public knowledge.

If you want to hide subdomains, you need to get a wildcard certificate. It is true that you must use the DNS-01 challenge in order to validate a wildcard certificate. But it is not the DNS-01 challenge itself that is somehow hiding the existence of specific subdomains, it is the use of a wildcard certificate.

pimlie commented 3 months ago

Ok, thanks guess I overlooked that. But why close this issue instead of expanding it to add that clarification you made?

Although obscurity is not security, I feel it should at minimum be widely known that any time you request a certificate for a specific (sub)domain that (sub)domain will be publicly logged in the CT. I might be overlooking things (and apologies if I am), but I can't see any such warning already being given in the docs.

pgporada commented 3 months ago

The only place I can find where we discuss CT, aside from blog posts we've written, is our CP/CPS.

I can draft some text to add to the privacy policy, the FAQ, and How It Works.

Edit: I forgot about our CT logs page.

pimlie commented 3 months ago

Awesome @pgporada, thanks for the changes! The puzzle pieces were indeed already available but users had to put those together themselves. After your changes the biggest part of the puzzle has already been made for users in the FAQ 😸

The only thing that could maybe be clarified still is the final puzzle piece about wildcard DNS certificates, i.e. that using those is the only way to keep your (sub)domains 'obscured' as with a wildcard DNS the (sub)domains can't be extracted individually from the CT logs. I guess that should already be logical, but might be good to explicitly mention?

Thanks again for the quick changes!
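The two points made in this thread (a CT log publishes every name in a certificate's Subject Alternative Name extension regardless of the challenge used, and a wildcard certificate is the only way to keep individual hostnames out of that list) can be checked locally. The following Go program is an added example and is not code from the Let's Encrypt project: it builds two self-signed certificates with constructed names under the reserved documentation domain example.com, standing in for CA-issued certificates (the SAN list a CT log records is the same in both cases), and shows which hostnames a CT monitor could read out of each.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildCert creates a self-signed certificate whose Subject Alternative Name
// extension lists dnsNames. It stands in for a CA-issued certificate here:
// the SAN list is the part a CT log publishes, and it is identical in both.
func BuildCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NamesVisibleInCT returns the DNS names a CT monitor reads straight out of
// the certificate's SAN extension; once logged, these are public knowledge.
func NamesVisibleInCT(cert *x509.Certificate) []string {
	return cert.DNSNames
}

// IsNameListed reports whether host appears verbatim in the certificate,
// i.e. whether a CT search for that exact hostname would surface it.
func IsNameListed(cert *x509.Certificate, host string) bool {
	for _, n := range cert.DNSNames {
		if n == host {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample names; any hostnames would do.
	explicit, err := BuildCert([]string{"example.com", "dev.example.com", "internal.example.com"})
	if err != nil {
		panic(err)
	}
	wild, err := BuildCert([]string{"example.com", "*.example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("per-host certificate exposes:", NamesVisibleInCT(explicit))
	fmt.Println("wildcard certificate exposes: ", NamesVisibleInCT(wild))
	for _, c := range []*x509.Certificate{explicit, wild} {
		fmt.Printf("dev.example.com findable by name: %v\n", IsNameListed(c, "dev.example.com"))
	}
}
```

The per-host certificate lists dev.example.com and internal.example.com verbatim, so a CT monitor learns both the moment the certificate is logged; the wildcard certificate only reveals that names under example.com exist. Note that the wildcard hides the hostname from the CT log alone: DNS, the server's own logs and any other public reference can still disclose it, so it should not be relied on as a security control.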