Knowing that obscurity is no security, we decided anyway not to use Let's Encrypt any more.
The reason is that we don't want to have any single server we use listed on public pages.
A Let's Encrypt wildcard certificate doesn't work for us, because our DNS provider is not among the supported providers for automated renewal.
So, is there any way to get unlisted by Let's Encrypt immediately or successively?
And, does anybody know if https://crt.sh ever "forgets" an entry? I know, the internet never forgets...
Sorry for those stupid questions, but, like many users did, we just used Let's Encrypt without being clear about the impact and consequences. We are thankful for the great initiative and service of Let's Encrypt, but now it's over...
It's nothing to do with Let's Encrypt; all publicly-trusted certificates from all public CAs need to be published to Certificate Transparency logs in order for browsers to trust them. It's part of making sure that CAs have accountability for actually doing the job they've signed up for.
Chrome and Safari require CT data embedded in certificates. Firefox currently does not. If you are able to find a CA that will issue a certificate with public CT submission, it is effectively worthless as it will not work on any Apple or Google device natively.
CT logs only contain the domain name. They do not include IP addresses.
Clearly, that's your decision to make. But the general consensus of the wider internet security apparatus would disagree which is why it's required for all publicly trusted CAs as previously mentioned.
Unless you only use IPv6, all IPv4 addresses are scanned more than once a day [on all 64K ports].
Regardless of a DNS entry or certificate name that was found pointing to it.
Security through obscurity is not an option in 2022.
Once again:
I understand and like the idea of Certificate Transparency. I never said anything against that. Everything is fine with that.
But pulling a certificate for every single service and getting listed with that service, searchable by your domain name, is a price you have to be willing to pay, and you get a certificate for free.
And if you are not willing to pay that price, choose a wildcard certificate.
First of all, you don't have to quote me, I already said, obscurity is no security.
Unless you only use IPv6, all IPv4 addresses are scanned more than once a day [on all 64K ports].
Regardless of a DNS entry or certificate name that was found pointing to it.
All our services searchable by our domain name, directly targetable, web servers answering requests because of the correct hostname, and so on... This is much more than randomly scanning the whole IPv4 address space on all 64K ports without knowing who the owner of that server is.
If somebody wants to attack us, us and not anybody, this is very straightforward if we pull a certificate for every single service.
And once again, I already understood the sense of CT, this has to be that way, everything is OK with that.
The topic title starts with "Get certificates unlisted"
Which is clearly NOT possible.
Then it twists and turns and is somewhat hard to understand clearly - at least for my feeble mind.
There would be a lot of recon before that would happen.
And most likely attack surface would be email - how many of your company email addresses can be found online?
How big of an attack surface is that?
I didn't mean to imply that.
I meant: Not providing the real site name isn't much, if any, of a security increase.
I would not sleep at night if that was something I had to rely on.
As an example of how my thoughts go on this "subject":
If I wanted to attack a company [which is something I would never do - but it pays (well) to think like a "bad guy"].
I would look for the weak link in the (supply) chain.
Once embedded into any of those "partner" systems, one can scour their emails for anything related to the actual target company: links to "unlisted" sites, usernames/passwords, VPN/FW rule access from their trusted (infected) partners.
Exploiting "trust" can usually get a lot further than a direct frontal (site) assault.
In case the point got missed:
You can delegate the required DNS TXT record to any other DNS system on the Internet.
[including a DNS server that you operate yourself - if you are anywhere near as paranoid as I am, you would be running all your DNS yourself - I do]
That means, even with whatever (lousy) DSP, you can still use DNS-01 authentication and obtain wildcard certs and renew them automatically.
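To make the delegation mechanism concrete, here is an added example that is not part of the thread above: it computes the TXT value a CA expects for an ACME DNS-01 challenge (RFC 8555 section 8.4, using the RFC 7638 account-key thumbprint) and simulates the CA-side lookup over two constructed zones, one at a DNS provider that only holds a static CNAME for `_acme-challenge.example.com`, and one on a self-hosted DNS server where the ACME client actually writes the record. The token, the EC account key, the names `example.com` and `acme.dns.example.net`, and the zone contents are all assumptions chosen for the example; no real CA, key or DNS query is involved.

```python
"""Simulated ACME DNS-01 validation with _acme-challenge delegated via CNAME.

Added example, not code from the thread or from any ACME client. The CA resolver
follows the CNAME at the provider-hosted name and reads the TXT at the target, so
the client only ever needs write access to the zone it controls itself.
"""
import base64
import hashlib
import json

# Constructed example inputs (not a real account key or challenge token).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME (RFC 8555 section 7.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value expected at _acme-challenge.<domain>: base64url(SHA-256(token '.' thumbprint)).

    For a wildcard name (*.example.com) the validation name is the same
    _acme-challenge.example.com, so one delegated CNAME covers both.
    """
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def lookup_txt(name: str, records: dict, max_hops: int = 8) -> list:
    """Toy resolver: follow CNAMEs the way a CA's recursive resolver does, return TXT values."""
    for _ in range(max_hops):
        rrset = records.get(name.lower().rstrip(".") + ".", [])
        cnames = [v for t, v in rrset if t == "CNAME"]
        if cnames:
            name = cnames[0]  # a name with a CNAME has no other data; keep following
            continue
        return [v for t, v in rrset if t == "TXT"]
    raise RuntimeError("CNAME chain too long")


def ca_validates(domain: str, token: str, jwk: dict, records: dict) -> bool:
    """Return True if any TXT reachable from _acme-challenge.<domain> matches the expected value."""
    expected = dns01_txt_value(token, jwk)
    return expected in lookup_txt(f"_acme-challenge.{domain}", records)


def example_zones(txt_value: str) -> dict:
    """Two constructed zones (assumed names). Only the second one is ever modified by the client."""
    return {
        # Provider-hosted zone with no usable API: one static CNAME, created once by hand.
        "_acme-challenge.example.com.": [("CNAME", "example.com.acme.dns.example.net.")],
        # Self-hosted zone: the rotating challenge record lives here.
        "example.com.acme.dns.example.net.": [("TXT", txt_value)],
    }


if __name__ == "__main__":
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print("TXT to publish in the delegated zone:", value)
    print("CA validation succeeds:", ca_validates("example.com", TOKEN, ACCOUNT_JWK, example_zones(value)))
```

The same shape is what real clients implement when you point them at the delegated zone (acme.sh calls it a challenge alias, certbot via a hook script); the CNAME at the provider never changes, so the provider needs no API support at all.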