Get certificates unlisted

Hello,

Knowing that obscurity is no security, we decided anyway to not use Let's Encrypt any more.
The reason is that we don't want to have any single server we use listed on public pages.
A Let's Encrypt wildcard certificate doesn't work for us, because our DNS provider is not among the supported providers for automated renewal.

So, is there any way to get unlisted by Let's Encrypt immediately or successively?
And, does anybody know if https://crt.sh ever “forgets” an entry? I know, the internet never forgets...

Sorry for those stupid questions, but, like many users did, we just used Let's Encrypt without being clear about the impact and consequences. We are thankful for the great initiative and service of Let's Encrypt, but now it's over...

Hi @enc92924
Here are a couple of links on Certificate Transparency

6 Likes

It's nothing to do with Let's Encrypt; all publicly-trusted certificates from all public CAs need to be published to Certificate Transparency logs in order for browsers to trust them. It's part of making sure that CAs have accountability for actually doing the job they've signed up for.

8 Likes

Hello,

thanks for making that clear. One more reason to use wildcard certificates.

2 Likes

No.

They do not.

You can use acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely), which is the recommended best practice for DNS authorization. See A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation | Electronic Frontier Foundation.

Chrome and Safari require CT data embedded in Certificates. Firefox currently does not. If you are able to find a CA that will issue a Certificate with public CT submission, it is effectively worthless as it will not work on any Apple or Google device natively.

CT logs only contain the domain name. They do not include IP addresses.

8 Likes

Be aware that with Let's Encrypt you need to use the DNS-01 Challenge Type

7 Likes

Yes, I already understood.
And being listed with a wildcard certificate is absolutely not the problem.

CT logs only contain the domain name. They do not include IP addresses

But being listed with every single server's or service's hostname, that's more information than necessary.

Clearly, that's your decision to make. But the general consensus of the wider internet security apparatus would disagree, which is why it's required for all publicly trusted CAs, as previously mentioned.

10 Likes

Unless you only use IPv6, all IPv4 addresses are scanned more than once a day [on all 64K ports].
Regardless of a DNS entry or certificate name that was found pointing to it.

Security through obscurity is not an option in 2022.

8 Likes

Once again:
I understand and like the idea of Certificate Transparency. I never said anything against that. Everything is fine with that.

But pulling a certificate for every single service and getting listed with that service, searchable by your domain name, is a price you have to be willing to pay, and you get a certificate for free.

And if you are not willing to pay that price, choose a wildcard certificate.

That also happens with paid certificates
[CT is not only for FREE certs/CAs]

Two things are being intertwined here:

  • free/paid certs
  • FQDN/wildcard certs

They are not interrelated.

8 Likes

First of all, you don't have to quote me; I already said obscurity is no security.

Unless you only use IPv6, all IPv4 addresses are scanned more than once a day [on all 64K ports].
Regardless of a DNS entry or certificate name that was found pointing to it.

All our services searchable by our domain name, directly targetable, webservers answering requests because of the correct hostname, and so on... This is much more than randomly scanning the whole IPv4 address space on all 64K ports without knowing who the owner of that server is.

If somebody wants to attack us, us, not anybody, this is very straightforward if we pull a certificate for every single service.

And once again, I already understood the sense of CT, this has to be that way, everything is OK with that.

But anyway.

It is used for all readers [not just you].
It points to what is being discussed below - without which some readers may get lost in the mix.

7 Likes

I know that. And that's not the point.

Then I apologize as I have missed the point :frowning:

The topic title starts with "Get certificates unlisted"
Which is clearly NOT possible.
Then it twists and turns and is somewhat hard to understand clearly - at least for my feeble mind.

6 Likes

That's the point.

There would be a lot of recon before that would happen.
And the most likely attack surface would be email - how many of your company email addresses can be found online?
How big of an attack surface is that?

6 Likes

The OP was answered with jvanascos's answer. I didn't start the discussion.

I never said, there are no other vectors.

I didn't mean to imply that.
I meant: Not providing the real site name isn't much, if any, of a security increase.
I would not sleep at night if that was something I had to rely on.

As an example of how my thoughts go on this "subject":
If I wanted to attack a company [which is something I would never do - but it pays (well) to think like a "bad guy"].
I would look for the weak link in the (supply) chain.
Once embedded into any of those "partner" systems, one can scour their emails for anything related to the real attack company. Links to "unlisted" sites, usernames/passwords, VPN/FW rule access from their trusted (infected) partners.
Exploiting "trust" can usually get a lot further than a direct frontal (site) assault.

Trust, but verify!
LOL

6 Likes

In case the point got missed:
You can delegate the required DNS TXT record to any other DNS system on the Internet.
[including a DNS server that you operate yourself - if you are anywhere near as paranoid as I am, you would be running all your DNS yourself - I do]
That means, even with whatever (lousy) DSP, you can still use DNS-01 authentication and obtain wildcard certs and renew them automatically.

7 Likes
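To make the delegation described in the post concrete, here is an added example (not from the thread or from any ACME client) that simulates what a CA's validator sees: the provider's zone holds only a CNAME for `_acme-challenge`, the TXT record lives in a zone you control, and the validator follows the CNAME before comparing the TXT value with the RFC 8555 key authorization digest. All names, the token and the JWK thumbprint are constructed.

```python
"""Simulate DNS-01 validation with the challenge record delegated by CNAME.
Constructed example: zone names, token and thumbprint are made up."""
import base64
import hashlib

# Hypothetical target zone name in a DNS system you control (e.g. acme-dns).
DELEGATED_NAME = "9c2d1e.auth.acme-dns.example.net."


def key_authorization_digest(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value is the unpadded base64url of
    SHA-256(token '.' JWK thumbprint)."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_zones(txt_value: str) -> dict:
    """Constructed zone data. The (limited) provider zone for example.com
    needs nothing but a CNAME; the TXT is published in the delegated zone."""
    return {
        "_acme-challenge.example.com.": [("CNAME", DELEGATED_NAME)],
        DELEGATED_NAME: [("TXT", txt_value)],
    }


def resolve_txt(name: str, zones: dict, max_hops: int = 8) -> list:
    """Follow CNAMEs the way a resolver does, then return the TXT strings.
    A hop limit guards against CNAME loops in misconfigured zones."""
    for _ in range(max_hops):
        rrset = zones.get(name, [])
        cnames = [target for rtype, target in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [value for rtype, value in rrset if rtype == "TXT"]
    raise RuntimeError("CNAME chain too long or looping")


def validate_dns01(domain: str, token: str, thumbprint: str, zones: dict) -> bool:
    """Validate like a CA would. A wildcard (*.example.com) is proven at
    _acme-challenge of the base name, so the leading '*.' is stripped."""
    base = domain[2:] if domain.startswith("*.") else domain
    expected = key_authorization_digest(token, thumbprint)
    return expected in resolve_txt(f"_acme-challenge.{base}.", zones)


if __name__ == "__main__":
    token, thumb = "constructed-token", "constructed-jwk-thumbprint"
    zones = build_zones(key_authorization_digest(token, thumb))
    print("wildcard validates:", validate_dns01("*.example.com", token, thumb, zones))
```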