Get certificates unlisted

This is exactly what I do, obscurity is actually adding an extra layer of security, there is nothing wrong with that. I currently use joohoi/acme-dns service for everything I use and use different wild card certificates like * * ... for all my servers so they don't count towards a duplicate issuance limit.

This only applies in scenarios where "The effectiveness of obscurity in depends on whether the obscurity lives on top of other good security practices, or if it is being used alone. When used as an independent layer, obscurity is considered a valid security tool." (Quote Wikipedia).

As a counter-argument to your case, extensive use of wildcard certificate might significantly increase your vulnerability against ALPACA attacks, in particular if wildcards are being used cross-service.

Security by obscurity is a double-edged sword. It can harm you as much as it helps and should always be exercised with caution.


Interesting read and a good point.
Although I do think security through obscurity is passe, it can be updated and still used effectively especially when/if there is no overlap in wildcard coverages.
If you have:


And you secure all of them with one single wildcard, then you are not as paranoid as I am.
If, instead, you have three wildcard certs, then you are getting warmer.
If instead you use FQDNs that can't be overlapped [which require separate SAN enrties], like:


And you don't issue one single cert with all three wildcard entries in the SAN, then are you even much (more) warmer! Welcome to Miami! [where it is always warm] :beers:

And when you also use separate systems [be they, at least, VMs/containers within a single physical device] for each service, then you are getting hot!

Just my [free] two cents.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.