Opt-out of Certificate Transparency


#1

Hello! :wave:

I don’t want certain sub-domain names to appear on the certificate transparency (CT) log. Any TLS server can serve different content based on SNI, and so do web servers based on the HTTP Host: header. This also makes it possible for a single server to act as a gateway for multiple domains.

Having these domain names on the public CT log has made it possible for (potentially malicious) parties to know about the existence of these domains whereby they have probed these domains for vulnerabilities. Without this knowledge they would not have been able to access these machines behind a gateway. It seems most probable that the attackers learned the domain names from the public CT log.

Would it be possible to opt-out of certificate transparency (CT) for certificates for certain domains? I know there are other channels whereby a potential adversary could learn about these domains, but in practice, obscurity does have certain benefits for some cases. I don’t want to advertise the list of domains that can be accessed, probed or attacked.

Thanks!


#2

CT logging will be mandatory for all CAs at the end of April I believe.

I know that before Digicert took over, Symantec provided the ability for customers to submit redacted pre-certificates, providing the ability to hide subdomains of the registered domain, e.g.:

https://crt.sh/?id=153997935

However I’m not sure whether this is acceptable under the new rules, it wasn’t clear from the mailing lists when I looked into it.

I think that CT logs are certainly a real threat to organizations. e.g. https://crt.sh/?q=%.transport.nsw.gov.au reveals tonnes of information about internal infrastructure that would be otherwise borderline impossible to map. It’s no wonder that pretty much every subdomain mapping tool used in infosec (i.e. anubis) heavily leans on CT logs now.

So your concern should be taken seriously by CAs, including Let’s Encrypt.


#3

You can use wildcard certificates to avoid advertising the list of your subdomains.

Other than the fact that CT will be mandatory (at least for Chrome), publishing all certificates to CT increases the accountability of the CA.

If you don’t care about the validity of your certificate for devices you don’t control, you can set up a private hierarchy with your own root that you install on your devices.
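
An added example (not posted by any participant in this thread) of the two points made above: the crt.sh-style enumeration post #2 describes, and how much of it the wildcard certificate post #3 suggests would actually hide. crt.sh answers a query such as https://crt.sh/?q=%25.example.com&output=json (the `%25` is a URL-encoded `%`) with a JSON array whose entries list a certificate's identifiers, newline-separated, in `name_value`. The array in the script is a constructed stand-in for such a response so that it runs offline; the hostnames in it are invented.

```python
"""Added example: what a CT search exposes, and what a wildcard would hide.

The JSON below is a constructed stand-in for a crt.sh JSON response
(field names as crt.sh uses them; all values invented).
"""
import json

# Constructed sample response (not real crt.sh data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.internal.example.com\ngit.internal.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "jenkins.example.com"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com\nexample.com"},
    # A renewal re-lists the same names; the result must dedupe it.
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "jenkins.example.com"},
])


def exposed_names(crtsh_json):
    """Distinct identifiers (CN/SAN entries) across every logged certificate."""
    names = set()
    for entry in json.loads(crtsh_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                names.add(name)
    return names


def concrete_hosts(names):
    """The hostnames an enumeration tool learns; a wildcard names no host."""
    return sorted(n for n in names if not n.startswith("*."))


def covered_by_wildcard(host, wildcard):
    """RFC 6125 matching: '*.example.com' covers exactly one extra label,
    so it matches jenkins.example.com but neither example.com nor
    vpn.internal.example.com."""
    if not wildcard.startswith("*."):
        return False
    parent = wildcard[2:]
    labels = host.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == parent


def hosts_not_hidden(names):
    """Concrete hostnames that no wildcard in the same set covers, i.e. what
    CT would still reveal if the per-host certificates were dropped in
    favour of the wildcards already present."""
    wildcards = [n for n in names if n.startswith("*.")]
    return sorted(h for h in concrete_hosts(names)
                  if not any(covered_by_wildcard(h, w) for w in wildcards))


if __name__ == "__main__":
    names = exposed_names(SAMPLE_CRTSH_JSON)
    print("logged identifiers:", sorted(names))
    print("hosts disclosed:", concrete_hosts(names))
    print("not hidden by any wildcard present:", hosts_not_hidden(names))
```

Run against the constructed sample, `hosts_not_hidden` still returns `git.internal.example.com` and `vpn.internal.example.com`: a wildcard at the apex covers only one label, so deeper hosts need their own `*.internal.example.com` certificate, and that certificate itself advertises that the `internal.example.com` zone exists.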


#4

I’m sure Let’s Encrypt personnel will speak up for themselves, but I would anticipate their answer will be “No”.

From a UX point of view such an option is likely to cause trouble because the non-logged certificates are probably going to get distrusted. Google already has the capability to do this in Chrome, and Mozilla is developing the capability in Firefox. So once that happens, unlogged certificates mysteriously “don’t work”, and I think we can assume that means extra Help threads every morning from people who’ve decided they don’t want logging and then are surprised to discover their certificates don’t work…

