Public certificate hostnames

I think there is a small problem with the list.

You unintentionally exposed a whole lot of subdomains. For example (<number of subdomains> <domain>)

Another bad thing you exposed are some phpmyadmin subdomains which where surely supposed to be hidden from public like phpmyadmin89g7dioj3k4sd.example.com.

I guess you should remove caa-rechecking-incident-affected-serials.txt.gz from public access asap and notify at least the above mentioned parties on the leak.

1 Like

You know… they where public already.

7 Likes

Thanks for the report @seiji! As @9peppe says, we log all hostnames in public Certificate Transparency logs, as all CAs are required to to be trusted in Chrome. Even though the hostnames you mentioned are long and random, they are not intended to be secret - they are intended to avoid collisions. Still, I appreciate you noticing and informing us.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.