Public logging of requesting IP addresses


#1

The privacy policy states that IP addresses involved in validation will be logged, and that these logs may be publicly shared (see this thread from 2017).

I believe that the addresses are currently not being disclosed publicly - is that correct? I think changing that will surprise many users. Will there be an announcement sent to subscribers if/when Let’s Encrypt actually starts publishing the IP addresses? (As pointed out in the last thread, this can be problematic for people who are trying to avoid disclosing their actual IP address to protect against DDoS.)


#2

I can’t speak for future plans, but:

That’s correct.


#3

We would certainly make an announcement before making any changes related to this data.


#4

I just want to note that this would likely require GDPR controls as well :wink:

While I 100% understand and generally support doing this for HTTP-01 authorization, as mentioned in the other thread this can be a nightmare for DNS-01 authorization, which is more likely to have an ‘office’ request the certs and then deploy them into the cloud. I generally have good DDoS protection on the networks my web properties are on, and those facilities/networks have a dedicated staff I can quickly get in touch with for a situation like this. My office connection does not have any of those things.

It would be nice if Let’s Encrypt were able to limit the IP-log access to “approved” researchers and academic institutions OR if the IP+domain data were anonymized/hashed with a secret salt.
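
The "hashed with a secret salt" idea from post #4, sketched as an added example that is not part of the thread and not Let's Encrypt code: a keyed hash (HMAC) keeps requests from one address linkable without publishing the address, and the check shows why the salt has to be secret. Assumptions: only the address is tokenized and the domain is kept; all names, the key and the records are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample records (documentation address ranges, made-up domains).
RECORDS = [
    ("192.0.2.17", "example.org"),
    ("192.0.2.17", "shop.example.org"),
    ("203.0.113.5", "example.net"),
]

def plain_token(ip: str) -> str:
    """Unkeyed hash: anyone can recompute it for every candidate address."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()

def keyed_token(key: bytes, ip: str) -> str:
    """HMAC-SHA256 under a secret key: stable per address, but not
    recomputable by a reader of the published log, who lacks the key."""
    packed = ipaddress.ip_address(ip).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()

def pseudonymize(key: bytes, records):
    """Replace each address with its keyed token; domains are kept as-is."""
    return [(keyed_token(key, ip), domain) for ip, domain in records]

def recoverable(token: str, network: str, token_fn) -> bool:
    """Publisher-side check before release: does hashing every address in
    `network` with the public function `token_fn` reproduce `token`?
    True means the published value gives the address away."""
    return any(
        hmac.compare_digest(token_fn(str(ip)), token)
        for ip in ipaddress.ip_network(network)
    )

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a real key is random and kept private
    for token, domain in pseudonymize(key, RECORDS):
        print(token[:16], domain)
    print("plain hash recoverable:",
          recoverable(plain_token("192.0.2.17"), "192.0.2.0/24", plain_token))
    print("keyed hash recoverable:",
          recoverable(keyed_token(key, "192.0.2.17"), "192.0.2.0/24", plain_token))
```

The tokens stay linkable only for as long as the same key is in use, so rotating the key bounds how long one address can be tracked across the published data.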

