I feel that wildcards would be a very good idea on the basis of security.
I have been watching the project since its inception and believe the concept is crucial in today's modern world.
I have started using this service for my personal domain which I use as a hobby for development to host my personal email and own cloud storage.
Now that I have explained the background, the reason I believe that this is beneficial for security is:
My sub-domains are not publicly listed, which hides them from the outside world, but because they have to be specified in the cert, anyone can open the cert and see what I am protecting.
This allows for new attacks to take place, whereas a wildcard would keep them hidden from those who wish to cause harm.
@davren From a security point of view, wildcard certificates can decrease security too, in the case of multiple hosts, due to the risk of misconfiguration allowing “virtual host confusion attacks”: https://bh.ht.vc/vhost_confusion.pdf
This was fairly extensively discussed in the past at
Most recently we said that we were waiting to see what the ACME WG at IETF had to say about this. I'm not sure if that's still the most current information.
I manage a multi-tenant SaaS, and that use-case has been mentioned. However, neither of those threads mentioned specifically that a wildcard certificate is necessary in order to conceal valid subdomains. In this case it’s not just a matter of convenience, but of security.
As an example, if “Company 5” signs up for a service at example.com, they may receive an address of https://company5.example.com. When they visit, they’re required to log in. If someone visits an invalid subdomain (e.g. https://company7.example.com), the connection fails, telling the user that this is not a valid subdomain.
In this way, a malicious user is able to deduce which subdomains are valid accounts and which are not. With a wildcard, we’re able to present the same login dialog even for invalid subdomains, albeit they would never be able to successfully log in.
Another idea is that it would help for targeting attacks, because attackers who know what subdomains were or weren’t valid wouldn’t waste their time trying to guess or steal passwords for a nonexistent service. With the wildcard approach, the attackers may not know exactly why their guesses failed, so they don’t gain an advantage in prioritizing them (although the service operator would have to be quite careful about making different-cause failures consistently take the same amount of time and display exactly the same error, for every resource that’s accessible to non-logged-in users!).