Request for Wildcard


#1

Hi Folks,

I feel that wildcards would be a very good idea on the basis of security.

I have been watching the project since its inception and believe the concept is crucial in todays modern world.
I have started using this service for my personal domain which I use as a hobby for development to host my personal email and own cloud storage.

Now that I have explained the back ground, the reason I believe that this is beneficial for security is;
My sub-domains are not publicly listed which hide them from the outside world but because they have to be specified in the cert anyone can open the cert and see what I am protecting.
This allows for new attacks to take place where as a wildcard would keep them hidden from those who wish to cause harm.

Thanks for your consideration,
Davren


#2

@davren From a security point of view, wildcards certificate can decrease the security too, in case of multiple host, due to the risk of misconfiguration allowing “virtual host confusion attacks” : https://bh.ht.vc/vhost_confusion.pdf


#3

Hi @davren,

This was fairly extensively discussed in the past at


Most recently we said that we were waiting to see what the ACME WG at IETF had to say about this. I’m not sure if that’s still the most current information.


#4

I manage a multi-tenant SaaS, and that use-case has been mentioned. However, neither of those threads mentioned specifically that a wildcard certificate is necessary in order to conceal valid subdomains. In this case it’s not just a matter of convenience, but of security.

As an example, if “Company 5” signs up for a service at example.com, they may receive an address of https://company5.example.com. When they visit, they’re required to login. If someone visits an invalid subdomain (e.g. https://company7.example.com), the connection fails, telling the user that this is not a valid subdomain.

In this way, a malicious user is able to deduce which subdomains are valid accounts and which are not. With a wildcard, we’re able to present the same login dialog even for invalid subdomains, albeit they would never be able to successfully login.

Thanks for reading.


#5

@acicali, Pardon my ignorance, but do let me know why is it a security threat to expose that a particular subdomain is invalid?


#6

One idea is that it reveals who the customers are (maybe if https://tesla.example.com/ works and https://lenovo.example.com/ doesn’t, then Tesla is a customer but Lenovo isn’t).

Another idea is that it would help for targeting attacks, because attackers who know what subdomains were or weren’t valid wouldn’t waste their time trying to guess or steal passwords for a nonexistent service. With the wildcard approach, the attackers may not know exactly why their guesses failed, so they don’t gain an advantage in prioritizing them (although the service operator would have to be quite careful about making different-cause failures consistently take the same amount of time and display exactly the same error, for every resource that’s accessible to non-logged-in users!).


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.