Since last week I noticed that every time I use certbot to get a certificate for nginx I instantly receive some strange requests on the domain name coming from a Tor exit node IP.
Here is an extract:
I don’t know about instant, but I’m used to getting a bunch of DNS queries within a couple minutes of issuing a certificate. I don’t think I usually get HTTP traffic.
FYI, there’s a CT feed you can stream live at https://certstream.calidog.io/. I don’t know how up-to-the-second it is, but it’s close.
Ok so it’s technically doable using the CT stream.
Now I’d like to know if this is widespread or because one of my domains is a “target”…
I guess it can be dangerous if a website is still being deployed and dot files like the .git folder are still accessible.
Yes, I am aware of this, but this time it’s so quick that even the installed software may not have time to “warn” you of a possibly insecure configuration.
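The concern above is that scanners watching the CT log stream probe a freshly certified host for dotfiles before the deployment is finished. A defender's first check is whether any such probe was actually answered with content rather than a 404. The following is an added example (not code from the original thread or from certbot/nginx): it parses nginx "combined" access-log lines, flags requests whose path contains a hidden segment, and reports which of them were served with a 2xx status. The log lines are constructed samples, and `/.well-known/` is deliberately exempted because the ACME HTTP-01 challenge itself lives under that hidden directory, so a blanket "deny all dotfiles" rule would break future renewals.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in nginx "combined" log format (not taken from the thread).
# The first is a legitimate ACME validation; the rest mimic a post-issuance dotfile sweep.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:12:00:01 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.23 - - [10/Mar/2019:12:00:09 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.21.0"
198.51.100.23 - - [10/Mar/2019:12:00:09 +0000] "GET /%2Eenv HTTP/1.1" 404 153 "-" "python-requests/2.21.0"
198.51.100.23 - - [10/Mar/2019:12:00:10 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "python-requests/2.21.0"
198.51.100.23 - - [10/Mar/2019:12:00:11 +0000] "GET /static/.hidden/config HTTP/1.1" 200 44 "-" "python-requests/2.21.0"
"""

# Matches the fixed-position fields of the combined format up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hidden prefixes that must stay reachable: ACME HTTP-01 uses /.well-known/acme-challenge/.
ALLOWED_HIDDEN_PREFIXES = ("/.well-known/",)


def is_hidden_path(path):
    """True if any path segment starts with '.', unless it is under an allowed prefix."""
    if path.startswith(ALLOWED_HIDDEN_PREFIXES):
        return False
    segments = [seg for seg in path.split("/") if seg]
    return any(seg.startswith(".") and seg not in (".", "..") for seg in segments)


def flag_hidden_requests(log_text):
    """Return one record per request for a hidden path, noting whether it was served (2xx)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Percent-decode so encoded dots (%2E) cannot slip past the check.
        path = unquote(urlsplit(m["target"]).path)
        if is_hidden_path(path):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "path": path,
                "status": status,
                "served": 200 <= status < 300,
            })
    return hits


def exposed_paths(log_text):
    """Hidden paths that were actually served: these are exposures, not just recon."""
    return sorted({h["path"] for h in flag_hidden_requests(log_text) if h["served"]})


if __name__ == "__main__":
    for hit in flag_hidden_requests(SAMPLE_LOG):
        verdict = "EXPOSED" if hit["served"] else "probe only"
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} -> {hit["status"]} ({verdict})')
    print("Exposed:", exposed_paths(SAMPLE_LOG))
```

A 404 on `/.git/HEAD` is the reconnaissance the thread describes and is worth correlating with the certificate issuance time; a 2xx on any hidden path is the actual problem and is what the nginx `location` rule denying `/\.` (with an explicit exception for `/.well-known/acme-challenge/`) should be preventing before the host is ever certified.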
Does anybody know what happened to precertificate redaction (https://tools.ietf.org/html/draft-strad-trans-redaction-01)? Symantec did end up implementing it for some time (for their own logs), before Digicert took them over. It was an effective defence against all these reconnaissance/exploitation tools. I’d be happy to see its return.
There were many long discussions about the utility and feasibility of redaction, I think on the cabfpub mailing list. Chrome concluded that redaction broke the premise of CT too much for a variety of reasons, and Chrome CT policy does not allow for redaction. Presumably Apple’s policy is the same way.