[security] Strange probing behavior uppon issuing a certificate


Since last week I noticed that everytime I use certbot to get a certificate for nginx I instantly receive some strange requests on the domain name coming from a TOR exit node IP.
Here is an extract : - - [03/Jul/2019:18:53:17 +0000] "GET /.git/config HTTP/1.1" 200 178 "https://domain-that-just-got-a-new-cert/.git/config" "Go-http-client/1.1"

Is this a known probing practice ?
Is the certificate transparency log updated this quickly ?

I don’t know about instant, but I’m used to getting a bunch of DNS queries within a couple minutes of issuing a certificate. I don’t think I usually get HTTP traffic.

FYI, there’s a CT feed you can stream live at https://certstream.calidog.io/. I don’t know how up-to-the-second it is, but it’s close.

1 Like

Ok so it’s technically doable using the CT stream.
Now I’d like to know if this is widespread or because one of my domain is a “target”…
I guess it can be dangerous if a website is still being deployed and dot files like the .git folder are still accessible.

Hi @zeroware

if you have a webserver, it’s a target. It’s completely unrelevant if you have a small or a big website. Or no website.

There are requests about every Software (Wordpress, Joomla, Drupal etc.), every standard management system, git files …

So you have to secure your site.

There is no invisible webserver.

Yes I am aware of this but this time it’s so quick that even the installed software may not have time to “warn” you of possible unsecure configuration.

Never let an insecure/unsecured website accessible on the world wide web. Ever.

Does anybody know what happened to precertificate redaction (https://tools.ietf.org/html/draft-strad-trans-redaction-01)? Symantec did end up implementing it for some time (for their own logs), before Digicert took them over. It was an effective defence against all these reconnaissance/exploitation tools. I’d be happy to see its return.

There were many long discussions about the utility and feasibility of redaction, I think on the cabfpub mailing list. Chrome concluded that redaction broke the premise of CT too much for a variety of reasons, and Chrome CT policy does not allow for redaction. Presumably Apple’s policy is the same way.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.