[security] Strange probing behavior upon issuing a certificate


Since last week I noticed that every time I use certbot to get a certificate for nginx I instantly receive some strange requests on the domain name coming from a TOR exit node IP.
Here is an extract:
 - - [03/Jul/2019:18:53:17 +0000] "GET /.git/config HTTP/1.1" 200 178 "https://domain-that-just-got-a-new-cert/.git/config" "Go-http-client/1.1"

Is this a known probing practice?
Is the certificate transparency log updated this quickly?

I don’t know about instant, but I’m used to getting a bunch of DNS queries within a couple minutes of issuing a certificate. I don’t think I usually get HTTP traffic.

FYI, there’s a CT feed you can stream live at https://certstream.calidog.io/. I don’t know how up-to-the-second it is, but it’s close.

Ok so it’s technically doable using the CT stream.
Now I’d like to know if this is widespread or because one of my domains is a “target”…
I guess it can be dangerous if a website is still being deployed and dot files like the .git folder are still accessible.
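
An added example, not part of the thread: one way to check an nginx access log for the situation described above, separating dotfile requests that were actually served (2xx, like the `/.git/config` hit in the first post) from probes that were refused. The log lines are constructed, use documentation IP ranges, and assume nginx's default "combined" format; `/.well-known/` is skipped because certbot's HTTP-01 validation legitimately uses it.

```python
import re
from datetime import datetime

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
# Any path segment starting with a dot, except /.well-known/ (ACME HTTP-01 challenges).
DOT_SEGMENT = re.compile(r'/\.(?!well-known(?:/|$))[^/]')

def find_dotfile_hits(lines):
    """Return (exposed, probed): dotfile requests answered 2xx vs. all other statuses."""
    exposed, probed = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format; ignore
        path = m["path"].split("?", 1)[0]
        if not DOT_SEGMENT.search(path):
            continue
        hit = {
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"],
            "path": path,
            "status": int(m["status"]),
            "agent": m["agent"],
        }
        (exposed if 200 <= hit["status"] < 300 else probed).append(hit)
    return exposed, probed

# Constructed sample lines (not real traffic), modelled on the extract in the first post.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jul/2019:18:53:02 +0000] "GET /.well-known/acme-challenge/constructed-token HTTP/1.1" 200 87 "-" "constructed-validation-agent"',
    '192.0.2.10 - - [03/Jul/2019:18:53:17 +0000] "GET /.git/config HTTP/1.1" 200 178 "https://example.test/.git/config" "Go-http-client/1.1"',
    '192.0.2.10 - - [03/Jul/2019:18:53:18 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Go-http-client/1.1"',
    '203.0.113.5 - - [03/Jul/2019:18:54:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    exposed, probed = find_dotfile_hits(SAMPLE_LOG)
    for h in exposed:
        print(f"EXPOSED {h['time'].isoformat()} {h['ip']} {h['path']} -> {h['status']}")
    for h in probed:
        print(f"probe   {h['time'].isoformat()} {h['ip']} {h['path']} -> {h['status']}")
```

Anything reported as exposed means the server returned the file's contents; the durable fix is to keep such files out of the web root or deny dot-paths in the server configuration before the certificate is requested.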

Hi @zeroware

If you have a webserver, it's a target. It's completely irrelevant if you have a small or a big website. Or no website.

There are requests about every software (WordPress, Joomla, Drupal etc.), every standard management system, git files...

So you have to secure your site.

There is no invisible webserver.

Yes, I am aware of this, but this time it’s so quick that even the installed software may not have time to “warn” you of a possible insecure configuration.

Never leave an insecure/unsecured website accessible on the world wide web. Ever.

Does anybody know what happened to precertificate redaction (https://tools.ietf.org/html/draft-strad-trans-redaction-01)? Symantec did end up implementing it for some time (for their own logs), before DigiCert took them over. It was an effective defence against all these reconnaissance/exploitation tools. I’d be happy to see its return.

There were many long discussions about the utility and feasibility of redaction, I think on the cabfpub mailing list. Chrome concluded that redaction broke the premise of CT too much for a variety of reasons, and Chrome CT policy does not allow for redaction. Presumably Apple’s policy is the same way.
