Several of my private application sites had been running for a while. During that time no attackers visited them, but within minutes of my obtaining an SSL certificate, attackers showed up scanning and trying to find vulnerabilities in my site. The sites that had not requested an SSL certificate stayed very quiet, with no strange visitors.
I remember once seeing a page that lists the domain names for which Let's Encrypt certificates have been requested. I believe attackers get the domain names from there and then make their unfriendly visits. So as soon as I finished requesting a certificate, it immediately drew them to scan my site and attempt to exploit it.
I can't find that page now, but I'm sure I saw such a page before. I hope there is a way to avoid exposing the domain names for which certificates are requested.
Yes, this is a known attack vector for quite some time already.
This is not directly related to Let's Encrypt, but is applicable to all publicly trusted certificate authorities (CAs) due to Certificate Transparency logs (which are mandatory to use).
All publicly trusted CAs need to publish all issued (pre)certificates to Certificate Transparency logs. And due to the transparent nature of these logs, they are publicly accessible.
And unfortunately malicious entities can also use these Certificate Transparency logs to look for newly issued certificates of newly installed software (e.g. WordPress or something like that).
These malicious entities can e.g. look for default passwords for yet unprotected web applications and hijack this software even before the user gets to change this default password.
It's an unfortunate side effect of these transparency logs, and most web applications have taken care of this attack vector by e.g. using randomised passwords in the onboarding phase.
OK, thank you very much for your reply. Now I know the reason.
Because CT makes your domain name information public,
there may be no way to avoid exposing the main site,
but subdomain sites can avoid having the subdomain names exposed by using a wildcard certificate,
for example *.letsencrypt.org
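As an added illustration of the two replies above (it is not code from this thread or from Let's Encrypt), the following Python script models what the public CT logs reveal about a set of hostnames under two certificate plans: one certificate per host versus wildcard certificates. Every name in a certificate's SAN list is logged, so it is public. The hostnames (example.com and its subdomains) are constructed for the example; wildcard matching follows the browser rule from RFC 6125 section 6.4.3, where `*` must be the whole leftmost label and matches exactly one label, so `*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`.

```python
"""Which hostnames does a certificate plan expose through Certificate Transparency?

Every publicly trusted (pre)certificate is logged, so every SAN entry in it
is public.  Given the hostnames actually served and the SAN list of each
certificate to be requested, report what a CT reader sees and which hosts
are left without a matching certificate.
"""

# Constructed sample hostnames for the example (not real sites).
SERVED_HOSTS = [
    "example.com",
    "www.example.com",
    "blog.example.com",
    "secret-admin.example.com",
    "dev.internal.example.com",
]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if SAN entry `pattern` covers `hostname` (RFC 6125 6.4.3 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    # Only a bare '*' as the entire leftmost label is accepted, and only when
    # at least two more labels follow (so '*.com' never matches anything).
    if first != "*" or rest.count(".") < 1:
        return False
    host_first, _, host_rest = hostname.partition(".")
    # The wildcard stands for exactly one label: the remainder must be equal.
    return bool(host_first) and host_rest == rest


def ct_exposure(served_hosts, certificates):
    """Return (sorted SAN names visible in CT, sorted hosts no certificate covers).

    `certificates` is a list of SAN lists, one per certificate to be issued.
    """
    visible = {san.lower().rstrip(".") for sans in certificates for san in sans}
    uncovered = {
        h for h in served_hosts
        if not any(wildcard_matches(san, h) for san in visible)
    }
    return sorted(visible), sorted(uncovered)


def attacker_learns(visible_sans):
    """Concrete names a CT reader learns exist: wildcards reveal their parent."""
    return sorted({s[2:] if s.startswith("*.") else s for s in visible_sans})


def wildcard_plan(served_hosts):
    """SAN list that hides the leftmost label of every subdomain behind '*'.

    A name with only two labels (the apex) cannot hide: it must be listed
    as-is.  A deeper name such as dev.internal.example.com needs its own
    wildcard *.internal.example.com, which still reveals 'internal'.
    """
    sans = set()
    for host in served_hosts:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) >= 3:
            sans.add("*." + ".".join(labels[1:]))
        else:
            sans.add(".".join(labels))
    return sorted(sans)


if __name__ == "__main__":
    per_host = [[h] for h in SERVED_HOSTS]
    for label, plan in (("one cert per host", per_host),
                        ("wildcard plan", [wildcard_plan(SERVED_HOSTS)])):
        visible, uncovered = ct_exposure(SERVED_HOSTS, plan)
        print(f"{label}:")
        print("  logged SANs     :", visible)
        print("  attacker learns :", attacker_learns(visible))
        print("  uncovered hosts :", uncovered)
```

Under the per-host plan all five names, including `secret-admin.example.com`, are logged. Under the wildcard plan only `*.example.com`, `*.internal.example.com` and `example.com` appear, so the apex is still public (as the reply says) and the intermediate label `internal` leaks as well; the individual hosts beneath each wildcard do not. Note that a wildcard still has to be accompanied by the apex name if the apex itself is served, since `*.example.com` does not match `example.com`, and that Let's Encrypt issues wildcard certificates only via the DNS-01 challenge.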