Transparency logs for wildcard subdomains and expired certs

I read an interesting thread here about how letsencrypt and other major CAs log all certs publicly.

  1. When a cert expires, is it still available to the public - or is it only active certs that are visible?

  2. Also, that thread explained that all subdomains will sooner or later be added to the public certs registry, because Google’s crawlers will find them. But what about a wildcard cert, e.g. the subdomain in foobarbazqux.example.com is known only to the domain’s owner… Will those wildcard subdomains also somehow be logged?

  1. All certificates are forever stored in the transparency log. They will exist there forever.

  2. Certificates are submitted by the Certificate Authority to the log, Chrome doesn’t trust certificates that aren’t logged so all CAs submit them now. Thus even unknown, random subdomains will be logged.

NOTE: Not all CAs submit to all logs, I’m not an expert on the subject but I believe CAs only have to submit them to a few logs that are trusted by browsers. (2 or more?)

For instance, the cert on this site is in the Let’s Encrypt Oak 2020 log and Google “Xenon2020” log.


Thanks. There is something I don’t understand though about (2)…

If my domain uses a wildcard cert, then the only one who knows about its subdomains is me.

Assuming I never publicize those subdomains (e.g. they are for internal use by the company), how would they be discovered and logged?


I misread your post. With the wildcard you are correct. You could have a subdomain asllkhasdf.example.com covered by a wildcard and it may never be discovered. Although I don’t suggest relying on security by obscurity.


No. The CT logs contain certificates, and wildcard certificates don’t contain your subdomains.* If you only use wildcard certificates, your subdomains would not appear in the CT logs.

The post in the other thread just meant that it was difficult to avoid your certificates getting logged, and it was talking about a situation where you were not using wildcards. (In 2016, many CAs did not automatically log their certificates, and browsers did not usually mandate CT use. The circumstances are a lot different today.)

It’s still hard to keep subdomains entirely secret, even without regard to TLS and certificates. Passive DNS databases are likely to pick them up, for example.

* Well, certificates can contain a mixture of wildcards and non-wildcards, if you choose to do that.

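To make the point about wildcard versus explicit names concrete, here is an added example (not code from this thread or from Let’s Encrypt) that simulates what a CT-log name search can see. The SAN lists and hostnames are constructed for illustration; the matching rule follows RFC 6125, where a single `*` as the whole leftmost label matches exactly one label.

```python
# Constructed sample: the DNS SAN entries of three hypothetical logged certificates.
# A CT log exposes exactly these strings, nothing more.
LOGGED_CERTS = {
    "wildcard-cert": ["example.com", "*.example.com"],
    "explicit-cert": ["www.example.com", "mail.example.com"],
    "mixed-cert": ["*.corp.example.com", "vpn.example.com"],  # wildcard + non-wildcard mix
}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if `pattern` covers `hostname`. A leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    # Exactly one non-empty label; "*.example.com" covers neither
    # "example.com" nor "a.b.example.com".
    return bool(left) and "." not in left


def disclosed_names(certs: dict) -> list:
    """Every concrete hostname a search over these logged certs would reveal."""
    return sorted({n for sans in certs.values() for n in sans if not n.startswith("*.")})


def classify(certs: dict, hostname: str) -> str:
    """'disclosed' if the exact name is logged, 'covered' if only a wildcard
    matches it (valid cert, but the name itself never appears), else 'absent'."""
    names = [n for sans in certs.values() for n in sans]
    if any(not n.startswith("*.") and wildcard_matches(n, hostname) for n in names):
        return "disclosed"
    if any(n.startswith("*.") and wildcard_matches(n, hostname) for n in names):
        return "covered"
    return "absent"


if __name__ == "__main__":
    for host in ["www.example.com", "asllkhasdf.example.com", "a.b.example.com"]:
        print(host, "->", classify(LOGGED_CERTS, host))
    print("visible in log:", disclosed_names(LOGGED_CERTS))
```

A name that classifies as `covered` is still a working TLS name for the owner, but an attacker mining the log learns only the wildcard pattern; the explicit entries are what passive-DNS-style discovery would have to supply separately.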

Thanks @mnordhoff that makes sense.

Of course the easiest leak possible is someone who uses the intranet (which is using a subdomain on a wildcard cert) accidentally pastes it in an email, which goes round the internet, and some scraper somewhere reads it and logs it.

I guess you just can’t win! :laughing:

