←back to thread

Should you use Let's Encrypt for internal hostnames?

(shkspr.mobi)
238 points edent | 5 comments | 05 Jan 22 12:42 UTC | HN request time: 1.99s | source
Show context
marcosdumay ◴[05 Jan 22 17:23 UTC] No.29811898[source]
I will never understand the obsession people have with hiding their private server names.

If somebody gets any access to your local network, there are plenty of ways to enumerate them, and if they can't get access, what's the big deal?

I get that you may want to obfuscate your infrastructure details, but leaking infrastructure details on your server names is quite a red flag. It should really not happen. (Instead, you should care about the many, many ways people can enumerate your infrastructure details without looking at server names.)

replies(6): >>29812502 #>>29812557 #>>29813436 #>>29813580 #>>29814316 #>>29818673 #
1. jon-wood ◴[05 Jan 22 17:59 UTC] No.29812502[source]
One of the examples given wasn't a server name, it was leaking potentially confidential information via the domain olympics-campaign.staging.example.org - in many environments its fine if people know project names, but NDAs are a thing, and you could end up in hot water if you accidentally leak a partnership between two companies before it's been announced.
replies(1): >>29812726 #
2. marcosdumay ◴[05 Jan 22 18:14 UTC] No.29812726[source]
Well, if instead of making a lot of effort in hiding your names you just didn't, you wouldn't use a name like that.

Every single person that connects to any of your networks (very likely the sandboxed mobile one too) can find that name. Basically no place hides it internally. There is very little difference between disclosing it to thousands of the people that care the most about you and disclosing it to everybody on the world.

replies(1): >>29813148 #
3. ttyprintk ◴[05 Jan 22 18:44 UTC] No.29813148[source]
The other examples are better. Say a never-before-seen name appears, cisco520.internal.foo.bar. Suddenly, a well-formed email appears, “Re: Cisco Support Ticket #7779311” about some additional steps to provision your new appliance. It is trivial to automate that phish by crawling the CT log.
replies(1): >>29813880 #
4. marcosdumay ◴[05 Jan 22 19:43 UTC] No.29813880{3}[source]
Is this valuable enough to resist every real advancement in network security since the late 00's? Because for each one of them it's certain that people will pop-up making a lot of noise about hidden server names.

It's mostly because of them that DNS is still not reliable. Well, at least this article isn't against certificate transparency, just about how to avoid it.

replies(1): >>29816600 #
5. ttyprintk ◴[05 Jan 22 23:16 UTC] No.29816600{4}[source]
I don’t think anyone is arguing that Certificate Transparency defeats “every real advancement in network security”. If you want to avoid your internal hostnames, and maybe Subject and SAN, ending up in LE, then you’re free to run your own CA.

But getting back to your parent post, maybe we can see a nontrivial real-world list of a big network to make sure it’s leaking nothing of value?