Should you use Let's Encrypt for internal hostnames?

(shkspr.mobi)

238 points edent | 1 comments | 05 Jan 22 12:42 UTC | HN request time: 0s | source

Show context

marcosdumay ◴[05 Jan 22 17:23 UTC] No.29811898[source]▶

I will never understand the obsession people have with hiding their private server names.

If somebody gets any access to your local network, there are plenty of ways to enumerate them, and if they can't get access, what's the big deal?

I get that you may want to obfuscate your infrastructure details, but leaking infrastructure details on your server names is quite a red flag. It should really not happen. (Instead, you should care about the many, many ways people can enumerate your infrastructure details without looking at server names.)

replies(6): >>29812502 #>>29812557 #>>29813436 #>>29813580 #>>29814316 #>>29818673 #

ratcline ◴[05 Jan 22 18:02 UTC] No.29812557[source]▶

>>29811898 #

It's mainly mitigating exposure. Some possible vulnerabilities would be social engineering(i.e. it'd be easier to send a targeted phishing URL to gain recon on an employee of a company if you know an internal domain), or injection into a public facing service that has access to internal services.

replies(1): >>29813432 #

1. memer ◴[05 Jan 22 19:08 UTC] No.29813432[source]▶

>>29812557 #

So, security through obscurity?

↑