
    287 points govideo | 18 comments

    I have a domain that is not live. As expected, loading the domain returns: Error 1016.

    However...I have a subdomain with a not obvious name, like: userfileupload.sampledomain.com

    This subdomain IS LIVE but has NOT been publicized/posted anywhere. It's a custom URL for authenticated users to upload media with a presigned URL to my Cloudflare R2 bucket.

    I am using Cloudflare for my DNS.

    How did the internet find my subdomain? Some sample user agents are: "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7; en-us) AppleWebKit/534.20.8 (KHTML, like Gecko) Version/5.1 Safari/534.20.8", "Mozilla/5.0 (Linux; Android 9; Redmi Note 5 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36",

    The bots are GET requests which are failing, as designed, but I'm wondering how the bots even knew the subdomain existed?!

    yatralalala ◴[] No.43289743[source]
    Hi, our company does this basically "as-a-service".

    The options for how to find it are basically limitless. The best source is probably the Certificate Transparency project, as others suggested. But it does not end there; some other things that we do are things like internet crawl, domain bruteforcing on wildcard DNS, dangling vhosts identification, default certs on servers (connect to IP on 443 and get default cert) and many others.

    Security by obscurity does not work. You cannot rely on "people won't find it". Once it's online, everyone can find it. No matter how you hide it.

    replies(13): >>43289843 #>>43290143 #>>43290420 #>>43290596 #>>43290783 #>>43292505 #>>43292547 #>>43292687 #>>43293087 #>>43303762 #>>43309048 #>>43317788 #>>43341607 #
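
Added example (not part of the thread or of any commenter's tooling): a defender-side check of which of your own hostnames are named in Certificate Transparency logs, the source the comment above calls the best one. The JSON is constructed sample data shaped like crt.sh output (its `name_value` field is the assumption here), and every `sampledomain.com` host other than the one in the question is made up.

```python
import json

# Constructed sample shaped like crt.sh JSON output; every value is made up.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "not_before": "2025-03-01T00:00:00",
     "name_value": "userfileupload.sampledomain.com"},
    {"issuer_name": "C=US, O=Example CA", "not_before": "2025-02-10T00:00:00",
     "name_value": "*.internal.sampledomain.com\ninternal.sampledomain.com"},
    {"issuer_name": "C=US, O=Example CA", "not_before": "2025-01-05T00:00:00",
     "name_value": "www.example.org"},
])


def logged_names(ct_json, apex):
    """Split the names CT has logged under apex into exact hosts and wildcards."""
    exact, wildcards = set(), set()
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name == apex or name.endswith("." + apex):
                (wildcards if name.startswith("*.") else exact).add(name)
    return exact, wildcards


def covered_by_wildcard(host, wildcards):
    """A wildcard certificate name matches exactly one left-most label."""
    parent = host.split(".", 1)[1] if "." in host else ""
    return ("*." + parent) in wildcards


def audit(ct_json, apex, unpublicised_hosts):
    """Classify hosts you consider unpublicised by what CT reveals about them."""
    exact, wildcards = logged_names(ct_json, apex)
    report = {}
    for host in (h.lower().rstrip(".") for h in unpublicised_hosts):
        if host in exact:
            report[host] = "named in a logged certificate"
        elif covered_by_wildcard(host, wildcards):
            report[host] = "covered only by a wildcard certificate"
        else:
            report[host] = "not in this CT sample"
    return report


if __name__ == "__main__":
    hosts = ["userfileupload.sampledomain.com",
             "staging.internal.sampledomain.com", "admin.sampledomain.com"]
    for host, status in audit(SAMPLE_CT_JSON, "sampledomain.com", hosts).items():
        print(f"{host}: {status}")
```

A host that is absent from the logs or covered only by a wildcard is still reachable by the other methods the comment lists, so the endpoint's protection has to come from its authentication rather than from the name.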
    1. monkaiju ◴[] No.43290905[source]
    This is the most confidently incorrect post I've seen in a long time.
    replies(3): >>43291000 #>>43291007 #>>43291214 #
    2. crazygringo ◴[] No.43290951[source]
    > “Security through obscurity” is the only security there is.

    > Encryption obscures data.

    I don't think you understand what "security through obscurity" means. What encryption does is literally the opposite of obscure, in this context. It is out in the open and documented. And the same with the rest of your examples.

    replies(1): >>43291184 #
    3. MyOutfitIsVague ◴[] No.43290999[source]
    That's not what that phrase means. That's not even what the word "obscure" means. Obscurity is trying to not draw attention to something, or keep it hidden (as in "nobody knows that it's there", not "you know that it's there but can't access it"). Encryption doesn't obscure data unless you're stretching the definition of the word beyond its useful purpose.
    replies(3): >>43291017 #>>43291091 #>>43291455 #
    4. xunil2ycom ◴[] No.43291000[source]
    seriously.
    5. elliotbnvl ◴[] No.43291007[source]
    Actually it’s quite correct.
    6. purkka ◴[] No.43291016[source]
    "Security through obscurity" can definitely be defined in a meaningful way.

    The opposite of "bad security through obscurity" is using completely public and standard mechanisms/protocols/algorithms such as TLS, PGP or pin tumbler locks. The security then comes from the keys and other secrets, which are chosen from the space permitted by the mechanism with sufficient entropy or other desirable properties.

    The line is drawn between obscuring the mechanism, which is designed to have measurable security properties (cryptographic strength, enumeration prevention, lock security pins), and obscuring the keys that are essentially just random hidden information.

    Obscuring the mechanism provides some security as well, sure, but a public mechanism can be publicly verified to provide security based only on secret keys.

    7. elliotbnvl ◴[] No.43291017[source]
    verb: keep from being seen; conceal.

    In what way is what he’s describing not obscurity?

    replies(6): >>43291146 #>>43291167 #>>43291173 #>>43291201 #>>43291220 #>>43291341 #
    8. cnity ◴[] No.43291146{3}[source]
    It is about the existence or the methodology being obscured, not the contents of an encrypted message. The point of that phrase is to contrast one type of security with another. You and I can know exactly what tool was used to encrypt something, and all the mathematics behind it, but still fail to decrypt it without the requisite private key.
    9. DrammBA ◴[] No.43291167{3}[source]
    In every way, because context matters, and the original commenter intentionally recontextualized it just to be contrarian.
    replies(1): >>43291309 #
    10. dghlsakjg ◴[] No.43291173{3}[source]
    Yes that is what the word obscure means.

    But the phrase “security through obscurity” is an industry term that refers to keeping things secure purely by not letting people know they exist.

    In contrast with encryption, where I can tell you exactly where the encrypted data is, but you can’t access it.

    Security through obscurity is hiding a bicycle in a bush and hoping no one notices it, encryption is more like locking it to a bike rack with a very good lock.

    replies(1): >>43291256 #
    11. MyOutfitIsVague ◴[] No.43291201{3}[source]
    Two points:

    1. Encrypted data is not hidden. You still know that there is data, it's just in a form that you can't understand. Just as difficult higher-level math isn't "obscured" from a non-mathematician (who knows that it is math, but can't decode it), encrypted data is not obscured.

    2. You could make the argument that the data is actually hidden, but the fact that data is there is not hidden. This is pointless pedantry, though. It is both contrary to the way that everybody uses the word and stretches the meaning of the word to the point that it's not useful. There is a common understanding of what "Security through obscurity" means ( https://en.wikipedia.org/wiki/Security_through_obscurity ) and interpreting it far beyond that is not useful. It simply breaks down communication into annoying semantic arguments. I enjoy semantic arguments, but not tedious, pedantic ones where one person just argues that a word isn't what everybody understands it to mean.

    More specifically, it's about WHAT is being obscured. "Security through obscurity" is about trying to be secure by keeping the details or mechanisms of a system secret, not the data itself.

    replies(1): >>43298436 #
    12. Minor49er ◴[] No.43291220{3}[source]
    This was explained in the third sentence of the post that you're responding to
    13. ewmiller ◴[] No.43291341{3}[source]
    You wouldn’t call a room behind a locked door “obscured.” Even if it’s technically correct in the most stretched definition (which I’m not convinced of), either way it’s not how people actually use the word.
    14. morellt ◴[] No.43291412[source]
    Semantics. Considering this is your first comment ever and your account was made an hour ago I'll assume this is ragebait
    15. dijksterhuis ◴[] No.43291524[source]
    encryption obfuscates data, as in the data is completely illegible unless you have the proper keys

    > To make so confused or opaque as to be difficult to perceive or understand

    https://www.thefreedictionary.com/obfuscate

    obscuring data is different, it’s about hiding it from view or minimising the likelihood of it being found.

    > To make dim, indistinct, or impossible to see

    https://www.thefreedictionary.com/obscure

    they are two wholly different actions.

    > Tiered access controls obscure who can do what in the system.

    i’ve seen plenty of examples where an access control system explicitly says what role/tier is required. access control is for “trust” management (who do we trust with what).

    16. KaiserPro ◴[] No.43291559[source]
    If we are going to go down this road, I want to call it occult security, because it sounds much more sexy, and it's more accurate. You are casting spells and incantations to hide things from the world.
    17. LaGrange ◴[] No.43291819[source]
    Actually it's just too short. To be complete, it would have to be like "security through obscurity _OF THE MECHANISM_."

    Which basically means it was always a shit saying, like most fancy quips were.

    18. genewitch ◴[] No.43298436{4}[source]
    Running your SSH server on port 8822 is security through obscurity.

    Port knocking isn't, I don't think.