cross-posted from: https://lemmy.ml/post/14100831

"No, seriously. All those things Google couldn’t find anymore? Top of the search pile. Queries that generated pages of spam in Google results? Fucking pristine on Kagi – the right answers, over and ov

  • foggy@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    11
    ·
    9 months ago

    Free certificates expose your subdomains. It’s not more secure if you don’t transact data in a meaningful way such as the example I provided.

    I don’t mean to insinuate that the example I provided is the majority of cases, and in the majority of cases, I do support sites with SSLs being indexed higher than websites without them, but I think the interstitial this website is not secure with the requirement of the advanced click followed by The continue anywaysclick…

    Idk

    Especially in 2018. Like, when we look at it from today’s perspective, it’s very easy to agree. And I do agree. But in 2018, it was not this way. Anyone who was a web developer with a bunch of clients, such as myself, was all the sudden in a very interesting hot seat. Not only did I need to try to upsell my clients, but I needed to convince them that not doing so was quite literally at their peril. It was difficult. And certain cases, it was impossible.

    • AnActOfCreation@programming.dev
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      9 months ago

      If your subdomains being public is a security issue then I’d argue something else is wrong. Otherwise you’re using security through obscurity.

      But I appreciate the insight and I see how this was a harder sell back when it happened. Thanks!

      • foggy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        3
        ·
        9 months ago

        Not necessarily. Let’s say you’re a known contributor to a closed source project. You don’t want people knowing you have a locally hosted gitlab instance at gitlab.mydomain.com, for example.

        • ReveredOxygen@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          9 months ago

          If that’s the case, you shouldn’t have one on your domain. If someone wants to know your subdomains, they can still brute force them

    • unautrenom@jlai.lu
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      Expose your subdomains as in having all of them bundled into one certificate?

      AFAIK, you absolutely can request different certs for each subdomain (in fact, that’s what I’ve been doing for a while).

      • foggy@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        4
        ·
        9 months ago

        No, as in they are public record.

        If you use a wildcard let’s encrypt SSL to encrypt www.mydomain.com and VPS.mydomain.com and secret.mydomain.com and allmyporn.mydomain.com, and Plex.mydomain.com, and gitlab.mydomain.com

        Then it is public record that mydomain.com has associated with it the CNAMES “www” “VPS” “secret” “allmyporn” “Plex” and “gitlab”.

        It can be looked up by anyone here. Just type in “%.yourdomain”

        That is to say if you use a wildcard letsencrypt SSL on all your subdomains for you self hosting project, you’re more exposed than want to be.

        • Saik0@lemmy.saik0.com
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          2
          ·
          9 months ago

          No it’s not. I have several wildcards. Your tool doesn’t show any of the subdomains i have then used on. Go hit %.saik0.com and show me where lemmy.saik0.com shows up. I’ll wait.

            • Saik0@lemmy.saik0.com
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              3
              ·
              edit-2
              9 months ago

              Bro check again… This time actually follow instructions.

              Search for LEMMY.SAIK0.COM… Notice it’s not there even though my instance clearly exists and has an SSL cert.

              What you’re seeing is certs from over a year ago. You’re seeing domains I registered specifically. eg… not ones I’ve associated with a wildcard.

              Next time make sure you’re actually right before you act so confident.

              Here’s a list of subdomains that are under a wildcard SSL cert… That will not show up in that list since they were never registered for their own cert and only EVER operated under the wildcard one.

              convert.saik0.com
              esign.saik0.com
              lemmy.saik0.com
              wordgame.saik0.com
              yt.saik0.com

              And there’s plenty more I could point out. But if you follow instructions and actually search, you’ll see that those do exist as accessible subdomains and do not show up in the crt.sh tool.

              Edit: LMFAO so you downvoted me… checked my shit and realized that you’re wrong. Deleted your message and kept your downvote in place.

              Edit2: For those coming after the fact and maybe not liking my initial tone at the top there. I mirrored the tone they posted in.

    • Bogasse@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      8 months ago

      While I agree the issue you raise does make sense in some situations, it derivates from the initial concern : if you don’t want your domain listed in a DNS record you certainly don’t want it to be indexed by a search engine :p