undefined | Better HN

0 pointsrobryk10y ago0 comments

An interesting usecase of wildcard certs: when I do not want to publish the hostnames I am using. Sandstorm[1] uses unpredictable hostnames as one mitigation against various cross-origin attacks -- if the attacker doesn't know the domain of the app, he can't try to use XSRF against it[2].

[1] https://sandstorm.io [2] https://docs.sandstorm.io/en/latest/using/security-practices...

0 comments

icebraining10y ago

If you are willing to only accept SNI enabled clients (the vast majority nowadays), you can achieve the same by having one cert issued per subdomain, then configuring the web server/reverse proxy to use them.

There are a few existing Nginx configs for that (search for "nginx dynamic ssl cert").

schoen10y ago

I think there are other problems for doing this for Sandstorm. One is the delay when starting to use a new hostname (right now Let's Encrypt might take around 20 seconds to issue a new hostname, which may well increase to the originally-predicted one minute eventually), while another is that all Let's Encrypt certificates are published, so if you really want the hostname to be completely unknown to an attacker, the individual Let's Encrypt certs wouldn't work.

Anyway, Sandstorm developers told me that they wouldn't plan on using Let's Encrypt while it doesn't offer wildcards, so I think we are missing out on supporting this use case.

robrykOP10y ago

Certs are published in certificate transparency logs, which would make the hostnames public.

discreditable10y ago

Any level of reliance on hostnames being secret seems like a very poor design decision.

kentonv10y ago

It's a mitigation strategy for other bugs, not a first-line defense. Read the doc before passing judgment.

j / k navigate · click thread line to collapse