
I was under the impression you could flag your domain to not be in Certificate Transparency logs. Security through obscurity is generally considered a bad idea (to which I think exceptions or nuance exist), but the likelihood of DNS names being burnt via other mechanisms (ISPs/‘security’ products and platforms logging DNS requests and selling them) being a reasonable assumption.


I don’t believe this is true. CT is wholly encompassing by design: if you could somehow opt out, an attacker could use that mechanism to bypass CT.

(As far as I know, the only way to “opt out” is to use a wildcard to obscure the true subdomain being accessed.)

Edit: from a quick look online, CT became mandatory for CA-issued certificates in the Web PKI in 2018.
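The point made in this reply (every publicly trusted certificate is logged, and a wildcard is the only way to keep a subdomain name out of the record) is easiest to see from the defender's side: a monitor over CT entries for your own zone sees exactly the names an outsider sees. The script below is an added illustration, not code from either commenter; the `CtEntry` shape and the `SAMPLE_ENTRIES` list are constructed stand-ins for what a real log or a service such as crt.sh would return, and the issuer names are placeholders.

```python
"""Added example: what a Certificate Transparency monitor for one zone can see.

CtEntry is a constructed minimal entry shape (issuer plus subjectAltName DNS
entries); real CT logs expose full X.509 certificates via the RFC 6962 API.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class CtEntry:
    issuer: str          # placeholder CA name, constructed
    sans: list[str]      # dNSName entries from the certificate's SAN extension


def _base(san: str) -> str:
    """Strip a leading wildcard label so '*.example.com' -> 'example.com'."""
    name = san.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def disclosed_names(sans: list[str]) -> list[str]:
    """Hostnames a logged certificate makes public.

    A wildcard SAN reveals only the parent zone (plus the fact that a wildcard
    exists), which is why a wildcard is the one way to keep a specific
    subdomain name out of the logs. Every other SAN is published verbatim.
    """
    return sorted({_base(s) for s in sans})


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(sep) and tail == san[2:] and head not in ("", "*")
    return san == hostname


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or any name beneath it."""
    return name == zone or name.endswith("." + zone)


def audit_entries(entries: list[CtEntry], zone: str, expected_issuers: set[str]):
    """Defender-side pass over CT entries for our zone.

    Returns (findings, exposed): findings are (index, issuer, sans) tuples for
    certificates covering our zone that a CA we do not use issued; exposed is
    every hostname under the zone the log has now made public.
    """
    findings, exposed = [], set()
    for idx, entry in enumerate(entries):
        ours = [s for s in entry.sans if in_zone(_base(s), zone)]
        if not ours:
            continue
        exposed.update(n for n in disclosed_names(ours) if in_zone(n, zone))
        if entry.issuer not in expected_issuers:
            findings.append((idx, entry.issuer, sorted(ours)))
    return findings, sorted(exposed)


# Constructed sample entries; issuer strings are placeholders, not real CAs.
SAMPLE_ENTRIES = [
    CtEntry("Our CA", ["www.example.com", "api.example.com"]),
    CtEntry("Our CA", ["*.example.com", "example.com"]),   # hides subdomain names
    CtEntry("Some Other CA", ["vpn.example.com"]),          # unexpected issuer
    CtEntry("Our CA", ["shop.example.net"]),                # not our zone
]


if __name__ == "__main__":
    findings, exposed = audit_entries(SAMPLE_ENTRIES, "example.com", {"Our CA"})
    print("unexpected issuance:", findings)
    print("names now public:", exposed)
    # The wildcard entry covers this host without naming it in the log.
    print("*.example.com covers secret.example.com:",
          san_matches("*.example.com", "secret.example.com"))
```

Note that the wildcard entry covers `secret.example.com` without that name ever appearing in the audit's `exposed` list, while the plain SANs in the other entries are published as-is; the issuer check is the routine monitoring use of the same data.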



