3

I am a customer of a cloud hosting provider (Cloudways). I create a new web site which gets a new automatically generated subdomain (like https://phpstack-xxxx-yyyy.cloudwaysapps.com/). I use Chrome on Windows 10 to set up the site. Within minutes of creating the new site I see in its access logs hits from the following IPs:

  • 65.154.226.168 ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.71 Safari/537.36"),
  • 133.242.174.119 & 133.242.140.127 ("Mozilla/5.0 (Linux; U; Android 2.2; ja-jp; SC-02B Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"),
  • 193.169.244.228 ("Mozilla/5.0 (SymbianOS 9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344").

[edited out what turned out to be an unrelated problem]

The question:

  • How do I investigate where those leaks come from?
Sir Muffington
Marassa
    Did the sites get a real individual HTTPS certificate (not a self-signed cert, not a wildcard certificate)? If so, the domain name is published on certificate transparency logs. – amon May 28 '22 at 14:07
  • That's it @amon - Cloudways uses letsencrypt to generate certificates and, as I just checked, the hits only appeared just after I ordered and installed the certificate. Your comment should be the accepted answer. Thanks a lot! – Marassa May 28 '22 at 15:46

1 Answer

3

One common way domain names become publicly known is through Certificate Transparency logs.

When you request a certificate for HTTPS/TLS, the Certificate Authority will publish information about this certificate on a transparency log. This is a security measure to make sure no unexpected certificates have been issued, and is now also required by the Chrome browser to be recognized as valid. You can inspect logs e.g. via the crt.sh search engine.

Of course, other actors can subscribe to CT log updates and crawl any new domains that appear.

To manage the impact of CT logs:

  • Assume that everything on the internet is public – there is no security by obscurity
  • If you don't want to broadcast the existence of a domain, consider using self-signed certificates for development purposes (but don't rely on this as a security measure!)
  • For subdomains, you do not need separate certificates if you obtain a wildcard certificate. For example, you could cover a domain foo.example.com with a separate certificate, or with a wildcard covering *.example.com. However, Certificate Authorities might have different fees or challenges for wildcard certificates.
amon
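A way to check the hypothesis from the comments (that the crawlers arrived only after the certificate was logged) without eyeballing timestamps, as an added Python example that is not part of the question or the answer: it parses the JSON that crt.sh returns for a search, finds the earliest CT log entry whose names cover the host, and lists every access-log hit that arrived after that moment with its delay in minutes. It also shows why the answer's wildcard advice reduces exposure: a `*.example.com` entry covers `foo.example.com` without the subdomain ever appearing in the log. Assumptions: the crt.sh JSON field names (`name_value`, `common_name`, `entry_timestamp`, `not_before`, `issuer_name`) and that its timestamps are UTC without a zone suffix; the host `newsite.example.com`, the CT entries and the Apache combined-format log lines are constructed for the example; `fetch_crtsh` is a hypothetical helper for a live lookup and is never called by the offline part.

```python
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical host; the site name from the question is not reproduced.
HOST = "newsite.example.com"

# Constructed sample in the shape of crt.sh's JSON output (output=json).
# Field names follow crt.sh; every value here is made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": HOST, "name_value": f"{HOST}\nwww.{HOST}",
     "entry_timestamp": "2022-05-28T13:42:10.5",      # when the CT log recorded it
     "not_before": "2022-05-28T12:42:10",             # validity start (often backdated)
     "not_after": "2022-08-26T12:42:09"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "other.example.com", "name_value": "other.example.com",
     "entry_timestamp": "2022-05-20T09:00:00",
     "not_before": "2022-05-20T08:00:00", "not_after": "2022-08-18T07:59:59"},
])

# Constructed access-log lines in Apache "combined" format (UTC). The first hit
# is the owner's own visit, the other two are unknown crawlers.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [28/May/2022:13:30:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/101.0"',
    '198.51.100.23 - - [28/May/2022:13:46:51 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.2) Mobile Safari/533.1"',
    '198.51.100.77 - - [28/May/2022:13:49:03 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (SymbianOS 9.4) AppleWebKit/525"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_ct_time(value: str) -> datetime:
    """crt.sh times look like '2022-05-28T13:42:10.5' (assumed UTC); drop the fraction."""
    base = value.split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_crtsh(json_text: str) -> List[Dict]:
    """Turn crt.sh JSON into entries with a set of covered names and the log time."""
    entries = []
    for row in json.loads(json_text):
        # name_value holds all SANs, newline-separated; include the CN as well.
        names = {n.strip().lower() for n in row["name_value"].split("\n") if n.strip()}
        names.add(row["common_name"].strip().lower())
        entries.append({"id": row["id"], "issuer": row["issuer_name"], "names": names,
                        "logged_at": parse_ct_time(row["entry_timestamp"]),
                        "not_before": parse_ct_time(row["not_before"])})
    return entries


def covers(name_pattern: str, host: str) -> bool:
    """Does a certificate name (possibly '*.example.com') cover this host?
    A wildcard matches exactly one label, as TLS clients apply it."""
    if name_pattern.startswith("*."):
        return host.endswith(name_pattern[1:]) and host.count(".") == name_pattern.count(".")
    return name_pattern == host


def first_exposure(entries: List[Dict], host: str) -> Optional[datetime]:
    """Earliest moment a CT entry covering the host became public (None if never)."""
    host = host.lower()
    times = [e["logged_at"] for e in entries if any(covers(n, host) for n in e["names"])]
    return min(times) if times else None


def parse_log_line(line: str) -> Optional[Dict]:
    """Parse one Apache combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "request": m.group("request"), "ua": m.group("ua")}


def hits_after_exposure(entries: List[Dict], host: str, log_lines: List[str],
                        own_ips: Tuple[str, ...] = ()) -> List[Tuple[str, float, str]]:
    """(ip, minutes after CT exposure, user agent) for every foreign hit after exposure."""
    exposed = first_exposure(entries, host)
    if exposed is None:
        return []
    result = []
    for line in log_lines:
        hit = parse_log_line(line)
        if hit is None or hit["ip"] in own_ips or hit["time"] < exposed:
            continue
        minutes = round((hit["time"] - exposed).total_seconds() / 60, 1)
        result.append((hit["ip"], minutes, hit["ua"]))
    return result


def fetch_crtsh(domain: str, timeout: float = 30) -> str:
    """Hypothetical live helper (needs network): crt.sh takes a %-wildcard in q= and output=json."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": f"%.{domain}", "output": "json"})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    ct = parse_crtsh(SAMPLE_CRTSH_JSON)
    print("first CT exposure:", first_exposure(ct, HOST))
    for ip, minutes, ua in hits_after_exposure(ct, HOST, SAMPLE_ACCESS_LOG, own_ips=("203.0.113.7",)):
        print(f"{ip} hit {minutes} min after exposure: {ua}")
```

Run against real data by replacing `SAMPLE_CRTSH_JSON` with `fetch_crtsh("yourdomain.example")` and the sample lines with your server's access log; if the foreign hits cluster a few minutes after `first_exposure`, the CT log is the source, which is exactly what the accepted comment predicts. Note that `not_before` is a poor reference point because some CAs backdate it, so the code correlates against `entry_timestamp` instead.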