
Should you use Let’s Encrypt for internal hostnames?



Julien Savoie has written a brilliant post explaining how you can enable https on your intranet.

This is useful for several reasons. It means your employees aren’t constantly fighting browser warnings when trying to submit stuff internally. All your http traffic is encrypted. You don’t need to install a self-generated root certificate on devices. Lovely!

But there’s a downside. Every TLS certificate created by Let’s Encrypt is recorded in a Certificate Transparency log. These CT logs are primarily to detect maliciously or mistakenly issued certificates. For example, you can look through them and see that someone unauthorised has created a cert for your domain – or its sub-domains.

The catch is that the CT logs are public and searchable. Here are all the certificates issued for Twitter’s sub-domains.

There are a few ways that this can be dangerous for use with internal services.


Firstly, it aids reconnaissance for attackers. Having a “map” of your internal infrastructure is useful. Especially if you have “obviously” named servers like exchange.example.com or customerdata.example.com. Also handy for social engineering – who else but someone internal would know that gandalf.example.com was a valid server?

Secondly, it might expose some vulnerabilities – depending on how you name things. Let’s hope you don’t have log4j.example.com!

Thirdly, there’s the potential for espionage. Do you want your competitors knowing that you’ve got olympics-campaign.staging.example.com?

I’m sure you can think of a few other ways this could be used for mischief and mayhem.

As I wrote a few years ago, “There’s no HTTPS for the Internet of Things”. Internal networks which only have IP addresses cannot use TLS certificates. OK, so you decide to have an internal DNS – now the whole world knows you have doorbell-model-xyz.myhome.example.com!


The only real answer to this is to use Wildcard Certificates. You can get a TLS certificate for *.internal.example.com.

This requires setting up a DNS-01 Challenge – which can be more difficult to configure and has some non-obvious risks. And, sadly, Wildcard certificates come with their own difficulties.
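As an added example (not from the original post or from Julien Savoie’s article), here is a small Python audit of a constructed crt.sh-style export of your own domain’s CT entries: it reports names that are neither intended to be public nor one of the wildcards you issued to keep internal leaves private, and separately flags per-host certificates issued inside a wildcard zone, which put the hidden name straight back into the log. The record shape and every hostname below are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like the JSON a crt.sh domain search returns
# (one record per CT log entry; "name_value" carries the certificate's names,
# newline-separated). All hostnames here are invented for the example.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "exchange.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "olympics-campaign.staging.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.internal.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "gandalf.internal.example.com"},
])

# Names the organisation intends to be public; anything else is a finding.
PUBLIC_NAMES = {"example.com", "www.example.com"}
# Wildcards deliberately issued so that internal leaf names never reach CT.
ISSUED_WILDCARDS = {"*.internal.example.com"}


def ct_names(ct_json):
    """Yield each distinct, lower-cased hostname present in the CT records."""
    seen = set()
    for record in json.loads(ct_json):
        for name in record["name_value"].splitlines():
            name = name.strip().lower()
            if name and name not in seen:
                seen.add(name)
                yield name


def under_wildcard(name):
    """True when a concrete hostname sits inside one of our wildcard zones."""
    return any(name.endswith(w[1:]) for w in ISSUED_WILDCARDS)


def classify(name):
    if name in PUBLIC_NAMES or name in ISSUED_WILDCARDS:
        return "expected"
    if under_wildcard(name):
        # A per-host cert inside the wildcard zone re-exposes the very name
        # the wildcard was bought to hide.
        return "leaks-under-wildcard"
    return "unexpected"


def audit(ct_json):
    """Group every non-expected CT name by the kind of finding it represents."""
    findings = defaultdict(list)
    for name in ct_names(ct_json):
        verdict = classify(name)
        if verdict != "expected":
            findings[verdict].append(name)
    return {kind: sorted(names) for kind, names in findings.items()}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CT_JSON), indent=2))
```

Run it against a real export of your own domain periodically; an "unexpected" entry is either an internal name that has leaked into CT or a certificate you never asked for, and both deserve a look.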


I don’t think there’s a good solution to this.

  • Self-signed certificates require something to be installed on all clients. Not always possible with BYOD.
  • Named LE certificates expose details of your infrastructure which you may wish to keep private.
  • Wildcard certificates require a heightened level of co-ordination and management.

These problems have all been discussed before. But I can’t help wishing that there was something obvious I’m missing.

How would you solve this knotty problem?



1 Comment

  1. Several comments here mention running your own CA. Maybe that could be a signed intermediate CA with the Name Constraint extension [0] (and critical bit?), but one roadblock on this path is that allegedly Apple devices do not support that extension (edit: actually this was fixed! see reply). You there, @ LetsEncrypt?

    To address the article: a recent related discussion, "Analyzing the public hostnames of Tailscale users" [1], indicates in the title one reason you might not want to use LE for internal hostnames. There was a discussion about intermediate CAs there as well [2] with some more details.

    [0]: http://pkiglobe.org/name_constraints.html

    [1]: https://news.ycombinator.com/item?id=29579806

    [2]: https://news.ycombinator.com/item?id=29614971
