one honk maybe more

benjojo posted 31 Oct 2023 19:55 +0000

Ahh yes, the feeling of issuing a TLS cert and watching all of the bots (that just learned about my hostname via Certificate Transparency PreCerts) racing and climbing over each other to be the first one to fuck up whatever application they are looking for.

Go bots! Go!

cks@mastodon.social replied 01 Nov 2023 01:29 +0000
@filippo @benjojo As a sysadmin, I feel torn. On the one hand, a delay might help me if my new server could have issues (but someone might hit it anyway, depending). On the other hand, a delay hurts me if someone has gotten a certificate for one of my hosts, since they have 24 hr+ to use the certificate.

(I tend to come down on the side of 'publish now' in the end, partly because I've seen new web servers get hit right away even before CT logs.)

benjojo replied 01 Nov 2023 12:14 +0000
In general yeah, you should be doing wildcard cert. But also in general, if the DNS name being unknown was the only thing that was keeping bad things from happening, you are in some seriously bad shape :)

[Full disclosure: I'm not really a neutral player in this debate, since bgp.tools uses some of this stuff to its advantage]

benjojo replied 01 Nov 2023 12:17 +0000
@cks @filippo @erincandescent IMHO there is likely a good argument for a mid-way 1hr delay.

Solves the "I just set up PHPMyAdmin an- oh it's gone" problem, while not delaying the process of notifications by too much.

All of this is made quite brutal by "AutoCert" based stuff, where certs are issued far far faster than the infra behind the cert can safely take requests (then there is another argument on "why is your setup.php file unsafe by default")
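The mechanism the thread is arguing about, shown as an added example that is not code from anyone in the thread: a CT precertificate carries the same SANs as the final certificate plus the RFC 6962 poison extension (OID 1.3.6.1.4.1.11129.2.4.3), so anyone reading the log sees the hostname before the host is necessarily ready. The program below builds a few constructed self-signed certificates (one with the poison extension, one without, one for an unrelated zone) and runs the check a CT watcher would run on each log entry: flag precerts and match the names against a watched zone. The `example.com` zone, the hostnames, and the `inspect`/`makeCert` helper names are assumptions made for the example; the wildcard case illustrates the point above that a wildcard cert reveals only the zone, not the individual host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RFC 6962 section 3.1: the precertificate poison extension. It is marked
// critical so that no TLS client will accept the precert as a real cert.
var oidPrecertPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

// Observation is what a CT watcher learns from one log entry.
type Observation struct {
	Precert  bool     // poison extension present: logged before final issuance
	DNSNames []string // SANs, i.e. the hostnames that just became public
	Matched  []string // SANs that fall under one of the watched zones
}

// inspect parses a DER certificate the way a CT consumer does and reports
// whether it is a precert and which of its names fall under watched zones.
// Go leaves the unknown critical poison extension in
// UnhandledCriticalExtensions rather than failing to parse, which is what
// lets log readers extract SANs from precerts at all.
func inspect(der []byte, watched []string) (Observation, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Observation{}, err
	}
	obs := Observation{DNSNames: cert.DNSNames}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidPrecertPoison) {
			obs.Precert = true
		}
	}
	for _, name := range cert.DNSNames {
		for _, zone := range watched {
			if name == zone || strings.HasSuffix(name, "."+zone) {
				obs.Matched = append(obs.Matched, name)
			}
		}
	}
	return obs, nil
}

// makeCert constructs a self-signed certificate for the example (not a real
// issued cert). With precert=true it adds the poison extension, whose value
// is the ASN.1 NULL encoding 05 00.
func makeCert(names []string, precert bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	if precert {
		tmpl.ExtraExtensions = []pkix.Extension{{
			Id: oidPrecertPoison, Critical: true, Value: []byte{0x05, 0x00},
		}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	watched := []string{"example.com"} // assumed zone being monitored
	cases := []struct {
		names   []string
		precert bool
	}{
		{[]string{"phpmyadmin.example.com"}, true}, // leaks the exact host
		{[]string{"*.example.com"}, false},         // leaks only the zone
		{[]string{"unrelated.test"}, true},         // someone else's cert
	}
	for _, c := range cases {
		der, err := makeCert(c.names, c.precert)
		if err != nil {
			panic(err)
		}
		obs, err := inspect(der, watched)
		if err != nil {
			panic(err)
		}
		fmt.Printf("precert=%v names=%v matched=%v\n", obs.Precert, obs.DNSNames, obs.Matched)
	}
}
```

The same `inspect` logic is the core of a self-monitoring watcher: the matched-names check is the notification cks wants (someone obtained a cert under your zone), and the precert flag is why no log delay can change the fact that the name is visible before the final cert, and before whatever sits behind it, is ready.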