lol. I minted a new TLS cert and it seems that OpenAI is scraping CT logs for what I assume are things to scrape from, based on the near instant response from this:
Dec 12 20:43:04 xxxx xxx[719]: l=debug m="http request" pkg=http httpaccess= handler=(nomatch) method=get url=/robots.txt host=autoconfig.benjojo.uk duration="162.176µs" statuscode=404 proto=http/2.0 remoteaddr=74.7.175.182:38242 tlsinfo=tls1.3 useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36; compatible; OAI-SearchBot/1.3; robots.txt; +https://openai.com/searchbot" referrr= size=19 cid=19b14416d95
wolf480pl@mstdn.io
replied 12 Dec 2025 20:57 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/Gxy2qrCkn1Y327Y6D3
benjojo
replied 12 Dec 2025 21:10 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115708595554461422
wolf480pl@mstdn.io
replied 13 Dec 2025 12:59 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/NgH2Xwlp4KhCTwHjRL
@benjojo
what if CT logs contained hash(domain, nonce) instead of containing the domain in plain, and the nonce was part of the CT inclusion proof?
benjojo
replied 13 Dec 2025 14:53 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115712376924287199
@wolf480pl the point of certificate transparency logs is so that outside observers can do the double-checking of the CA's certificate and policy in full; if you mess with any part of this, the entire system becomes deeply exploitable and difficult to end-to-end verify
wolf480pl@mstdn.io
replied 13 Dec 2025 15:55 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/lPLWBh3YCbFJBH4Dt6
@benjojo and I'm guessing some people look at all certs issued by CAs and verify certain criteria that may require knowing the domains... it's kinda sad that it provides domain enumeration, but I guess adding zero-knowledge proofs to the mix would've been too complex
oh, duh, I need to be able to find who's issuing certs for my domain
benjojo
replied 13 Dec 2025 18:00 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115713071072619432
@wolf480pl tbh domains are not really that secret, and if you depended on that then something was very wrong. You can work around a lot of this stuff by "just" using wildcard certs instead
wolf480pl@mstdn.io
replied 13 Dec 2025 18:07 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/pyX28McwZyTh14hy55
benjojo
replied 13 Dec 2025 23:29 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115713588719701003
@wolf480pl tbh I would argue why bother with DNSSEC (outside of extremely marginal situations), but NSEC3 even more
jamesog@mastodon.soc..
replied 12 Dec 2025 21:09 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/Gxy2qrCkn1Y327Y6D3
@benjojo It's interesting to watch web server logs to see what things pick up new CT entries the quickest
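The opening post shows a crawler hitting a brand-new hostname about half a minute after the cert appeared in CT, and jamesog's reply suggests watching server logs to see which bots pick up new CT entries fastest. The following is an added example, not code from anyone in this thread: it parses syslog-prefixed logfmt access-log lines of the same shape as the one posted above, and for each (host, user agent) pair reports how long after the certificate's NotBefore time the first request arrived. The log lines, hostnames, addresses, user agents and the NotBefore timestamp below are all constructed for the demo; the year (absent from a syslog prefix) and the UTC zone are assumptions the code makes explicit.

```python
"""Measure how quickly crawlers arrive after a TLS certificate is issued.

Added example, not code from the thread. Parses logfmt-style access-log
lines (syslog prefix followed by key=value pairs, quoted values allowed) and
reports, per host and user agent, the delay between certificate issuance and
the first request seen. All sample data below is constructed.
"""
import re
import shlex
from datetime import datetime, timezone

# Issuance time per hostname. In practice take NotBefore from the leaf cert
# (e.g. `openssl x509 -noout -startdate`); this value is constructed.
CERT_NOT_BEFORE = {
    "autoconfig.example.net": datetime(2025, 12, 12, 20, 42, 31, tzinfo=timezone.utc),
}

# Constructed access-log lines in the same logfmt shape as the post above.
SAMPLE_LOG = """\
Dec 12 20:43:04 host app[719]: l=debug m="http request" pkg=http handler=(nomatch) method=get url=/robots.txt host=autoconfig.example.net duration="162.176µs" statuscode=404 proto=http/2.0 remoteaddr=198.51.100.7:38242 tlsinfo=tls1.3 useragent="Mozilla/5.0 (compatible; ExampleSearchBot/1.0; +https://example.invalid/bot)" referrr= size=19 cid=19b14416d95
Dec 12 20:43:09 host app[719]: l=debug m="http request" pkg=http handler=(nomatch) method=get url=/ host=autoconfig.example.net duration="80.1µs" statuscode=404 proto=http/1.1 remoteaddr=203.0.113.9:51000 tlsinfo=tls1.2 useragent="curl/8.5.0" referrr= size=19 cid=19b14416d96
Dec 12 23:10:00 host app[719]: l=debug m="http request" pkg=http handler=(nomatch) method=get url=/robots.txt host=autoconfig.example.net duration="91.4µs" statuscode=404 proto=http/2.0 remoteaddr=192.0.2.44:4433 tlsinfo=tls1.3 useragent="Mozilla/5.0 (compatible; SlowCrawler/2.0)" referrr= size=19 cid=19b14416d97
"""

# "Mon DD HH:MM:SS hostname tag[pid]: <logfmt payload>"
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ \S+: (.*)$")


def parse_line(line, year=2025):
    """Parse one syslog-prefixed logfmt line into a dict, or None if it does
    not match. The syslog prefix carries neither year nor zone, so `year`
    and UTC are assumptions of this example, not facts from the log."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    mon, day, hms, payload = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    fields = {"ts": ts.replace(tzinfo=timezone.utc)}
    # shlex honours the double quotes around values such as the user agent,
    # so a quoted value containing spaces or semicolons stays one token.
    for token in shlex.split(payload):
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' are not logfmt pairs; skip them
            fields[key] = value
    return fields


def first_arrivals(lines, not_before, year=2025):
    """For every (host, useragent) pair seen after that host's NotBefore,
    return the earliest request: delay in seconds since issuance, remote
    address and URL, sorted fastest first. Hosts with no known NotBefore
    and requests that predate issuance are ignored."""
    first = {}
    for line in lines:
        f = parse_line(line, year)
        if not f or f.get("host") not in not_before:
            continue
        delay = (f["ts"] - not_before[f["host"]]).total_seconds()
        if delay < 0:
            continue  # predates the cert, so cannot have been learned from CT
        key = (f["host"], f.get("useragent", ""))
        if key not in first or delay < first[key]["delay_s"]:
            first[key] = {
                "host": key[0],
                "useragent": key[1],
                "delay_s": delay,
                "remoteaddr": f.get("remoteaddr", ""),
                "url": f.get("url", ""),
            }
    return sorted(first.values(), key=lambda r: r["delay_s"])


def fast_arrivals(lines, not_before, window_s=300, year=2025):
    """Arrivals within `window_s` seconds of issuance. For a hostname that
    was never published anywhere else, contact this soon after issuance is
    most plausibly driven by CT-log monitoring; the window is a tuning
    choice for this example, not a standard."""
    return [r for r in first_arrivals(lines, not_before, year) if r["delay_s"] <= window_s]


if __name__ == "__main__":
    for r in first_arrivals(SAMPLE_LOG.splitlines(), CERT_NOT_BEFORE):
        flag = "FAST" if r["delay_s"] <= 300 else "    "
        print(f"{flag} +{r['delay_s']:7.0f}s {r['host']} "
              f"{r['remoteaddr']:>22} {r['url']:<12} {r['useragent']}")
```

Run against real logs, the interesting output is the ordering: the user agents that consistently sit at the top of the list are the ones consuming CT logs in near real time, which is the measurement jamesog describes. The script assumes the host's access log is in logfmt with a syslog prefix; for another format only `SYSLOG_RE` and the key names (`host`, `useragent`, `remoteaddr`, `url`) need adjusting.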