Your super secret subdomain is not a super secret

You’ve started a new project, right? You want to show it off to a bunch of people, so you’re sending preview links to friends and supporters?

The subdomain you’re using is not private information. The obvious reason: the people you send it to can just pass the link on to anyone.

The less obvious reason is that there’s a public log of issued SSL/TLS certificates. If you’ve set up HTTPS of any kind for the subdomain, it’s now listed in the Certificate Transparency log. I already knew this, so I have no shame: these are all just subdomains I use for keeping track of which server things are on, so no biggie. In your case, though, this might also reveal your origin IP address and all sorts. Subdomains are not private. Stop doing that.

Not a believer? Try it out on tools.icnerd.com – chuck your domain into the Subdomain Sleuther tool and see what it brings back. This is a simplified list of subdomains found for the given domain. For a more thorough certificate dig, check out Google’s Transparency Report site.
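If you’d rather run that check yourself against your own domain, here is a small added example (not from this post, and not the Subdomain Sleuther tool’s code) that does the same thing the tools above do: it reads Certificate Transparency search results and pulls out every hostname that appears in a certificate. It assumes the JSON shape returned by crt.sh (`https://crt.sh/?q=%25.example.com&output=json`), where each record has a newline-separated `name_value` field of names from the certificate’s subject and SANs; the sample records embedded below are constructed for the example and are not real log entries. The live query in `fetch_ct_records` is optional and only runs when you pass a domain on the command line.

```python
"""Audit what Certificate Transparency logs reveal about a domain.

Added example, not code from the original post. It parses the JSON
format used by crt.sh, where each record carries a newline-separated
"name_value" field of DNS names taken from the certificate's subject
and subjectAltName entries. The sample records below are constructed.
"""
import json
import urllib.request
from urllib.parse import quote

# Constructed sample in crt.sh's JSON format (not real log entries).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00",
     "name_value": "staging.example.com\nwww.staging.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T00:00:00",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-03-15T00:00:00", "not_after": "2023-06-15T00:00:00",
     "name_value": "secret-preview-7f3a.example.com"},
    # Same name as record 3 in different case: renewals and case differences
    # produce duplicate entries that should collapse to one hostname.
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-03-15T00:00:00", "not_after": "2023-06-15T00:00:00",
     "name_value": "SECRET-PREVIEW-7f3a.example.com"},
])


def names_from_ct_records(records, domain):
    """Return the sorted set of hostnames under `domain` seen in CT records.

    Names are lower-cased and de-duplicated. A leading "*." is kept so
    wildcard certificates stay visible: a wildcard keeps the individual
    hostnames behind it out of the log, which is the usual way to avoid
    leaking them through CT in the first place.
    """
    domain = domain.lower().lstrip(".")
    found = set()
    for rec in records:
        for raw in rec.get("name_value", "").splitlines():
            name = raw.strip().lower()
            # Exact match or a proper subdomain (so "notexample.com" is excluded).
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def audit_ct_json(ct_json_text, domain):
    """Parse crt.sh-style JSON text and report hostnames found for `domain`."""
    return names_from_ct_records(json.loads(ct_json_text), domain)


def fetch_ct_records(domain, timeout=30):
    """Query crt.sh for certificates matching %.domain (needs network access)."""
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-subdomain-audit"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live audit of a domain you own: python ct_audit.py example.com
        records = fetch_ct_records(sys.argv[1])
        for name in names_from_ct_records(records, sys.argv[1]):
            print(name)
    else:
        # Offline demonstration on the constructed sample.
        for name in audit_ct_json(SAMPLE_CT_JSON, "example.com"):
            print(name)
```

On the constructed sample this lists five hostnames, including the "secret" preview name, which is exactly the point: anything that has ever had a certificate issued for it is in the log for good, and revoking or deleting the certificate does not remove the entry.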

Don’t just rely on hard-to-guess subdomains to hide your shiny new project. They’re public knowledge. Put some auth on it!
