logoalt Hacker News

andixyesterday at 3:05 PM2 repliesview on HN

Hostnames are not private information. There are too many ways how they get leaked to the outside world.

It can be useful to hide a private service behind a URL that isn't easy to guess (less attack surfaces, because a lot of attackers can't find the service). But it needs to be inside the URL path, not the hostname.

  bad: my-hidden-fileservice-007-abc123.example.com/
  good: fileservice.example.com/my-hidden-service-007-abc123/
In the first example the name is leaked with DNS queries, TLS certificates and many other possibilities. In the second example the secret path is only transmitted via HTTPS and doesn't leak as easy.

Replies

amichalyesterday at 4:50 PM

Marginally better for sure but in this case the path would also have been "leaked" to the sentry instance owned by developers of the the NAS device phoning home. This can happen in zillions of ways and is a good reason to use relatively opaque urls in generally and not "friendly ids" and generally being careful abou putting secrets in URLs.

show 1 reply
Wowfunhappyyesterday at 5:32 PM

Curious, does this still apply if http is used exclusively?

show 1 reply