<b>What does an attacker learn by watching Certificate Transparency logs in real time?</b>
Certificate Transparency (CT, RFC 6962) is a defensive system: public, append-only logs let anyone detect mis-issued certificates. But the same public-by-design property is a reconnaissance gift, and treating CT purely as a defense misreads its threat surface.
Every time a CA issues a certificate, it is logged within the Maximum Merge Delay (typically 24 hours), with the full set of subject names. An attacker subscribing to CT log feeds (via the get-entries API or aggregators like crt.sh) sees, in near real time, every hostname an organization provisions. Request a certificate for staging-newproduct.example.com or vpn-internal.example.com, and you have just published your internal naming and, often, the existence of unannounced infrastructure to anyone watching.
This is exploited in practice. Automated tooling watches CT for newly issued certificates on freshly registered domains and probes them for misconfiguration within minutes of issuance: the certificate's appearance in the log is the starting gun. Subdomain enumeration via crt.sh is a standard first step in penetration testing precisely because CT makes it free and complete.
The mitigation is not opting out — public-trust certificates must be logged. It is to assume names are public the moment a certificate exists: use wildcard certificates to avoid logging individual internal hostnames, and never rely on an unguessable subdomain as a secret.
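The same feed serves the defender. The following is an added example, not code from the post: it reads the JSON that crt.sh returns for a domain query, lists every logged name that is not in your approved public inventory (the list an attacker watching CT would act on), and flags the names a wildcard already in that inventory would have covered, so they never needed to be logged individually. The crt.sh field names are those of its JSON output; the entries, the domain and the inventory are constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (?q=%.example.com&output=json).
# Field names follow crt.sh; every value below is made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "entry_timestamp": "2024-03-01T10:00:00", "not_before": "2024-03-01T09:58:00",
     "issuer_name": "C=US, O=Example CA", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "entry_timestamp": "2024-03-02T08:15:00", "not_before": "2024-03-02T08:10:00",
     "issuer_name": "C=US, O=Example CA", "common_name": "staging-newproduct.example.com",
     "name_value": "staging-newproduct.example.com"},
    {"id": 3, "entry_timestamp": "2024-03-02T09:00:00", "not_before": "2024-03-02T08:55:00",
     "issuer_name": "C=US, O=Example CA", "common_name": "*.example.com",
     "name_value": "*.example.com\nvpn-internal.example.com"},
])

# Constructed inventory: the names this organisation intends to be public.
APPROVED_PUBLIC_NAMES = {"example.com", "www.example.com", "*.example.com"}

def names_in_entry(entry):
    """crt.sh packs every subject name of the certificate into name_value, one per line."""
    return {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}

def wildcard_covers(wildcard, name):
    """'*.example.com' matches exactly one additional left-most label, nothing deeper."""
    if not wildcard.startswith("*."):
        return wildcard == name
    suffix = wildcard[1:]                      # ".example.com"
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]               # what the '*' stands for
    return bool(label) and "." not in label

def find_exposures(crtsh_json, approved):
    """Return (name, crt.sh id, minutes from not_before to log entry) for each logged
    name outside the approved inventory: what an attacker learned, and how fast."""
    findings = []
    for entry in json.loads(crtsh_json):
        logged = datetime.fromisoformat(entry["entry_timestamp"])
        issued = datetime.fromisoformat(entry["not_before"])
        delay_min = (logged - issued).total_seconds() / 60
        for name in sorted(names_in_entry(entry)):
            if name not in approved:
                findings.append((name, entry["id"], delay_min))
    return findings

def names_needing_wildcard(findings, approved):
    """Exposed names a wildcard in the inventory already covers: these should have been
    issued under the wildcard instead of being published in the log one by one."""
    wildcards = [a for a in approved if a.startswith("*.")]
    return sorted({n for n, _, _ in findings if any(wildcard_covers(w, n) for w in wildcards)})
```

Entry 3 shows the common mistake the post describes: a wildcard certificate that still lists the individual internal hostname as a SAN, publishing it anyway.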
Evidence vs. speculation: CT logging is mandatory and public (RFC 6962); the recon use is well-documented in offensive security practice. The defensive value and the recon value are two faces of the same transparency guarantee.
<b>Further reading:</b> RFC 6962; crt.sh; RFC 9162 (CT v2).
<b>Bottom line:</b> A certificate is a public announcement — anyone monitoring CT sees your hostnames within a day, so wildcard-issue internal names and never treat a subdomain as a secret, because transparency cuts both ways.
Handshake Papers
@HandshakePapers
This post was published in the Telegram channel Handshake Papers. You can subscribe via the link: @HandshakePapers.