Your super secret subdomain is not a super secret

You’ve started a new project, right? Figure you want to show it off to a bunch of people. Sending preview links to friends and supporters?

The subdomain you’re using is not private information. The obvious – the people you send it to could just link it to anyone.

The less obvious is that there’s a public log of SSL certificates issued. If you’ve set up HTTPS of any kind for the subdomain it’s now listed in the Certificate Transparency log. I already knew this so I have no shame, these are all just subdomains I use for keeping track of which server things are on so no biggie. In your case though this might also reveal your origin IP address and all sorts. Subdomains are not private. Stop doing that.

Not a believer? Try it out on tools.icnerd.com – chuck your domain into the Subdomain Sleuther tool and see what it brings back. This is a simplified list of subdomains found for the given domain. For a more thorough certificate dig check out Google’s Transparency Report site.
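If you’d rather audit your own domain with a script than a web tool, here’s an added example (my own, not the Subdomain Sleuther code) that parses Certificate Transparency entries in the JSON shape returned by crt.sh and lists every hostname under your domain that a certificate has already published. The crt.sh endpoint and its `name_value` field are assumptions about that service, and the sample entries are constructed, not real log data.

```python
"""List which hostnames Certificate Transparency logs expose for a domain."""
import json
import urllib.request
from urllib.parse import quote

# Constructed sample in crt.sh's JSON shape (not real log data): one entry per
# certificate, with every SAN name packed into a newline-separated string.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "preview.example.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "example.com\nwww.example.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "*.staging.example.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "Secret-Beta.Example.COM", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "notexample.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},   # lookalike, not ours
    {"name_value": "preview.example.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},  # renewed cert
])


def exposed_hostnames(ct_json: str, domain: str) -> list[str]:
    """Return the sorted, de-duplicated hostnames under `domain` found in CT entries.

    Names are case-folded and trailing dots stripped; wildcard names keep their
    '*.' prefix so a wildcard cert shows up too. Lookalike domains that merely
    end with the same letters (notexample.com) are excluded by the dot check.
    """
    domain = domain.lower().strip(".")
    found = set()
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def fetch_ct_json(domain: str, timeout: float = 30.0) -> str:
    """Fetch live entries from crt.sh (needs network; URL shape is an assumption)."""
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap in fetch_ct_json("yourdomain.example") to check a real domain.
    for host in exposed_hostnames(SAMPLE_CT_JSON, "example.com"):
        print(host)
```

Every name this prints was public the moment the certificate was issued, so if a hostname you meant to keep quiet shows up, the fix is authentication, not a harder-to-guess name.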

Don’t just rely on hard to guess subdomains to hide your shiny new project. They’re public knowledge. Put some auth on it!
