Security implications of Let's Encrypt

binbash · February 5, 2019, 8:41pm

Hi, I have been setting up my home Nextcloud server and my latest step has been to try to secure it with SSL. I have found out that many people seem to be using Let’s Encrypt. I know that this tool would work for me. What concerns me a bit is their privacy policy which basically seems to state that all IP addresses and DNS records are liable to being made public and searchable. Whether they are actually doing this at the moment or not I don’t know.

But what I was thinking is that a potential hacker doesn’t need to bother finding me and trying to establish whether I’m running a web server if Let’s Encrypt is basically going to publicly advertise that I am running such a service on my IP address. At the moment my IP address is not on any public DNS as I’m using a dynamic DNS subdomain service. I realise that my Nextcloud server is not completely invisible to the world at the moment and that there are ways of finding out that it exists but it would still seem to me that the details being publicly advertised would raise the threat level.

Am I just being paranoid or do I have genuine concerns? At the moment I’m using a private root certificate but it’s not a very eloquent solution as it has to be installed on every device I access the server with.

tflidd · February 6, 2019, 10:10am

If you prefer to remain invisible for the world, it is better to rely on your personal CA which you need to import to all of your clients.

Regarding Letsencypt, it is probably better to discuss with them if it is really necessary to have all this information being available to public. You can’t see that someone is running Nextcloud (except it’s in the subdomain) and just knowing someone is using a ssl certificate, well there are millions of it.

In many cases, you want to use your Nextcloud to share files with others, so by definition it becomes known to someone that you have such a service. Your security concept shouldn’t rely on the fact that nobody knows it.

binbash · February 8, 2019, 1:44am

Thanks, that would seem to be sound advice to be fair. I’ve gone with Letsencrypt now and glad I did to be honest as it makes things a lot easier.

anon99283430 · February 8, 2019, 7:42pm

If you are using a public domain (e.g. myprivatecloud.com) for your server, even more data is publicy available…just try a whois at the domain registry.

binbash · February 10, 2019, 3:23am

I’m only using a subdomain of a DDNS provider but I’ve since realised that the subdomain records are public anyway, i.e. in Linux dig mysubdomain.example.org returns an A Record with my IP address on it.