A few days ago, Let’s Encrypt went into public beta. At the time of writing this article, almost 120k certificates have been issued, including the certificate for TechOverflow.
I really like the Let’s Encrypt service and I believe it might actually change the way people perceive HTTPS encryption. However, there is one rarely-mentioned side-effect when protecting your domains with their certificates.
Let’s Encrypt publishes certificate transparency logs at crt.sh. This transparency does not come without side-effects, however: crt.sh effectively publishes.
In other words, hiding sites from the public by not publishing their (sub-)domain names anywhere will not work when you issue a certificate for the domain on services like Let’s Encrypt.
For demonstration, I quickly hacked together a script that will automatically fetch a definable number of crt.sh IDs and print out their domain names. It will start at the most recent certificate from Let’s Encrypt that is present in the crt.sh database.
Use it like this to fetch 1000 certificates:
$ letsencrypt-domains.py 1000
Note that 1000 certificates do not necessarily correspond to 1000 domain names: on the one hand, people sometimes re-issue certificates while getting used to Let’s Encrypt’s mechanics; on the other hand, one certificate may contain multiple domain names.
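The flip side of this exposure is that a domain owner can use the same log data to audit what crt.sh reveals about their own zone. The script below is an added example written for this post, not the letsencrypt-domains.py script described above. It works on records in the shape crt.sh returns for a JSON search (the query form `?q=%25.example.com&output=json` and the field names `id`, `issuer_name`, `name_value` and `not_before` are assumed from that interface), folds the newline-separated names of every certificate into one inventory, and flags names that are not on the owner's own list. The records it runs on are constructed sample data, not real log entries; the optional network fetch is kept separate so the rest runs offline.

```python
"""Audit which names under your domain are visible in certificate transparency data.

Added example (not the original post's script). Assumes the crt.sh JSON search
format: a list of objects with at least "id", "issuer_name", "name_value" and
"not_before", where "name_value" holds newline-separated certificate names.
"""
import json
import urllib.request
from collections import defaultdict

# Assumed crt.sh JSON search URL; "%25" is the URL-encoded "%" wildcard.
CRT_SH_JSON = "https://crt.sh/?q=%25.{domain}&output=json"

# Constructed sample records in the crt.sh JSON shape (not real log entries).
SAMPLE_RECORDS = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1",
     "name_value": "example.com\nwww.example.com", "not_before": "2015-12-04T10:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1",
     "name_value": "example.com\nwww.example.com", "not_before": "2015-12-05T08:30:00"},  # re-issue
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1",
     "name_value": "staging.example.com\ninternal-git.example.com",
     "not_before": "2015-12-06T12:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1",
     "name_value": "*.example.com", "not_before": "2015-12-07T09:00:00"},
]


def extract_names(records):
    """Map each exposed name to the set of certificate IDs that list it.

    One certificate may carry several names and the same name may recur across
    re-issued certificates, which is why certificate count != name count.
    """
    names = defaultdict(set)
    for rec in records:
        for name in rec.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name:
                names[name].add(rec["id"])
    return dict(names)


def unexpected_names(records, known_names):
    """Names present in the log that are missing from the owner's own inventory."""
    known = {n.lower() for n in known_names}
    return sorted(n for n in extract_names(records) if n not in known)


def fetch_records(domain, timeout=30):
    """Download the JSON search result for a domain (network call; not used in the demo)."""
    url = CRT_SH_JSON.format(domain=domain)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize(records, known_names):
    """Return (certificate count, distinct name count, unexpected names)."""
    cert_ids = {rec["id"] for rec in records}
    names = extract_names(records)
    return len(cert_ids), len(names), unexpected_names(records, known_names)


if __name__ == "__main__":
    # The owner's own inventory of public hostnames (constructed for the demo).
    inventory = ["example.com", "www.example.com", "staging.example.com"]
    certs, distinct, surprises = summarize(SAMPLE_RECORDS, inventory)
    print(f"{certs} certificates, {distinct} distinct names exposed")
    for name, ids in sorted(extract_names(SAMPLE_RECORDS).items()):
        print(f"  {name:30s} in certificates {sorted(ids)}")
    print("Names not in your inventory:", surprises)
```

Running this against a real search result instead of the constructed sample is a one-line change (`records = fetch_records("example.com")`); any hostname that appears in the "not in your inventory" line is one the log already made public, whether it was meant to be or not, and a wildcard entry there is worth checking against who is allowed to request certificates for the zone.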