lol. I minted a new TLS cert and it seems that OpenAI is scraping CT logs for what I assume are things to scrape from, based on the near instant response from this:
Dec 12 20:43:04 xxxx xxx[719]:
l=debug
m="http request"
pkg=http
httpaccess=
handler=(nomatch)
method=get
url=/robots.txt
host=autoconfig.benjojo.uk
duration="162.176µs"
statuscode=404
proto=http/2.0
remoteaddr=74.7.175.182:38242
tlsinfo=tls1.3
useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36; compatible; OAI-SearchBot/1.3; robots.txt; +https://openai.com/searchbot"
referrr=
size=19
cid=19b14416d95
wolf480pl@mstdn.io
replied 12 Dec 2025 20:57 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/Gxy2qrCkn1Y327Y6D3
@benjojo
wp-login.php bots have been doing that for years so I'd be surprised if OpenAI didn't
benjojo
replied 12 Dec 2025 21:10 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115708595554461422
@wolf480pl yeah and I guess it's a non terrible way of "seeding" a "search engine"
wolf480pl@mstdn.io
replied 13 Dec 2025 12:59 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/NgH2Xwlp4KhCTwHjRL
@benjojo
what if CT logs contained hash(domain, nonce) instead of containing the domain in plain, and the nonce was part of the CT inclusion proof?
benjojo
replied 13 Dec 2025 14:53 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115712376924287199
@wolf480pl the point of certificate transparency logs is so that outside observers can do the double-checking of the CA's certificate and policy in full, if you mess with any part of this, the entire system becomes deeply exploitable and difficult to end-to-end verify
wolf480pl@mstdn.io
replied 13 Dec 2025 15:55 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/lPLWBh3YCbFJBH4Dt6
@benjojo and I'm guessing some people look at all certs issued by CAs and verify certain criteria that may require knowing the domains... it's kinda sad that it provides domain enumeration, but I guess adding zero-knowledge proofs to the mix would've been too complex
oh, duh I need to be able to find who's issuing certs for my domain
benjojo
replied 13 Dec 2025 18:00 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115713071072619432
@wolf480pl tbh domains are not really that secret, and if you depended on that then something was very wrong. You can work around a lot of this stuff by "just" using wildcard certs instead
wolf480pl@mstdn.io
replied 13 Dec 2025 18:07 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/pyX28McwZyTh14hy55
@benjojo
but then why bother with NSEC3...
benjojo
replied 13 Dec 2025 23:29 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115713588719701003
@wolf480pl tbh I would argue why bother with DNSSEC (outside of extremely marginal situations), but NSEC3 even more
[email protected]..
replied 12 Dec 2025 21:09 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/Gxy2qrCkn1Y327Y6D3
@benjojo It's interesting to watch web server logs to see what things pick up new CT entries the quickest
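
Added example, not part of the thread: one way to measure what the last post describes, by parsing access-log lines shaped like the one quoted at the top and reporting how long each client took to show up after a certificate was issued. The sample lines, hostnames, addresses, the issuance times and the function names `parse_line` and `first_hits` are all constructed for illustration; issuance times are assumed to come from your own ACME client log.

```python
import shlex
from datetime import datetime

# Constructed sample lines in the shape of the log entry quoted in the thread
# (syslog prefix, then logfmt key=value pairs). Hosts, IPs and agents are made up.
SAMPLE_LOG = '''\
Dec 12 20:43:04 web app[719]: l=debug m="http request" method=get url=/robots.txt host=new.example.net statuscode=404 remoteaddr=192.0.2.10:38242 useragent="ExampleSearchBot/1.0; +https://bot.example/info"
Dec 12 20:43:09 web app[719]: l=debug m="http request" method=get url=/wp-login.php host=new.example.net statuscode=404 remoteaddr=198.51.100.7:51110 useragent="Mozilla/5.0 (X11; Linux x86_64)"
Dec 12 20:50:00 web app[719]: l=debug m="http request" method=get url=/ host=old.example.net statuscode=200 remoteaddr=203.0.113.5:40000 useragent="curl/8.5.0"
'''

# Assumption: issuance time per hostname, taken from your own ACME client log.
ISSUED = {"new.example.net": datetime(2025, 12, 12, 20, 42, 58)}

def parse_line(line, year):
    """Split one syslog+logfmt line into (timestamp, fields dict)."""
    prefix, _, rest = line.partition("]: ")
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {prefix[:15]}", "%Y %b %d %H:%M:%S")
    fields = {}
    for token in shlex.split(rest):        # shlex keeps quoted values together
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return ts, fields

def first_hits(log_text, issued, year=2025):
    """For each newly certified host, the delay to the first request per client."""
    hits = {}
    for line in filter(None, log_text.splitlines()):
        ts, f = parse_line(line, year)
        host = f.get("host")
        if host not in issued or ts < issued[host]:
            continue                       # not a new cert, or predates it
        key = (host, f.get("useragent", ""))
        delay = (ts - issued[host]).total_seconds()
        if key not in hits or delay < hits[key][0]:
            hits[key] = (delay, f.get("url"), f.get("remoteaddr", "").rsplit(":", 1)[0])
    return sorted((d, h, ua, url, ip) for (h, ua), (d, url, ip) in hits.items())

if __name__ == "__main__":
    for delay, host, ua, url, ip in first_hits(SAMPLE_LOG, ISSUED):
        print(f"{delay:6.0f}s  {host}  {url}  {ip}  {ua}")
```

Requests for a hostname that has never been linked or resolved anywhere else, arriving seconds after issuance, are a reasonable signal that the client learned the name from CT.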