4

I have a bunch of services which I want to group under a subdomain. Somehow 2-factor authentication is not possible to identify the users of these services. I have a thought to have randomly named subdomain to make it difficult for the attackers to know my subdomain. So, let's say I have a domain example.com and I want to group service1, service2, service3 under the same randomly named subdomain, then my urls would look like:

https://q45vzle.example.com/service1
https://q45vzle.example.com/service2
https://q45vzle.example.com/service3

The q45vzle is the randomly named subdomain. Does having such a subdomain name really help in preventing it from getting discovered? If yes, then how strong the random subdomain name needs to be? If no, what could be the security method which I can use for this situation?

Feel free to correct me if I am having a whole series of wrong thoughts.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Navjot Singh
  • 143
  • 3
  • We have a bunch of similar questions that you might be interested in: https://security.stackexchange.com/questions/83801/is-a-long-random-string-in-a-url-considered-adequate-protection-from-unauthoris and https://security.stackexchange.com/questions/89108/is-a-website-published-in-an-obscure-directory-comparably-secure-to-being-placed and https://security.stackexchange.com/questions/58215/are-random-urls-a-safe-way-to-protect-profile-photos – schroeder Jan 21 '20 at 15:25
  • Short answer is "no". – schroeder Jan 21 '20 at 15:27
  • @schroeder I would appreciate a detailed answer. – Navjot Singh Jan 21 '20 at 15:28
  • Read the linked answers? – schroeder Jan 21 '20 at 15:29
  • @NavjotWaraich See [this](https://stackoverflow.com/questions/13017118/is-subdomain-part-of-a-https-url-secure) question for one that's more in line with yours, since this one focuses on the actual subdomain part of HTTPS. – user Jan 21 '20 at 15:29
  • @user so can I say, it is totally useless to have random subdomain as the sniffer would eventually get there by IP address? – Navjot Singh Jan 21 '20 at 15:33
  • 1
    @NavjotWaraich No, more useless because either DNS requests or web client `host` headers will give it away to a MITM attack. – user Jan 21 '20 at 15:34
  • Does this answer your question? [Are random URLs a safe way to protect profile photos?](https://security.stackexchange.com/questions/58215/are-random-urls-a-safe-way-to-protect-profile-photos) –  Jan 21 '20 at 17:07

2 Answers2

5

You should assume that an attacker can observe traffic. This may happen at your network endpoint, at the client's end, or somewhere in between.

On the client side, the attacker will see DNS resolution for random.example.com if he is observing your users, and he may also discover this domain name if he attempts to access to site directly (this second method depends on how tightly you control references/redirects on the main site to the subdomain).

Plus, if you are using certificates for TLS (as you should be), you will have a certificate listing random.example.com, either as the named entity or an alternative name. That will be visible on the wire.

An attacker may be able to browse the DNS zone records in a more direct fashion. As a general rule, you should assume that everything you publish to DNS is available to everyone. If a legitimate client can find the record for that subdomain, so can nefarious users. If you try to hide the subdomain name behind a wildcard record, then the attacker will know the destination IP address regardless.

In the absence of two-factor authentication, a strong password authentication implementation is your primary security. This implies both reasonably complex passwords and a modern hashing algorithm such as scrypt or Argon2. Additional measures would depend on the application and the users. If you can restrict access via firewall, that would be a good step; however, this is only feasible if users can register devices quickly or in advance.

Your question isn't clear if only hardware-based 2FA is excluded. Don't forget about the second-class 2FA options, if permissible. They are better than nothing. If you can transmit a secret to the users out of band via email/text/phone, it is a worthwhile effort.

Alternatively, you could provide a passcode during registration/enrollment, and your site will accept that code to issue a permanent cookie; that cookie can then act as the second factor.

Unfortunately, these methods can be compromised, unlike a hardware 2FA device. Realistically, most sites use nothing more than TLS and a strong password requirement, and they are fine.

DoubleD
  • 3,862
  • 1
  • 6
  • 14
  • Through TLS1.2 you could use a cert with wildcard name `*.example.com` although depending on the CA that might cost you more; in TLS1.3 the server cert is encrypted. OTOH SNI is readable (and exact, not wildcard) always through 1.2, and by default in 1.3 unless and until everyone involved with your site (including you) implements ESNI. That said, I concur relying on secret subdomain is just too fragile. – dave_thompson_085 Jan 22 '20 at 04:41
3

The q45vzle is the randomly named subdomain. Does having such a subdomain name really help in preventing it from getting discovered? If yes, then how strong the random subdomain name needs to be? If no, what could be the security method which I can use for this situation?

In short no.Even if you were to create random subdomain names which are hard to bruteforce by an adversary your biggest enemy would be something called Certificate Transparency .Your domain and subdomains should be picked up by ct logs.There are many more subdomain enumeration techniques involving google dorking,bruteforcing,harvesting or some third party eventually picking up your subdomains.

Trying to hide sensitive functionality by naming subdomains is no security measure in 2020.

yeah_well
  • 3,699
  • 1
  • 13
  • 30