by LeonM 2842 days ago
I write security reports for websites, and I use CT to inform the website owner if there are unused certificates for the given domain. Usually the customer is quite surprised that this information is publicly available.

But in 99% of the cases it's not so much a security problem. For bug hunters it may be usable as unlisted subdomains have less exposure, so they may be the first to scan it for bugs. It is still a concern for the website owner though, because they don't want the world to know about a new product or experiment they are running.

General advice: don't obtain certificates for a subdomain until you are ready to tell the world about it.

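An added example, written for this thread and not LeonM's own tooling: a small Python script that does the owner-side review described above. It takes a crt.sh-style JSON listing of certificates logged for a domain (the records below are constructed, with crt.sh's field names but made-up values), pulls every DNS name out of each certificate's SAN list, and reports the names that are not on the owner's list of announced hostnames, separating the ones whose certificate is still within its validity period. The `review_ct` function, the `inventory` set and the sample data are all assumptions of this example.

```python
import json
from datetime import datetime

# Constructed sample shaped like the JSON records crt.sh returns for a
# domain search (same field names; every value here is made up).
SAMPLE_CT_RECORDS = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "beta-payments.example.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-02T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.example.com",
     "not_before": "2022-06-01T00:00:00", "not_after": "2023-06-01T00:00:00"},
])


def parse_ct_records(records_json):
    """Map every DNS name found in the CT records to the records carrying it."""
    by_name = {}
    for rec in json.loads(records_json):
        # crt.sh joins a certificate's SAN entries with newlines in name_value
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                by_name.setdefault(name, []).append(rec)
    return by_name


def _is_valid_at(rec, when):
    """True if the certificate's validity window contains the given time."""
    not_before = datetime.fromisoformat(rec["not_before"])
    not_after = datetime.fromisoformat(rec["not_after"])
    return not_before <= when <= not_after


def review_ct(records_json, inventory, now):
    """Compare CT-logged names with the names the owner has announced.

    Returns a dict with:
      unexpected        - non-wildcard names absent from the inventory
      active_unexpected - the subset that still has a currently valid cert
      wildcards         - wildcard names, listed separately because a
                          wildcard certificate reveals no specific subdomain
    """
    inventory = {n.lower() for n in inventory}
    by_name = parse_ct_records(records_json)
    report = {"unexpected": [], "active_unexpected": [], "wildcards": []}
    for name, recs in sorted(by_name.items()):
        if name.startswith("*."):
            report["wildcards"].append(name)
            continue
        if name in inventory:
            continue
        report["unexpected"].append(name)
        if any(_is_valid_at(r, now) for r in recs):
            report["active_unexpected"].append(name)
    return report


if __name__ == "__main__":
    # Hostnames the owner has already made public (constructed inventory).
    announced = {"example.com", "www.example.com"}
    result = review_ct(SAMPLE_CT_RECORDS, announced, datetime(2023, 3, 1))
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

Run against a real crt.sh export, the `unexpected` list is what LeonM's report would hand to the customer; the `active_unexpected` split matters because an expired certificate for an abandoned experiment is a different conversation from a live one for an unannounced product.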

Or even better, don’t register CNAMEs or A records for your subdomain until you’re ready to tell the world. The cert is meaningless if there’s nowhere for the traffic to route.
> The cert is meaningless if there’s nowhere for the traffic to route.

The cert has a meaning: it reveals your intent to do something with it.

I.e. if Apple was to buy a cert for car.apple.com before they announce a car, that could be bad for them.

That’s a fair point for giving intent if there’s a human-facing name for the DNS entry. I was referring to the security implications of having a public endpoint exposed, or more accurately not being exposed because there’s no way to route traffic to it.