[zevlag]

> Subdomains can be passwords and a well crafted subdomain should not leak,

I disagree. A subdomain is not secret in any way. There are many ways in which it is transmitted unencrypted. A couple:

- DNS resolution, multiple resolvers and authoritative servers - TLS SNI - HTTP Host Header

There are many middle boxes that could perform safety checks on behalf of the client, and drop it into a list to be rescanned.

- Virus Scanners - Firewalls - Proxies

[dharmab]

I once worked for a company which was using a subdomain of an internal development domain to do some completely internal security research on our own products. The entire domain got flagged in Safe Browsing despite never being exposed to the outside world. We think Chrome's telemetry flagged it, and since it was technically routable as a public IP (all public traffic on that IP was blackholed), Chrome thought it was a public website.

[mkl95]

I saw a similar thing happen with a QA team's domains. Google flagged them as malicious and the company never managed to get them unflagged.

[dharmab]

Our lawyers knew their lawyers so there was a friendly chat and we got added to an internal whitelist within Google.

[TZubiri]

>It's not encrypted in transit

Agree.

But who said that all passwords or shiboleths should all be encrypted in transit?

It can serve as a canary for someone snooping your traffic. Even if you encrypt it, you don't want people snooping.

To date of my subdomains that I never publish, I haven't had anyone attempting to connect with them.

It's one of those redundant measures.

And it's also one of those risks that you take, you can maximize security by staying at home all day, but going out to take the trash is a calculated risk that you must take or risk overfocusing on security.

It's similar to port knocking. If you are encrypting it, it's counterproductive, it's a low effort finishing touch, like a nice knot.