Certificate Transparency For Web & Mobile Apps

This post examines the effects of disclosing certificate DNS names from a security and privacy standpoint, as well as the evolution of Certificate Transparency (CT). The number of certificates in CT logs has grown exponentially, and the share of websites that support CT has grown steadily: 33% of observed connections now do so. Since every logged certificate is publicly readable, wider CT deployment raises concerns about information leakage. To understand this issue, we present a CT honeypot and show how CT log data can be used to identify the targets of scanning campaigns within minutes of certificate issuance. We also offer and analyse a system for learning and verifying new subdomains from the vast number of domain names recovered from CT-logged certificates.
As digital ecosystems, especially web and mobile applications, continue to expand, the number of certificates issued and logged in CT repositories has increased exponentially. According to recent studies, nearly 33% of HTTPS connections now support Certificate Transparency, which shows how widely it has been adopted. This growth, however, also raises concerns about information leakage and privacy, particularly because DNS names and subdomains are disclosed through the logs.
The Double-Edged Sword of CT Logging
CT improves accountability among Certificate Authorities and enhances the overall security of the web by:
- Preventing certificate mis-issuance
- Enabling early detection of phishing or malicious sites
- Supporting security monitoring tools and researchers
- Helping domain owners detect unauthorized certificates
However, this transparency also creates new attack surfaces. Since every certificate logged includes domain and subdomain information, malicious actors can scrape CT logs to:
- Identify newly issued certificates in real time
- Discover hidden or internal subdomains
- Target these endpoints in automated scanning and exploitation campaigns
This unintended exposure can be especially harmful for mobile apps and backend services where API endpoints, staging environments, or internal infrastructure may be listed in certificates but were never meant for public discovery.
The CT Honeypot Experiment
To better understand the risks, security researchers have run CT honeypots: domain names that are never published anywhere, for which a certificate is requested (and therefore logged), and whose traffic is then monitored. Results show that scanning of these names begins within minutes of certificate issuance, which demonstrates that attackers actively watch CT logs to discover fresh targets at scale.
This data underscores the fact that CT logs are not only useful to white-hat security professionals; they are also being weaponized by black-hat attackers.
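The measurement behind the honeypot experiment is simple: record when the honeypot's certificate appeared in a CT log, then watch for the first request to a hostname that was never announced anywhere else. The script below is an added example, not code from the original post or from the researchers' honeypot. The hostname, the CT log timestamp and the access-log lines are constructed; a real run would take the timestamp from the honeypot certificate's CT log entry and the requests from the web server in front of the honeypot.

```python
"""Time-to-first-contact measurement for a CT honeypot host (added example)."""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed: when the honeypot's certificate was logged. CT log entries
# (RFC 6962 TimestampedEntry) carry this time in milliseconds since the epoch.
CT_LOGGED_AT_MS = 1_700_000_000_000          # 2023-11-14T22:13:20Z

HONEYPOT_HOST = "ct-hp-7f3a.example.test"     # constructed; never linked or published

# Constructed access-log lines in the "combined" layout, prefixed with the
# virtual host that received the request. One line belongs to a real site and
# must be ignored by the analysis.
ACCESS_LOG = """\
ct-hp-7f3a.example.test 203.0.113.10 - - [14/Nov/2023:22:16:20 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; scanner)"
ct-hp-7f3a.example.test 203.0.113.10 - - [14/Nov/2023:22:16:21 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner)"
www.example.test 198.51.100.7 - - [14/Nov/2023:22:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
ct-hp-7f3a.example.test 198.51.100.23 - - [14/Nov/2023:22:31:05 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text: str) -> List[Dict]:
    """Parse combined-format lines into dicts carrying an aware UTC datetime."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a request line; skip it
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        rows.append({"vhost": m["vhost"], "ip": m["ip"], "ts": ts,
                     "req": m["req"], "ua": m["ua"]})
    return rows


def first_contact(log_text: str, host: str, logged_at_ms: int) -> Dict:
    """Summarise traffic to the honeypot host relative to the CT logging time.

    Requests that arrived before the certificate was logged are counted
    separately: they would mean the name leaked through some other channel
    (DNS, the CA, a misconfiguration) rather than through CT.
    """
    logged_at = datetime.fromtimestamp(logged_at_ms / 1000, tz=timezone.utc)
    hits = [r for r in parse_log(log_text) if r["vhost"] == host]
    after = sorted((r for r in hits if r["ts"] >= logged_at), key=lambda r: r["ts"])
    before = [r for r in hits if r["ts"] < logged_at]
    summary = {
        "hits_after_logging": len(after),
        "hits_before_logging": len(before),
        "sources": sorted({r["ip"] for r in after}),
        "minutes_to_first_hit": None,
        "first_source": None,
    }
    if after:
        delta = after[0]["ts"] - logged_at
        summary["minutes_to_first_hit"] = delta.total_seconds() / 60
        summary["first_source"] = after[0]["ip"]
    return summary


if __name__ == "__main__":
    print(first_contact(ACCESS_LOG, HONEYPOT_HOST, CT_LOGGED_AT_MS))
```

On the constructed log the first request to the honeypot name arrives 3 minutes after the certificate was logged, from a source that then continues probing, while the request to the real site is ignored. Running the same analysis over many honeypot names, each with its own logging time, gives the distribution of time-to-first-scan that the experiment reports.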
Learning and Verifying Subdomains Using CT Logs
Beyond scanning risks, CT logs can be mined to map organizational infrastructure and enumerate new subdomains. For threat actors and researchers alike, this is a powerful tool:
- Subdomain Enumeration: By analyzing CT entries, one can uncover hundreds or thousands of subdomains for a single organization, some of which may lead to forgotten or vulnerable systems.
- Attack Surface Expansion: Every exposed endpoint increases the likelihood of a successful attack vector.
- Phishing & Impersonation: Newly discovered domains can be cloned or spoofed for phishing attacks targeting users or employees.
To combat this, organizations can implement subdomain monitoring systems that automatically flag and verify new certificate entries from CT logs, allowing them to take proactive security measure
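A minimal version of such a monitoring system, as an added example that is not code from the original post or from the system the post describes: it takes CT log entries already reduced to their issuer and subjectAltName DNS names, keeps only names under the organization's own domain, and raises an alert for any name missing from the inventory, any wildcard, and any certificate from an issuer the organization does not use. The entries, the inventory and the issuer allow-list are constructed; a real monitor would read entries from a CT log's get-entries API or a CT monitoring service and parse the certificates itself.

```python
"""Subdomain monitor fed from Certificate Transparency log entries (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CTEntry:
    logged_at: str               # timestamp of the log entry, ISO-8601 UTC
    issuer: str                  # issuer common name carried by the certificate
    dns_names: Tuple[str, ...]   # subjectAltName dNSName values


@dataclass(frozen=True)
class Alert:
    kind: str                    # "new-subdomain", "wildcard" or "unexpected-issuer"
    name: str
    issuer: str
    logged_at: str


def normalize(name: str) -> Tuple[str, bool]:
    """Lower-case a DNS name, drop a trailing dot and split off a leading
    wildcard label. Returns (name_without_wildcard, is_wildcard)."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        return name[2:], True
    return name, False


def under_domain(name: str, apex: str) -> bool:
    """True if name is apex itself or a subdomain of it. The comparison is on
    a label boundary: a plain endswith(apex) would also accept
    'notexample.org' for apex 'example.org'."""
    return name == apex or name.endswith("." + apex)


def review_entries(entries: Iterable[CTEntry], apex: str,
                   inventory: Set[str], allowed_issuers: Set[str]) -> List[Alert]:
    """Flag entries that disclose names outside the inventory, wildcard
    names, or certificates from an issuer not on the allow-list."""
    alerts: List[Alert] = []
    already_flagged: Set[str] = set()
    for entry in entries:
        in_scope = []
        for raw in entry.dns_names:
            name, wildcard = normalize(raw)
            if under_domain(name, apex):
                in_scope.append((name, wildcard))
        if not in_scope:
            continue                         # some other organization's names
        # A certificate for our names from a CA we never use is the
        # mis-issuance signal CT was designed to surface.
        if entry.issuer not in allowed_issuers:
            for name, _ in in_scope:
                alerts.append(Alert("unexpected-issuer", name, entry.issuer, entry.logged_at))
        for name, wildcard in in_scope:
            if wildcard:
                # A wildcard keeps hostnames out of CT, but one key then
                # serves every subdomain; treat it as a review item.
                alerts.append(Alert("wildcard", "*." + name, entry.issuer, entry.logged_at))
            elif name not in inventory and name not in already_flagged:
                already_flagged.add(name)
                alerts.append(Alert("new-subdomain", name, entry.issuer, entry.logged_at))
    return alerts


# Constructed demo data (issuer names are made up, not real CAs).
DEMO_APEX = "example.org"
DEMO_INVENTORY = {"example.org", "www.example.org", "api.example.org"}
DEMO_ALLOWED_ISSUERS = {"Example Public CA R3"}
DEMO_ENTRIES = (
    CTEntry("2024-05-01T08:00:00Z", "Example Public CA R3", ("www.example.org", "example.org")),
    CTEntry("2024-05-01T08:05:00Z", "Example Public CA R3", ("staging-api.example.org",)),
    CTEntry("2024-05-01T08:10:00Z", "Unlisted CA G1", ("www.example.org",)),
    CTEntry("2024-05-01T08:15:00Z", "Example Public CA R3", ("*.example.org",)),
    CTEntry("2024-05-01T08:20:00Z", "Example Public CA R3", ("notexample.org", "example.org.evil.test")),
)


def run_demo() -> List[Alert]:
    return review_entries(DEMO_ENTRIES, DEMO_APEX, DEMO_INVENTORY, DEMO_ALLOWED_ISSUERS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert.logged_at} {alert.kind:18} {alert.name} (issuer: {alert.issuer})")
```

On the demo data the monitor produces three alerts: a staging API hostname that is not in the inventory, a certificate for the public site from an unlisted issuer, and a wildcard. The two look-alike names in the last entry are correctly ignored because the suffix check works on label boundaries. Every "new-subdomain" alert is a name that CT has now disclosed to anyone reading the log, so the follow-up is to either add it to the inventory deliberately or take the endpoint down.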