Daniel-Chin / daniel-chin


Your website's public key has changed #1

Open NateChoe1 opened 1 month ago

NateChoe1 commented 1 month ago

Using openssl x509, I was able to extract this information about your public key:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:ed:16:7a:26:59:da:27:8e:7b:21:cd:be:b3:3e:32
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
        Validity
            Not Before: Jan 15 00:00:00 2024 GMT
            Not After : Feb 14 23:59:59 2025 GMT
        Subject: C = US, ST = California, L = San Francisco, O = "Netlify, Inc", CN = *.netlify.app
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:64:c3:ab:83:a1:9f:9b:f7:ff:e5:00:bf:41:ae:
                    cd:d1:cd:1c:5d:8d:4d:62:fb:0e:e4:90:33:13:2d:
                    b5:45:91:e6:7a:26:a0:5e:01:ae:25:84:fb:d5:88:
                    23:7e:13:7e:a9:d3:a5:de:69:2d:91:69:c3:12:86:
                    5a:94:02:42:28
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                74:85:80:C0:66:C7:DF:37:DE:CF:BD:29:37:AA:03:1D:BE:ED:CD:17
            X509v3 Subject Key Identifier: 
                3E:6A:BE:6E:25:AC:12:10:AB:BE:F1:EB:A7:A9:BC:6D:88:7D:54:8F
            X509v3 Subject Alternative Name: 
                DNS:*.netlify.app, DNS:netlify.app
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.2
                  CPS: http://www.digicert.com/CPS
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 4E:75:A3:27:5C:9A:10:C3:38:5B:6C:D4:DF:3F:52:EB:
                                1D:F0:E0:8E:1B:8D:69:C0:B1:FA:64:B1:62:9A:39:DF
                    Timestamp : Jan 15 10:47:29.381 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:1E:C5:2F:7C:4B:19:8E:30:52:F2:9B:DE:
                                5F:50:F9:98:CE:3F:5A:4B:10:2D:8B:E1:7A:49:FA:7C:
                                17:0B:E7:C7:02:20:69:D4:87:2E:46:49:3E:22:0E:96:
                                E6:9A:BC:8B:22:68:3D:62:78:7A:39:6D:C2:F1:FF:72:
                                B4:EC:CA:BB:73:D0
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7D:59:1E:12:E1:78:2A:7B:1C:61:67:7C:5E:FD:F8:D0:
                                87:5C:14:A0:4E:95:9E:B9:03:2F:D9:0E:8C:2E:79:B8
                    Timestamp : Jan 15 10:47:29.383 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:14:62:EE:59:8E:36:FA:2A:75:12:10:02:
                                74:03:93:9A:67:D3:80:95:4D:75:CC:2E:3E:FD:24:E3:
                                18:43:A3:CF:02:20:20:0A:A6:27:78:41:21:B9:80:FB:
                                20:63:3E:4B:6F:A4:75:15:02:A5:5C:D2:B4:38:64:33:
                                20:D4:3C:D5:46:37
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E6:D2:31:63:40:77:8C:C1:10:41:06:D7:71:B9:CE:C1:
                                D2:40:F6:96:84:86:FB:BA:87:32:1D:FD:1E:37:8E:50
                    Timestamp : Jan 15 10:47:29.425 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:86:9F:5E:12:4D:DB:8F:8C:AC:D5:8C:
                                80:F8:E2:85:F6:3B:2C:21:B1:EE:9F:FC:69:F7:2A:31:
                                37:23:5C:ED:D2:02:21:00:B3:0B:13:83:D6:D5:7A:BE:
                                73:2E:C6:7B:A9:67:0A:3A:0F:CE:08:55:A0:DD:E6:0C:
                                50:1A:E8:17:EB:0D:4E:0C
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        85:10:65:aa:23:19:44:a0:85:70:ec:0b:09:ff:c7:c9:06:3e:
        d8:19:f6:14:aa:f3:c5:bb:a1:e1:ee:1c:e7:51:69:a0:c6:16:
        c3:bf:e8:e5:75:8d:f5:d8:9c:c1:29:a6:94:26:6a:e6:26:ad:
        9f:b3:86:4e:a8:8a:93:3c:0a:6a:a7:d9:b5:92:56:50:43:8f:
        7e:30:c4:dc:d2:60:26:f5:fa:84:4a:26:1b:67:da:38:c4:aa:
        39:15:e6:45:c2:05:b4:2c:cd:ed:6c:96:fe:5e:92:cb:f5:c1:
        8a:d5:c2:c5:75:59:20:80:f5:cb:75:a0:21:e5:40:29:23:e3:
        80:cd:09:89:a8:f6:60:b0:f6:75:8e:b5:6f:2c:f0:41:aa:62:
        59:04:83:9c:47:c9:9b:04:10:b0:92:43:04:c1:95:67:40:ce:
        ca:e9:cf:f6:1e:d8:53:d4:6a:ca:c1:f6:1d:df:78:0e:20:46:
        bc:8e:3a:fe:f1:5a:a9:3e:68:66:0a:d6:0d:b2:b0:33:4f:d4:
        e5:cd:12:b0:e0:a3:d5:2b:50:38:89:ab:32:97:0f:a6:82:4a:
        d8:a1:f7:78:04:97:15:44:05:80:84:2f:eb:e7:81:9d:00:2e:
        fa:3a:bb:a3:e7:3b:22:ab:6c:ce:ce:65:ad:9a:a4:0c:63:b3:
        22:d6:aa:87

As far as I can tell, the public key has changed to 04 64 c3 ab 83 a1 9f 9b f7 ff e5 00 bf 41 ae cd d1 cd 1c 5d 8d 4d 62 fb 0e e4 90 33 13 2d b5 45 91 e6 7a 26 a0 5e 01 ae 25 84 fb d5 88 23 7e 13 7e a9 d3 a5 de 69 2d 91 69 c3 12 86 5a 94 02 42 28.

NateChoe1 commented 1 month ago

For what it's worth, I'm pretty sure every Netlify website has the same public key, so you probably shouldn't use that as an authentication mechanism. I'd recommend creating a PGP key and publishing that instead.
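
The point made in the comment above, as an added example that is not part of the original thread: the certificate in the dump names `*.netlify.app`, so its public key is bound to every single-label subdomain rather than to one site. The sketch below reads the SAN line in the format `openssl x509 -text` prints and classifies how a hostname is covered; the function names and the `site-a`/`site-b` hostnames are constructed for illustration.

```python
# Constructed excerpt in the format `openssl x509 -text` prints; the Subject
# and SAN values are the ones shown in the issue above.
SAMPLE_TEXT = """\
        Subject: C = US, ST = California, L = San Francisco, O = "Netlify, Inc", CN = *.netlify.app
            X509v3 Subject Alternative Name:
                DNS:*.netlify.app, DNS:netlify.app
            X509v3 Certificate Policies:
"""

def san_dns_names(openssl_text):
    """Return the DNS entries listed under the Subject Alternative Name header."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [e[4:].lower() for e in entries if e.startswith("DNS:")]
    return []

def san_matches(pattern, hostname):
    """Match one SAN entry against a hostname: a leading '*' covers exactly one label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def binding(openssl_text, hostname):
    """Classify how the certificate (and so its public key) is bound to hostname.

    'exact'    - the hostname is named explicitly.
    'wildcard' - covered only by a wildcard, so every sibling name shares the key.
    'none'     - the certificate does not cover the hostname.
    """
    names = san_dns_names(openssl_text)
    if any(n == hostname.lower() for n in names if not n.startswith("*.")):
        return "exact"
    if any(n.startswith("*.") and san_matches(n, hostname) for n in names):
        return "wildcard"
    return "none"

if __name__ == "__main__":
    # Hypothetical tenant hostnames, constructed for this example.
    for host in ("site-a.netlify.app", "site-b.netlify.app", "netlify.app", "a.b.netlify.app"):
        print(host, binding(SAMPLE_TEXT, host))
```

A `wildcard` result means a published copy of the key cannot distinguish one site from another under the same parent domain.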

Daniel-Chin commented 1 month ago

> For what it's worth, I'm pretty sure every Netlify website has the same public key,

Oh wow! This is vital information. Thank you so much for bringing it up!

Daniel-Chin commented 1 month ago

> I'd recommend creating a PGP key and publishing that instead.

Sadly, I'd have to sign the entire website for that to take effect. I find it difficult to extract a representation of the website that's convenient for checking. And since I haven't purchased a domain name, there seems to be no good way of authenticating myself. I'll remove the public key thing for now.