jreisinger / checkip

Get (security) info about IP addresses
MIT License

Review SAN values #19

Closed jreisinger closed 2 years ago

jreisinger commented 2 years ago

What are those unreadable strings?

```
$ checkip -j 1.1.1.1 | jq -r '.checks[12].info.data.attributes.last_https_certificate.extensions'
{
  "subject_alternative_name": [
    "cloudflare-dns.com",
    "*.cloudflare-dns.com",
    "one.one.one.one",
    "\u0001\u0001\u0001\u0001",
    "\u0001\u0001",
    "\\xa2\\x9f$\\x01",
    "\\xa2\\x9f.\\x01",
    "&\u0006GG\u0011\u0011",
    "&\u0006GG\u0010\u0001",
    "GGd",
    "GGd"
  ]
}
```

jreisinger commented 2 years ago

It's already returned by the virustotal.com API:

```
$ curl --header "x-apikey:$VIRUSTOTAL_API_KEY" https://www.virustotal.com/api/v3/ip_addresses/1.1.1.1
<...>
                    "subject_alternative_name": [
                        "cloudflare-dns.com",
                        "*.cloudflare-dns.com",
                        "one.one.one.one",
                        "\u0001\u0001\u0001\u0001",
                        "\u0001\u0001",
                        "\\xa2\\x9f$\\x01",
                        "\\xa2\\x9f.\\x01",
                        "&\u0006GG\u0011\u0011",
                        "&\u0006GG\u0010\u0001",
                        "GGd",
                        "GGd"
                    ],
<...>
```

If you look at the certificate of https://1.1.1.1 via Firefox it looks like this:

image

So I think that virustotal.com is encoding it wrong.
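
An added example, not part of the issue thread or of checkip's code: X.509 stores an iPAddress SAN as 4 or 16 raw octets, so assuming the unreadable strings above are such octets rendered as text, a consumer of this field can sort each value into hostname, recoverable IP address, or leftover binary. `ClassifySAN` and `rawBytes` are hypothetical names; an address whose octets all happen to be printable ASCII would still be reported as a name.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// hexEsc matches literal backslash-x escapes such as \xa2 left in the string.
var hexEsc = regexp.MustCompile(`\\x[0-9a-fA-F]{2}`)

// rawBytes maps a SAN string back to octets (one byte per \xNN escape or per
// code point up to U+00FF) and reports whether any octet is non-printable.
func rawBytes(s string) (b []byte, binary bool) {
	s = hexEsc.ReplaceAllStringFunc(s, func(m string) string {
		n, _ := strconv.ParseUint(m[2:], 16, 8)
		return string(rune(n))
	})
	for _, r := range s {
		if r > 0xff {
			return nil, false // wide rune: not a byte string, treat as text
		}
		binary = binary || r < 0x20 || r > 0x7e
		b = append(b, byte(r))
	}
	return b, binary
}

// ClassifySAN (hypothetical helper) labels one subject_alternative_name value.
func ClassifySAN(s string) string {
	b, binary := rawBytes(s)
	switch {
	case !binary:
		return "name " + s
	case len(b) == net.IPv4len || len(b) == net.IPv6len:
		return "ip " + net.IP(b).String()
	default: // too short or long to be a whole address
		return fmt.Sprintf("binary, %d bytes", len(b))
	}
}

func main() {
	// Sample values copied from the output quoted in the issue.
	for _, s := range []string{"one.one.one.one", "\u0001\u0001\u0001\u0001", "\\xa2\\x9f$\\x01", "\u0001\u0001"} {
		fmt.Printf("%q -> %s\n", s, ClassifySAN(s))
	}
}
```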