
Show HN: Who runs this – A Chrome extension that shows who runs a site - kaolti
https://chrome.google.com/webstore/detail/who-runs-this/jfccjdbjpkmppcpdogdfbgillpaakmgn
======
dylz
Would be nice to note that it sends hostnames of the sites you visit in
plaintext, no SSL/TLS, across the internet to:

    
    
      http://api.corpwatch.org/companies
      http://104.236.253.171:9119

~~~
jsmthrowaway
Nice catch. 104.236/16 is DigitalOcean, so best guess would be some kind of
server belonging to the author.

~~~
kaolti
It is mine, yea.

~~~
scottydelta
I think it is better if you mask your server ip using some service like
CloudFlare and assign it a domain name when making public apps with links to
your server.

------
scottydelta
Is that a private key to connect to your server in your repo?
[https://github.com/kaolti/Who-Runs-
This/blob/master/key.pem](https://github.com/kaolti/Who-Runs-
This/blob/master/key.pem)

~~~
kaolti
Hehe, was for the Chrome store, got rid of it now.

~~~
scottydelta
[deleted]

~~~
youdidwhat
Did you just publically admit to attempting to break into his server?

~~~
scottydelta
not really.

------
MasterScrat
What would be even more useful would be a "that's surprising!" button next to
the result.

When an owner is often reported as surprising for a domain, the extension
should either blink or directly display the owner without being clicked.

~~~
kaolti
That's awesome, add that to the todos.

------
TazeTSchnitzel
Hmm. It can't tell me that thewaytohappiness.org is run by Scientology.

But expecting it to see through Scientology front groups is perhaps asking too
much. ^^

------
ridiculous_fish
Very cool idea. I noticed it reports that ridiculousfish.com "is run by"
namecheap, but namecheap is only the registrar and does not run or even host
the site.

~~~
kaolti
Thanks! Yea, the problem is the registrant organization of the domain is set
to Namecheap. Not sure how to get around domain privacy for now.

~~~
kspaans
Maybe the extension could check the info on the SSL certificates (if
available) if the domain is registered through a proxy?

~~~
degenerate
This is almost necessary for the extension to be useful. A good number of
domains I checked are all "run" by WHOISGUARD, INC.

~~~
kaolti
Hm, do SSL certificates have information about the owner?

~~~
degenerate
I think only Extended Validation (EV) certificates have this info by default
:(

------
kaolti
Thanks for all the feedback guys! Took it down for now and will republish when
it's fixed.

------
kaolti
May have a couple of bugs but one use case would be finding out that
rottentomatoes.com is run by Comcast.

------
kspaans
When run against www.ssa.gov it says "something seems to be wrong" LOL

~~~
TazeTSchnitzel
For .gov domains it might as well just show “The Government of the United
States”.

~~~
daxelrod
That's not exclusively true anymore. For example, New York City has nyc.gov .

------
djcollier
Could you share a link to the repo if its available? Very cool idea!

~~~
kaolti
Thanks! Here it is: [https://github.com/kaolti/Who-Runs-
This.git](https://github.com/kaolti/Who-Runs-This.git)

~~~
rjbrock
This appears to be a private key (so no one should ever be able to read this
file): [https://github.com/kaolti/Who-Runs-
This/blob/master/key.pem](https://github.com/kaolti/Who-Runs-
This/blob/master/key.pem)

Is this for publishing to the chrome app store? If it is, I recommend taking
down the extension and republishing with a new secure key ASAP.

~~~
kaolti
lol, saved my ass it looks like! Took your advice.

~~~
callesgg
It is still in the commit history. You need to throw that key away and get a
new one.

~~~
rjbrock
Exactly, that key is now completely compromised (it was the second it was
public). You can still see it here: [https://github.com/kaolti/Who-Runs-
This/commit/764945d8d968b...](https://github.com/kaolti/Who-Runs-
This/commit/764945d8d968b29008f7d7075f014a8624830b07)

You will need to generate a new key and resign with the new one.

------
diegorbaquero
When ran against my own domain (diegorbaquero.com) it just shows "Something
seems to be wrong"

~~~
kaolti
Yea, it doesn't check for registrant name atm, should probably show that, if
there's no registrant org.

------
jhiggins777
Link is broken

