CrowdTLS-server/README.md

<div align="center">
<img src="crowdtls.png" alt="CrowdTLS Logo">

# CrowdTLS-server

CrowdTLS validates SSL/TLS certificates against the crowd.

This is the backend server repository for it.<br/>

[Installation](#installation) •
[Analytics](#analytics) •
[License](#license)
</div>

## Installation

I recommend that you deploy this with Docker or within a Python virtual environment.

### Deployment with Docker

Run the following command on your Linux system:
```bash
git clone https://github.com/darrylnixon/CrowdTLS-server.git && \
cd CrowdTLS-server && \
cp .env.sample .env && \
PW=$(/usr/bin/env python3 -c "import secrets; print(secrets.token_urlsafe(32))") /bin/bash -c 'sed -i "" "s/^POSTGRES_PASSWORD=.*/POSTGRES_PASSWORD=$PW/" .env' && \
docker-compose up --detach --build;
```

## Analytics

Below is an enumeration of analytics that are run on the resulting data set to trigger alerts for client extensions. For the "Completeness" column, the emoji symbols are used to represent the status: ❌ for "not started", ⌛ for "partial", and ✅ for "done".

| Analytic Name | Description | Completeness |
| --- | --- | --- |
| Certificate Lifespan Analysis | Flag certificates with unusually short or long lifespans. | ✅ |
| Uncommon SAN Usage | Flag certificates with an unusually high number of SAN entries. | ✅ |
| Multiple Active Certificates | Flag an unusually high number of active certificates for a single FQDN, especially if they're from multiple CAs. | ⌛ |
| Changes in Certificate Details | Track historical data of certificates for each FQDN and flag abrupt changes. | ❌ |
| Certificates from Untrusted CAs | Flag certificates issued by untrusted or less common CAs. | ❌ |
| Use of Deprecated or Weak Encryption | Flag certificates that use deprecated or weak cryptographic algorithms. | ❌ |
| New Certificate Detection | Alert users when a certificate for a known domain changes unexpectedly. | ❌ |
| Mismatched Issuer and Subject | Flag certificates where the issuer and subject fields match (self-signed) and are not trusted roots. | ❌ |
| Geographical Inconsistencies | Flag when the certificate's registration or issuing CA's country doesn't match the usual location of the website. | ❌ |
| Suspicious Domains | Flag when the domain in the certificate doesn't match the actual domain of the website. | ❌ |
| Unusual Certificate Attributes | Flag deviations in terms of certificate attributes, like too short public key lengths or unusual signature algorithms. | ❌ |
| Wildcard Certificates | Flag unexpected uses of wildcard certificates. | ❌ |
| Chain of Trust Verification | Flag if the certificate doesn't chain up correctly to a trusted root. | ❌ |
| SAN Anomalies | Flag if the SAN field includes unusual or suspicious domains. | ❌ |
| Frequency of Certificate Change | Flag if a certificate for a domain changes more frequently than the norm. | ❌ |
| Compare with Public CT Logs | Detect anomalies if the certificate presented doesn't match what's found in public CT logs. | ❌ |

## FAQ

**What is this? I'm looking for the browser extension!**

You're in the wrong place. The browser extension can be found [here](https://sillyhats.mips.uk/pdf/CrowdTLS).

## License

This project is licensed under the MPL 2.0 License. See the `LICENSE` file for details.

I carefully evaluated various open-source licenses and chose the Mozilla Public License 2.0 (MPL 2.0) for CrowdTLS due to its compatibility with other licenses, strong copyleft provisions, and its alignment with my values and goals. MPL 2.0 ensures that the source code remains open and available, while allowing for flexibility in terms of collaboration and incorporation into other projects.

While I understand that different licenses may have their merits, I believe that MPL 2.0 provides the best balance of openness, collaborative potential, and legal clarity for the development and distribution of CrowdTLS.