| crowdtls | ||
| .dockerignore | ||
| .env.sample | ||
| .flake8 | ||
| .gitignore | ||
| .pre-commit-config.yaml | ||
| adminer.css | ||
| adminer.Dockerfile | ||
| crowdtls.Dockerfile | ||
| crowdtls.png | ||
| docker-compose.yml | ||
| LICENSE | ||
| pyproject.toml | ||
| README.md | ||
CrowdTLS-server
CrowdTLS validates SSL/TLS certificates against the crowd.
This is the backend server repository for it.
Installation
I recommend that you deploy this with Docker or within a Python virtual environment.
Deployment with Docker
Run the following command on your Linux system:
git clone https://github.com/darrylnixon/CrowdTLS-server.git && \
cd CrowdTLS-server && \
cp .env.sample .env && \
PW=$(/usr/bin/env python3 -c "import secrets; print(secrets.token_urlsafe(32))") /bin/bash -c 'sed -i "" "s/^POSTGRES_PASSWORD=.*/POSTGRES_PASSWORD=$PW/" .env' && \
docker-compose up --detach --build;
Analytics
Below is an enumeration of analytics that are run on the resulting data set to trigger alerts for client extensions. For the "Completeness" column, the emoji symbols are used to represent the status: ❌ for "not started", ⌛ for "partial", and ✅ for "done".
| Analytic Name | Description | Completeness |
|---|---|---|
| Multiple Active Certificates | Flag an unusually high number of active certificates for a single FQDN, especially if they're from multiple CAs. | ❌ |
| Short Lifespan Certificates | Flag certificates with a very short lifespan, which could indicate malicious activity. | ❌ |
| Changes in Certificate Details | Track historical data of certificates for each FQDN and flag abrupt changes. | ❌ |
| Certificates from Untrusted CAs | Flag certificates issued by untrusted or less common CAs. | ❌ |
| Uncommon SAN Usage | Flag certificates with an unusually high number of SAN entries. | ❌ |
| Use of Deprecated or Weak Encryption | Flag certificates that use deprecated or weak cryptographic algorithms. | ❌ |
| New Certificate Detection | Alert users when a certificate for a known domain changes unexpectedly. | ❌ |
| Certificate Lifespan Analysis | Flag certificates with unusually short or long lifespans. | ❌ |
| Mismatched Issuer and Subject | Flag certificates where the issuer and subject fields do not match. | ❌ |
| Geographical Inconsistencies | Flag when the certificate's registration or issuing CA's country doesn't match the usual location of the website. | ❌ |
| Suspicious Domains | Flag when the domain in the certificate doesn't match the actual domain of the website. | ❌ |
| Unusual Certificate Attributes | Flag deviations in terms of certificate attributes, like too short public key lengths or unusual signature algorithms. | ❌ |
| Wildcard Certificates | Flag unexpected uses of wildcard certificates. | ❌ |
| Chain of Trust Verification | Flag if the certificate doesn't chain up correctly to a trusted root. | ❌ |
| SAN Anomalies | Flag if the SAN field includes unusual or suspicious domains. | ❌ |
| Frequency of Certificate Change | Flag if a certificate for a domain changes more frequently than the norm. | ❌ |
| Compare with Public CT Logs | Detect anomalies if the certificate presented doesn't match what's found in public CT logs. | ❌ |
FAQ
What is this? I'm looking for the browser extension!
You're in the wrong place. The browser extension can be found here.
License
This project is licensed under the MPL 2.0 License. See the LICENSE file for details.
I carefully evaluated various open-source licenses and chose the Mozilla Public License 2.0 (MPL 2.0) for CrowdTLS due to its compatibility with other licenses, strong copyleft provisions, and its alignment with my values and goals. MPL 2.0 ensures that the source code remains open and available, while allowing for flexibility in terms of collaboration and incorporation into other projects.
While I understand that different licenses may have their merits, I believe that MPL 2.0 provides the best balance of openness, collaborative potential, and legal clarity for the development and distribution of CrowdTLS.