mirror of
https://github.com/DarrylNixon/CrowdTLS
synced 2024-04-22 06:17:20 -07:00
Initial README.md and PRIVACY.md added
parent 10f5de1be9
commit f08f3f56e1
3 changed files with 106 additions and 0 deletions
49
PRIVACY.md
Normal file
@ -0,0 +1,49 @@
# Privacy Policy
Last updated: June 6, 2023
Thank you for using CrowdTLS! This Privacy Policy explains how I collect, use, and disclose information when you use my addon and the official servers associated with it. I take your privacy seriously and I'm committed to protecting your personal information. By using our addon, you consent to the collection and use of your information as described in this Privacy Policy.
## Information I Collect
The addon collects collect the following information:
### SSL/TLS Certificate Data
I collect SSL/TLS certificate data associated with the fully qualified domain names (FQDNs) of the websites you visit. This data includes information exposed by security information APIs, such as `webRequest.getSecurityInfo()` for Mozilla Firefox. Please note that these APIs are managed by the browser developer (e.g., Mozilla, Microsoft, Apple, Opera) and are subject to their security and privacy practices. This explicitly does not include data associated with requests you've made to these services such as URL paths, query parameters, authentication information, cookies, or anything unrelated to the certificate data the server sends you to verify they own the domain you are visiting.
**TL;DR: I collect ONLY certificate data sent to you by the web domains you visit.**
### Metadata
I log metadata associated with the traffic necessary to share the SSL/TLS certificate data with our crowd service. This minimally includes the external IP address of your internet connection (or VPN) and potentially other uncontrollable HTTP headers or web socket connection information. I do not enrich this data with the addon, but simply write normal connection metadata to a log file for review.
**TL;DR: I technically collect metadata, such as your browser's external IP address and other standard internet connection metadata, which enables the sharing of SSL/TLS certificate data.**
That's all. I do not collect any other personal information.
**TL;DR: I only collect SSL/TLS certificate data and metadata necessary to maintain the crowd service.**
## How I Use Collected Information
I use the collected information for the following purposes:
### Crowd-Source Validation Service
I provide the crowd-sourced validation service by analyzing the SSL/TLS certificate information you send against others previously collected from the crowd and provide feedback to your browser addon.
### Storage and Analysis
I store the SSL/TLS certificate data you sent for analysis indefinitely to provide the same service to other users. This keeps the service running and helps me improve the accuracy and effectiveness of the validation service.
### Usage Trends
I may use the collected information to identify broad usage trends across the world, such as the number of certificates shared from each country. These insights will help me improve service availability, latency, and understand global patterns to justify continued maintenance and server costs.
### Log Storage
I store HTTP and web socket logs for up to 30 days specifically for troubleshooting issues and identifying malicious activity. After 30 days, the logs are permanently purged from our servers unless malicious activity is identified.
**TL;DR: I use the collected information to provide the validation service, store and analyze SSL/TLS certificate data, identify usage trends, and store standard connection log metadata for a limited period.**
## Changes to This Privacy Policy
I reserve the right to modify, update, or amend this Privacy Policy from time to time to reflect changes made to our addon. When I make material changes to this Policy, I'll inform you by updating the 'Effective date' notice. It is your responsibility to review this Privacy Policy periodically or "watch" the repository for changes to stay informed of any updates. Your continued use of the addon after any modifications to this Policy constitutes your acceptance of such changes.
**TL;DR: We may change this Privacy Policy but will notify you of any significant updates. It's your responsibility to review and accept the changes.**
If you have any questions about this Privacy Policy, submit an issue for clarification.
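Review bot: "The addon collects collect the following information:" under "Information I Collect" has a doubled verb; suggest "The addon collects the following information:". The policy also mixes voices, with "I"/"my" throughout but "our addon", "our crowd service", "our servers" and the final TL;DR's "We may change this Privacy Policy"; pick one. In "Changes to This Privacy Policy", material changes are said to be signalled by updating the 'Effective date' notice, but the only date field in the file is "Last updated: June 6, 2023", so a reader does not know which line to watch; use the same name in both places.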
57
README.md
Normal file
@ -0,0 +1,57 @@
<div align="center">
<img src="crowdtls.png" alt="CrowdTLS Logo">
# CrowdTLS
CrowdTLS validates SSL/TLS certificates against the crowd.
It can potentially alert you if your traffic is being man-in-the-middle'd.<br/>
[Installation](#installation) •
[Frequently Asked Questions](#faq) •
[Contributing](#contributing) •
[License](#license)
</div>
## Installation
TODO
## FAQ
**What problem does CrowdTLS solve?**
CrowdTLS is designed to enhance your trust in the SSL/TLS certificates sent to you by the domains you visit. It aims to crowd-source the validation process by collecting SSL/TLS certificate data from users and comparing it with other collected data. This approach helps identify potential issues like dangerous wildcards, certificate misconfigurations, or fraudulent certificates (i.e., MITM aka man-in-the-middle), ultimately improving the overall security of your time on the web.
**What privacy concerns should I have about using CrowdTLS? What information are you collecting about me?**
I understand the importance of privacy and want to be transparent about the information CrowdTLS collects. When you use the addon/extension, it collects SSL/TLS certificate data associated with the domain names you visit with an HTTPS connection. This data includes the certificate details exposed by security information APIs provided by your browser developer, such as `webRequest.getSecurityInfo()` on Firefox.
You'd be concerned that I will be exposed to metadata associated with the traffic required to aggregate, analyze, and share that certificate data with the crowd service. That metadata certainly includes your browser's external IP address and potentially other uncontrollable HTTP or web socket headers. That is, your external IP (or VPN IP) will be directly communicating with my cloud proxy. Those logs will be scheduled for purge unless I detect malicious activity from a specific IP (i.e., sending false certificate data to poison the crowd).
Rest assured that I do not collect any personally identifiable information (PII) or track your browsing activities beyond the scope of SSL/TLS certificate validation, and the extension/addon does not have permission to see that information. CrowdTLS solely focuses on SSL/TLS certificates and does not engage in any user profiling, advertising, or sale of data.
**What's your roadmap?**
The roadmap for CrowdTLS, if maintained, includes several exciting features and improvements. Here are some highlights:
- Enhancing the crowd-source validation process to provide more accurate and comprehensive certificate analysis.
- Introducing user customization options to allow fine-tuning of validation criteria and feedback preferences.
- Collaborating with browser developers to streamline the integration of CrowdTLS functionalities natively into popular browsers.
- Implementing *opt-in* advanced analytics and reporting features to provide valuable insights into SSL/TLS certificate usage and trends.
I'm open to ideas to improve CrowdTLS and I welcome feedback and suggestions from the open source community.
## Contributing
If you would like to contribute to this project, feel free to submit a pull request or open an issue on GitHub.
This tool was written as part of my coursework for CSC 842 - Security Tool Development at Dakota State University taken in pursuit of a PhD in Cyber Operations. Consequently, I may choose not to maintain this tool beyond the length of the course, but have selected a license that enables open contributions in any case. I'll keep an eye out for pull requests.
## License
This project is licensed under the MPL 2.0 License. See the `LICENSE` file for details.
I carefully evaluated various open-source licenses and chose the Mozilla Public License 2.0 (MPL 2.0) for CrowdTLS due to its compatibility with other licenses, strong copyleft provisions, and its alignment with my values and goals. MPL 2.0 ensures that the source code remains open and available, while allowing for flexibility in terms of collaboration and incorporation into other projects.
While I understand that different licenses may have their merits, I believe that MPL 2.0 provides the best balance of openness, collaborative potential, and legal clarity for the development and distribution of CrowdTLS.
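Review bot: The header links to "[Installation](#installation)" but that section contains only "TODO"; either describe how the addon is loaded or drop the link until the section exists. In the privacy FAQ, "You'd be concerned that I will be exposed to metadata" reads as a prediction about the reader rather than a disclosure; "You should be aware that I will be exposed to metadata ..." says what is meant. The same answer first acknowledges logging "your browser's external IP address" and then states "I do not collect any personally identifiable information (PII)"; an IP address is routinely treated as personal data, so reuse PRIVACY.md's more careful wording ("I do not collect any other personal information"). "Those logs will be scheduled for purge" also omits the 30-day window PRIVACY.md commits to; a link to PRIVACY.md from this answer would keep the two from drifting.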
BIN
crowdtls.png
Normal file
Binary file not shown.