Darryl Nixon a28b8ccab3 Update README.md, optimistic initial manifest.json
Add placeholders for extension files
Add all the icons
2023-06-06 11:50:44 -07:00

CrowdTLS

CrowdTLS validates SSL/TLS certificates against the crowd.

It will try to alert you if your traffic is being man-in-the-middle'd.


Installation

TODO

FAQ

What problem does CrowdTLS solve?

CrowdTLS is designed to enhance your trust in the SSL/TLS certificates sent to you by the domains you visit. It crowd-sources the validation process by collecting SSL/TLS certificate data from users and comparing it with the data other users have collected. This approach helps identify potential issues like dangerous wildcards, certificate misconfigurations, or fraudulent certificates (i.e., a MITM, or man-in-the-middle, attack), ultimately improving the overall security of your time on the web.

What privacy concerns should I have about using CrowdTLS? What information are you collecting about me?

I understand the importance of privacy and want to be transparent about the information CrowdTLS collects. When you use the addon/extension, it collects SSL/TLS certificate data associated with the domain names you visit with an HTTPS connection. This data includes the certificate details exposed by security information APIs provided by your browser developer, such as webRequest.getSecurityInfo() on Firefox.

You should be aware that I will be exposed to the metadata of the traffic needed to aggregate, analyze, and share that certificate data with the crowd service. That metadata certainly includes your browser's external IP address and potentially other HTTP or WebSocket headers you cannot control. That is, your external IP (or VPN IP) will communicate directly with my cloud proxy. Those logs will be scheduled for purge unless I detect malicious activity from a specific IP (i.e., sending false certificate data to poison the crowd).

Rest assured that I do not collect any personally identifiable information (PII) or track your browsing activities beyond the scope of SSL/TLS certificate validation, and the extension/addon does not have permission to see that information. CrowdTLS solely focuses on SSL/TLS certificates and does not engage in any user profiling, advertising, or sale of data.

Why is CrowdTLS requesting all these browser permissions?

You can see which permissions CrowdTLS requires in manifest.json under the root "permissions" key. Below, I've included reasoning for each permission listed. If you have any questions, open an issue for clarification.

| WebExtension Permission | CrowdTLS Usage |
| --- | --- |
| webRequest | Enables observing and analyzing web requests, which is how CrowdTLS reaches the SSL/TLS certificate data. |
| webRequestBlocking | Required to handle and process HTTPS requests in a blocking manner. |
| https://*/* | Host permission that limits CrowdTLS to the HTTPS websites you contact, not HTTP. |
| notifications | For displaying notifications for important updates or alerts. |
| storage | Caches request/response content on your system so CrowdTLS functions more efficiently. |
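As an added example (not code from the CrowdTLS repository), here is the core of a Firefox background-script listener that uses webRequest.getSecurityInfo() inside a blocking onHeadersReceived handler, reduces the result to the leaf certificate's fingerprint and issuer, and compares it with a crowd snapshot before raising a notification. The crowd store layout, the verdict names and the sample data are assumptions made for this example.

```javascript
// Shape of what we keep per leaf certificate, taken from the SecurityInfo
// object Firefox returns (state, certificates[0].fingerprint.sha256, issuer).
function summarizeSecurityInfo(info) {
  if (!info || (info.state !== "secure" && info.state !== "weak")) return null;
  const leaf = info.certificates && info.certificates[0];
  if (!leaf || !leaf.fingerprint) return null;
  return { fingerprint: leaf.fingerprint.sha256, issuer: leaf.issuer, subject: leaf.subject };
}

// Compare the leaf certificate this browser saw with the certificates the
// crowd has reported for the same host (assumed shape: host -> [{ fingerprint, issuer }]).
function crowdVerdict(host, observed, crowd) {
  const seen = crowd[host] || [];
  if (seen.length === 0) return "unknown";       // nobody has reported this host yet
  if (seen.some((e) => e.fingerprint === observed.fingerprint)) return "consistent";
  // A new fingerprint from the same issuer is what a routine renewal looks like;
  // a different issuer for a known host is the signal worth alerting on.
  if (seen.some((e) => e.issuer === observed.issuer)) return "renewed";
  return "mismatch";
}

// Constructed sample data (not real certificates): a getSecurityInfo()-style
// object and a crowd snapshot in which example.com is known with issuer "CN=Example CA".
const SAMPLE_INFO = {
  state: "secure",
  certificates: [{ subject: "CN=example.com", issuer: "CN=Interceptor Proxy CA",
                   fingerprint: { sha256: "11:22:33:44" } }],
};
const CROWD = { "example.com": [{ fingerprint: "AA:BB:CC:DD", issuer: "CN=Example CA" }] };

// Listener body: getSecurityInfo() only works inside an onHeadersReceived listener
// registered with "blocking", which is why the manifest needs webRequestBlocking.
async function onHeadersReceived(details) {
  const info = await browser.webRequest.getSecurityInfo(details.requestId, { certificateChain: false });
  const observed = summarizeSecurityInfo(info);
  if (!observed) return {};
  const host = new URL(details.url).hostname;
  if (crowdVerdict(host, observed, CROWD) === "mismatch") {
    browser.notifications.create({ type: "basic", title: "CrowdTLS",
      message: `The certificate for ${host} does not match what the crowd sees.` });
  }
  return {}; // never cancel the request; CrowdTLS alerts, it does not block
}

// Register only inside an extension; the guard lets the file also load under Node.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    onHeadersReceived, { urls: ["https://*/*"] }, ["blocking"]);
}
```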

What's your roadmap?

The roadmap for CrowdTLS, if maintained, includes several exciting features and improvements. Here are some highlights:

  • Enhancing the crowd-source validation process to provide more accurate and comprehensive certificate analysis.
  • Introducing user customization options to allow fine-tuning of validation criteria and feedback preferences.
  • Collaborating with browser developers to streamline the integration of CrowdTLS functionalities natively into popular browsers.
  • Implementing opt-in advanced analytics and reporting features to provide valuable insights into SSL/TLS certificate usage and trends.

I'm open to ideas to improve CrowdTLS and I welcome feedback and suggestions from the open source community.

Contributing

If you would like to contribute to this project, feel free to submit a pull request or open an issue on GitHub.

This tool was written as part of my coursework for CSC 842 - Security Tool Development at Dakota State University taken in pursuit of a PhD in Cyber Operations. Consequently, I may choose not to maintain this tool beyond the length of the course, but have selected a license that enables open contributions in any case. I'll keep an eye out for pull requests.

License

This project is licensed under the MPL 2.0 License. See the LICENSE file for details.

I carefully evaluated various open-source licenses and chose the Mozilla Public License 2.0 (MPL 2.0) for CrowdTLS due to its compatibility with other licenses, strong copyleft provisions, and its alignment with my values and goals. MPL 2.0 ensures that the source code remains open and available, while allowing for flexibility in terms of collaboration and incorporation into other projects.

While I understand that different licenses may have their merits, I believe that MPL 2.0 provides the best balance of openness, collaborative potential, and legal clarity for the development and distribution of CrowdTLS.