client-hello-mirror/README.md

TLS Client Hello Mirror

This test:

• reflects the complete Client Hello message in multiple formats, preserving the order in which TLS parameters and extensions are sent;
• can be used to check for TLS privacy pitfalls (session resumption, TLS fingerprinting, system time exposure);
• supports both HTTP and Gemini on the same port;
• is free as in freedom and trivial to self-host.

A live instance is running at tlsprivacy.nervuri.net.

Installation

See INSTALL.md.

API documentation

This test exposes two JSON endpoints:

• /json/v1 (basic)
• /json/v2 (detailed)

See DOC.md for details.

Wishlist

• detect client vulnerability to session prolongation attacks
• support early data / 0-RTT (Go's crypto/tls library currently does not)
• support sessionID-based resumption (Go's crypto/tls library currently does not)
• decode more extensions
• token binding (RFCs 8471-8473, formerly Channel ID) can be bad for privacy, but Chromium removed support in 2018. Edge might still support it, though. It may be worth testing for it (add to highlights and add warning in the UI).

Contributing

This project is hosted at tildegit.org. If you don't want to make an account, just shoot me an email with your patch / suggestion / bug report / whatever else.