TLS Client Hello Mirror
https://tlsprivacy.nervuri.net/
nervuri
b7322519a8
* add HTML and Gemtext UI * extend NJA3 * decode hex-encoded Client Hello message sent as query string * decode compress_certificate extension (RFC 8879) * update golang.org/x/crypto from v0.5.0 to v0.13.0 * in /json/v2, expose IANA "recommended" boolean field for cipher_sutes and signature_algorithms * suggest certbot's `--deploy-hook` option in INSTALL.md |
||
|---|---|---|
| .reuse | ||
| LICENSES | ||
| clienthello | ||
| .gitignore | ||
| DOC.md | ||
| INSTALL.md | ||
| LICENSE.txt | ||
| Makefile | ||
| NJA3.md | ||
| README.md | ||
| drop_privileges.go | ||
| error.html | ||
| formatting.go | ||
| go.mod | ||
| go.sum | ||
| index.gmi | ||
| index.html | ||
| request.go | ||
| response.go | ||
| script.js | ||
| server.go | ||
| style.css | ||
README.md
TLS Client Hello Mirror
This test:
- reflects the complete Client Hello message in multiple forms, preserving the order in which TLS parameters and extensions are sent;
- can be used to check for TLS privacy pitfalls (session resumption, TLS fingerprinting, system time exposure);
- supports both HTTP and Gemini on the same port;
- is free as in freedom and trivial to self-host.
A live instance is running at tlsprivacy.nervuri.net.
Installation
See INSTALL.md.
API documentation
This test exposes two JSON endpoints:
See DOC.md for details.
Wishlist
- detect client vulnerability to session prolongation attacks
- support early data / 0-RTT (Go's
crypto/tlslibrary currently does not) - support sessionID-based resumption (Go's
crypto/tlslibrary currently does not) - decode more extensions
- token binding (RFCs 8471-8473, formerly Channel ID) can be bad for privacy, but Chromium removed support in 2018. Edge might still support it, though. It may be worth testing for it (add to highlights and add warning in the UI).
Contributing
This project is hosted at tildegit.org. If you don't want to make an account, just shoot me an email with your patch / suggestion / bug report / whatever else.