Verify TLS certificates using different network perspectives
nervuri 6b810f1656 init 4 months ago

Trust Seeker

Verify TLS certificates using different network perspectives.

Let's say you're establishing a TLS connection to a host that responds with a self-signed certificate. It is the first time you've connected to that host; it does not use DANE and does not provide any out-of-band method of verifying the certificate. This leaves you only one way to detect whether or not a man-in-the-middle is trying to intercept your traffic: checking the certificate from other vantage points than your own. This is the only client-initiated solution to this problem. But unless you can connect to the host via some kind of proxy (Tor, perhaps), how can you ask other servers about the certificate of the host you're connecting to? This is the problem Trust Seeker aims to address. In so doing, it also provides a complementary way to check CA-signed certificates.

Currently, a server-side CGI script is available for the Gemini protocol, which is trivial to install and can be queried using any Gemini client. Just provide the host and port and it will return a JSON response. For example, querying for outputs:

  "cert_hash_sha256": "653ffa8e8bf29246fa1057a0c1beb6c18103ebc2839c5a52c2889bffdd10bff9",
  "pubkey_hash_sha256": "ef1183cd044981f977e134ec5a382513f0b662fc52d8183069798165e99795a2",
  "tls_version": 1.3,
  "cipher_suite": "TLS_AES_256_GCM_SHA384",
  "ip_addresses": [

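The comparison a client would make with such responses, as an added example (not Trust Seeker's own code). It reuses the `cert_hash_sha256` and `pubkey_hash_sha256` field names from the output above; the vantage names, the status labels, the quorum of 2 and the sample data are constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare(local: dict, responses: dict) -> dict:
    """Classify each vantage point's JSON answer against the local observation."""
    report = {}
    for name, raw in responses.items():
        try:
            seen = json.loads(raw)
            cert = seen["cert_hash_sha256"].lower()
            key = seen["pubkey_hash_sha256"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            report[name] = "unusable"   # a malformed answer proves nothing either way
            continue
        if cert == local["cert_hash_sha256"]:
            report[name] = "match"
        elif key == local["pubkey_hash_sha256"]:
            report[name] = "same-key"   # new certificate around the same key, e.g. a renewal
        else:
            report[name] = "mismatch"   # different key: interception or a multi-certificate host
    return report

def verdict(report: dict, quorum: int = 2) -> str:
    results = list(report.values())
    if "mismatch" in results:
        return "suspicious"
    if results.count("match") >= quorum:
        return "consistent"
    return "inconclusive"

# Constructed sample data: stand-in bytes, not real certificates or keys.
LOCAL = {"cert_hash_sha256": sha256_hex(b"constructed cert A"),
         "pubkey_hash_sha256": sha256_hex(b"constructed key A")}

def answer(cert: bytes, key: bytes) -> str:
    return json.dumps({"cert_hash_sha256": sha256_hex(cert),
                       "pubkey_hash_sha256": sha256_hex(key)})

RESPONSES = {
    "vantage-1": answer(b"constructed cert A", b"constructed key A"),
    "vantage-2": answer(b"constructed cert B", b"constructed key A"),
    "vantage-3": answer(b"constructed cert C", b"constructed key C"),
    "vantage-4": "not json",
}

if __name__ == "__main__":
    report = compare(LOCAL, RESPONSES)
    print(report, verdict(report))
```

A single disagreeing vantage point is enough to flag the connection, while agreement only counts once the quorum of independent answers is reached.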
Current status

The code is in an early exploratory stage. You can experiment with it, but there is no regard for backward compatibility at this point.

Prior work


This project is hosted at If you don't want to make an account, just shoot me an email with your patch / suggestion / bug report / whatever else.