Verify TLS certificates using different network perspectives
nervuri 44eb7bb264 init 3 months ago


Trust Seeker

Verify TLS certificates using different network perspectives.

Trust Seeker mixes ideas from:

It is a certificate pinning program that can be run either privately, on the command line, or publicly, as a server-side CGI script. Each public trust seeker can be asked what certificate it sees for a certain host. Client software can query multiple trust seekers, to check for consensus.

It aims to bring as much relevant information as possible to bear on any trust decision. This includes the TLS version and cipher suite, to help defend against downgrade attacks.

It can verify TLS certificates on any host and port, regardless of the protocol underneath: HTTP, DNS (DoT and DoH), e-mail (SMTP, IMAP, POP3), IRC, FTP, Gemini, Gopher, etc.

SSH support is on the roadmap.

Trust Seeker can be used with command line tools that support public key pinning, such as curl and wget, to protect every connection they make. The holy grail is to enable this kind of dynamic key pinning for e-mail server-to-server communication, which currently relies on opportunistic encryption.
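The multi-perspective check described above, as an added illustration that is not Trust Seeker's own code: each perspective records the leaf certificate's SHA-256 fingerprint together with the negotiated TLS version and cipher suite, and a client compares the reports for agreement. The report field names, the `min_agree` threshold and the sample fingerprints are assumptions made for this example.

```python
import hashlib
import socket
import ssl
from collections import Counter

# Each dict below is one perspective's report for a host:port. The field names
# are assumptions made for this example, not Trust Seeker's own output format.
def observe(host, port, timeout=5.0):
    """Connect to host:port and record the leaf certificate's SHA-256
    fingerprint plus the negotiated TLS version and cipher suite."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # pinning by fingerprint, not CA validation
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"fingerprint": hashlib.sha256(der).hexdigest(),
                    "tls_version": tls.version(),
                    "cipher": tls.cipher()[0]}

MIN_TLS = ("TLSv1.2", "TLSv1.3")

def consensus(observations, min_agree):
    """Compare reports from several perspectives.
    Returns (ok, majority_fingerprint, reasons); ok is False on any finding."""
    if not observations:
        return False, None, ["no observations"]
    reasons = []
    counts = Counter(o["fingerprint"] for o in observations)
    fp, agree = counts.most_common(1)[0]
    if len(counts) > 1:  # an interposed certificate shows up as a dissenting report
        reasons.append("%d distinct certificates seen" % len(counts))
    if agree < min_agree:
        reasons.append("only %d of %d perspectives agree (need %d)"
                       % (agree, len(observations), min_agree))
    weak = [o for o in observations if o["tls_version"] not in MIN_TLS]
    if weak:  # a downgraded handshake at any perspective is reported too
        reasons.append("%d perspective(s) negotiated TLS below 1.2" % len(weak))
    return not reasons, fp, reasons

# Constructed sample reports (fingerprints are placeholders, not real values).
SAMPLE = [
    {"fingerprint": "aa" * 32, "tls_version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"},
    {"fingerprint": "aa" * 32, "tls_version": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"fingerprint": "bb" * 32, "tls_version": "TLSv1.0", "cipher": "AES128-SHA"},
]

if __name__ == "__main__":
    ok, fp, why = consensus(SAMPLE, min_agree=2)
    print("consensus:", ok, fp[:16], why)
```

Replace `SAMPLE` with the output of `observe()` run from several vantage points to perform a live check; the cipher is recorded but not compared, since different clients legitimately negotiate different suites.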

Current status

The code is in an early exploratory stage. You can experiment with it, but big changes are planned and there is no regard for backward compatibility at this point.

Contributing

The project is hosted at https://tildegit.org/nervuri/trust-seeker. Just shoot me an email if you don't want to make a tildegit account.