Skip to content
View certaintls's full-sized avatar

Block or report certaintls

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
certaintls/README.md

CertainTLS

A “trusted certificate checker” … which would determine whether a device’s OS and/or applications is trusting root TLS certs it shouldn’t. Automated tests

Problem statement

Online HTTPS communications (e.g. via a browser) with an online service such as Facebook or Gmail are normally end-to-end-encrypted using TLS. But the security this system provides depends on the TLS public cert presented by the remote service being “good,” which in turn depends on it being “anchored” to a trusted cert—which depends on the anchor being trustworthy. But if the end user is trusting a “bad” root cert (for whatever reason), a monster-in-the-middle attack (MitM) will be able to read and decrypt their web traffic, inject fake content in real time, and harvest credentials, thereby nullifying the security the end user believed they had. How can a user know whether the root certs they're trusting are all “good”?

How does CertainTLS work?

CertainTLS consists of two parts: a multi-platform app, and a back-end server. The server periodically aggregates the "canonical" root certificates from the Google Android pipeline, Apple MacOS pipeline, Microsoft Windows pipline and Mozilla Mozilla pipeline certificate authority programs. CertainTLS's back end then analyzes these certificates and marks the ones from certificate authorities (CAs) in the countries whose Freedom in the World score's lower than 40 as untrustworthy. The CertainTLS app scans both the root certificates shipped by the OS and user-installed trusted root certificates, then validates each of them against the CertainTLS back end's "source of truth," and displays the result in the app, i.e. flagging root certs which are being trusted but maybe shouldn't be. The app also supports OSes' specific way to distrust certificates. Due to different security models and the app's limitation as a "third-party tool" in different OSes, CertainTLS currently supports Android, macOS, and Windows, but not (yet?) iOS, and the app's functionality on each platform differs slightly. For more information about which features are supported on each platform, please see here.

The impetus to develop CertainTLS came from inter alia the (allegedly Iranian) 2011 DigiNotar hack, China's 2015 Great Cannon (not a root cert problem but, more generally, an authoritarian government's willingness to force domestic private actors to compromise the internet's security), and the 2019 middling (by the КНБ) of all access to ~250 key foreign sites (including Facebook and Gmail) by all netizens using Kazakhstan's biggest ISP in that country's capital—supposedly "a test," but, well ...

Download the app

From the trusted distribution channel (recommended):

Get it on Google Play

From github.com CertainTLS releases:

Download directly

Download Windows version Certaintls Windowns release 1.4.3.zip

Download MacOS version Certaintls Mac release 1.4.1.zip

Contribution guidline

You are invited to contribute new features, fixes, or updates, large or small; we are always thrilled to receive pull requests, and do our best to process them as fast as we can. Besides the code, a reproducible bug report or documentation improvement is also welcome. To start filing bugs or asking questions, please use the CertainTLS app's GitHub issues. You are also welcomed to submit your feedback or suggestion to [email protected].

Technical documentation

Privacy Policy

Read the CertainTLS privacy policy

Sponsorship

Creation of CertainTLS was underwritten by the USAID-funded Information Safety & Capacity Project (ISC) via a grant to Counterpart International, an international NGO working in the civil society development sector. The ISC supports internet freedom by improving the defensive cybersecurity capabilities of local partners (rights-defending activists, journalists) in developing countries.

Popular repositories Loading

  1. build-VPN-server build-VPN-server Public

    Use Github workflow to build your own VPN server(s) in one minute ⚡

    Shell 19 28

  2. certaintls certaintls Public

    Introduction documentation repo

    8 3

  3. certaintls.app certaintls.app Public

    CertainTLS Android, iOS, Mac, Windows apps built on Flutter

    Dart 3

  4. certaintls.backend certaintls.backend Public

    Certaintls.app backend powered by Drupal

    PHP 1 2

  5. shapeshifter-transports shapeshifter-transports Public

    Forked from OperatorFoundation/shapeshifter-transports

    Shapeshifter Transports is a set of Pluggable Transports implementing the Go API from the Pluggable Transports 2.0 specification

    Go

  6. gost gost Public

    Forked from go-gost/gost

    GO Simple Tunnel - a simple tunnel written in golang

    Go