aboutsummaryrefslogtreecommitdiff
path: root/TODO
diff options
context:
space:
mode:
Diffstat (limited to 'TODO')
-rw-r--r--TODO42
1 files changed, 42 insertions, 0 deletions
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..75cc095
--- /dev/null
+++ b/TODO
@@ -0,0 +1,42 @@
+
+Here is a nice list of things to do to improve tlsdate:
+
+
+ 1) hack the client handshake to not leak the clock to the server
+ set it to all zeros or something cute or something random
+
+ 3) add HTTP GET request to avoid network fingerprinting
+ 6) skew the clock rather than slamming it
+11) verification of remote certificate for Tor nodes
+13) account for servers that do not send UTC (Microsoft sends local time)
+14) port to bssl, nss, gnutls, yassl, and other libraries
+15) starttls support (smtp, pop, imap, ftp, xmpp)
+16) ensure that 32bit time isn't near wrapping time on 32bit systems
+17) find others to audit it - we need more eyes!
+20) Add verification of remote servers by DANE/CAA DNSSEC protected records
+21) Integrate Chrome's CRL list into tlsdate
+22) Block revoked or bad certs such as MD5 inc. and others.
+24) Add OCSP check option
+25) Block weak signature algorithms
+26) Hard code block list of known horrible certs (extract from Chrome/FF)
+28) Check that extended key usage is empty, or includes TLS Server Auth
+29) extract the SubjectPublicKeyInfo from the certificates; match against
+ public keys
+31) Confirm HTTP and TLS date is within a sane range
+32) Integrate tack support https://github.com/tack/tackc
+33) Implement checking of RFC 2818 style wildcards:
+ http://wiki.cacert.org/WildcardCertificates
+35) seatbelt profile for Mac OS X
+36) SELinux policy for GNU/Linux platforms
+37) Port to some Windows operating system that anyone actually uses
+42) Unit-test everything
+47) Review cert validation and compare it with Chrome:
+ https://code.google.com/p/chromium/codesearch#chrome/src/net/base/x509_certificate.cc&l=500
+48) Complain when server uses very weak DH group parameters
+ example weak server: https://demo.cmrg.net/
+49) Add seccomp tlsdate and tlsdate-helper
+50) Add AppArmor fixes for Tails
+52) Port tlsdated to FreeBSD and other non GNU/Linux systems
+
+Patches welcome!
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-23 07:35:55 +0000