diff options
Diffstat (limited to 'TODO')
-rw-r--r-- | TODO | 42 |
1 files changed, 42 insertions, 0 deletions
@@ -0,0 +1,42 @@ + +Here is a nice list of things to do to improve tlsdate: + + + 1) hack the client handshake to not leak the clock to the server + set it to all zeros or something cute or something random + + 3) add HTTP GET request to avoid network fingerprinting + 6) skew the clock rather than slamming it +11) verification of remote certificate for Tor nodes +13) account for servers that do not send UTC (Microsoft sends local time) +14) port to bssl, nss, gnutls, yassl, and other libraries +15) starttls support (smtp, pop, imap, ftp, xmpp) +16) ensure that 32bit time isn't near wrapping time on 32bit systems +17) find others to audit it - we need more eyes! +20) Add verification of remote servers by DANE/CAA DNSSEC protected records +21) Integrate Chrome's CRL list into tlsdate +22) Block revoked or bad certs such as MD5 inc. and others. +24) Add OCSP check option +25) Block weak signature algorithms +26) Hard code block list of known horrible certs (extract from Chrome/FF) +28) Check that extended key usage is empty, or includes TLS Server Auth +29) extract the SubjectPublicKeyInfo from the certificates; match against + public keys +31) Confirm HTTP and TLS date is within a sane range +32) Integrate tack support https://github.com/tack/tackc +33) Implement checking of RFC 2818 style wildcards: + http://wiki.cacert.org/WildcardCertificates +35) seatbelt profile for Mac OS X +36) SELinux policy for GNU/Linux platforms +37) Port to some Windows operating system that anyone actually uses +42) Unit-test everything +47) Review cert validation and compare it with Chrome: + https://code.google.com/p/chromium/codesearch#chrome/src/net/base/x509_certificate.cc&l=500 +48) Complain when server uses very weak DH group parameters + example weak server: https://demo.cmrg.net/ +49) Add seccomp tlsdate and tlsdate-helper +50) Add AppArmor fixes for Tails +52) Port tlsdated to FreeBSD and other non GNU/Linux systems + +Patches welcome! + |