blob: 6c999433e165690d18d63b6e5bdde153bcb4e11d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
Here is a nice list of things to do to improve tlsdate:
0) relocate source and configs into subdirs
move code into src/
move configs into configs/
1) hack the client handshake to not leak the clock to the server
set it to all zeros or something cute or something random
2) allow users to pass certs for custom verification
3) add HTTP GET request to avoid network fingerprinting
5) daemonize and regularly slam the clock
6) skew the clock rather than slamming it
7) drop privs earlier
8) audit the code for show stopping bugs
9) make this work with Tor in a proxy safe manner (no DNS mode)
10) pin SSL certs for racket mode
11) verification of remote certificate for Tor nodes
13) account for servers that do not send UTC (Microsoft sends local time)
14) port to nss, gnutls, yassl and other libraries
15) starttls support (smtp, pop, imap, ftp, xmpp)
16) ensure that 32bit time isn't near wrapping time on 32bit systems
17) find others to audit it - we need more eyes!
18) cache recent time to /tmp/tlsdate_stamp or something
19) override client time
ensure we only believe the time to be the one compiled in or...
we read the cache of the time and read that.
20) Add option to tell us the remote time and to also print the difference
Patches welcome!
|
