appmattus / certificatetransparency

Licence: Apache-2.0 license
Certificate transparency for Android and JVM

To protect our apps from man-in-the-middle attacks, one of the first things that usually springs to mind is certificate pinning. However, certificate pinning has numerous issues. Firstly, deciding on a reliable set of keys to pin against is tough. Once you have made that decision, if your expectations don't match reality your users suffer by being unable to access your app or website. Smashing Magazine learnt this the hard way in late 2016, when a mismatch between their pins and their certificates blocked users' access for up to a year. On mobile, fixing an invalid pin means pushing out a new version of the app, which can still take a while to reach every user.

So with certificate pinning falling out of favour, what should you do? The new kid in town is certificate transparency.

Security

We are open about the security of our library and provide a threat model in the source code, created using OWASP Threat Dragon. If you feel there is something we have missed please reach out so we can keep this up to date.

Getting started

For Android modules include the android dependency in your build.gradle file which ensures the necessary ProGuard rules are present:

implementation("com.appmattus.certificatetransparency:certificatetransparency-android:<latest-version>")

For Java library modules include the dependency as follows:

implementation("com.appmattus.certificatetransparency:certificatetransparency:<latest-version>")

On Android it is recommended to configure certificate transparency through the provided Java Security Provider at app startup, which can be configured through installCertificateTransparencyProvider. The advantage of this setup is it should work across all network types including WebViews with no additional setup.

⚠️ Android's WebViews only allow you to intercept GET network requests, by overriding the shouldInterceptRequest method. This means the only reliable way to implement certificate transparency in WebViews is to use the Java Security Provider documented here.

import android.app.Application
// Both come from the certificatetransparency-android artifact added above
import com.appmattus.certificatetransparency.BasicAndroidCTLogger
import com.appmattus.certificatetransparency.installCertificateTransparencyProvider

class SampleApplication : Application() {
    override fun onCreate() {
        super.onCreate()

        // Install the Java Security Provider once, before any network traffic
        installCertificateTransparencyProvider {
            // Setup a logger (verbose only in debug builds)
            logger = BasicAndroidCTLogger(BuildConfig.DEBUG)

            // Exclude any subdomain but not "appmattus.com" with no subdomain
            -"*.appmattus.com"

            // Exclude specified domain
            -"example.com"

            // Override the exclusion by including a specific subdomain
            +"allowed.appmattus.com"
        }
    }
}

Take a look at the advanced configuration for documentation on all the available options.

⚠️ Using the Java Security Provider may not work on all JVMs, so if you are not on Android it is recommended that you use one of the alternatives documented below.

Certificate transparency can also be set up on specific network connections; instructions are available for:

Currently, there is no support in the library for Apache HttpClient.

Certificate revocation

Unfortunately, Android has no built-in support for certificate revocation, which means you're basically on your own. This is an incredibly hard problem to solve, and it is worth reading revocation is broken for more background. Needless to say, I would argue that revocation is flawed, along with the broken implementations in mobile and web browsers.

For our purposes we've added certificateRevocationInterceptor to this library:

certificateRevocationInterceptor {
    addCrl(
        // Base64 of the DER-encoded issuer Name (this one decodes to C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA)
        issuerDistinguishedName = "ME0xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIgU2VjdXJlIFNlcnZlciBDQQ==",
        // Base64 of the raw serial number bytes of the certificates from that issuer to treat as revoked
        serialNumbers = listOf("Aa8e+91erglSMgsk/mtVaA==", "A3G1iob2zpw+y3v0L5II/A==")
    )
}

It is worth highlighting that the list of revoked certificates needs to be built into the app, so adding a revocation requires pushing out an app update. This does mean there is a small window for any attack using a revoked certificate.
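To see what the opaque strings passed to addCrl actually carry, here is an added Python helper (not part of the library) that decodes the issuerDistinguishedName as a base64 DER Name and the serialNumbers as base64 raw integer bytes, plus the inverse for building entries from your own issuer's serials; the value encodings are inferred from the sample values above, not from library documentation.

```python
import base64

# ASN.1 DER tags that occur in an X.509 Name
SEQUENCE, SET, UTF8 = 0x30, 0x31, 0x0C
# Short names for the common Name attribute OIDs
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
              "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs; the first byte packs arcs 1 and 2)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_issuer_dn(b64):
    """issuerDistinguishedName = base64 of the DER Name:
    SEQUENCE of SET (one RDN) of SEQUENCE { OID, value }. Returns [(attr, value), ...]."""
    tag, name, _ = _tlv(base64.b64decode(b64), 0)
    if tag != SEQUENCE:
        raise ValueError("issuer DN is not a DER SEQUENCE")
    out, pos = [], 0
    while pos < len(name):
        tag, rdn, pos = _tlv(name, pos)
        if tag != SET:
            raise ValueError("RDN is not a DER SET")
        p = 0
        while p < len(rdn):                 # a SET may hold several attributes
            _, atv, p = _tlv(rdn, p)
            _, oid_raw, q = _tlv(atv, 0)
            vtag, val, _ = _tlv(atv, q)     # UTF8String or PrintableString/IA5String
            oid = _decode_oid(oid_raw)
            out.append((ATTR_NAMES.get(oid, oid), val.decode("utf-8" if vtag == UTF8 else "ascii")))
    return out

def decode_serial(b64):
    """serialNumbers entries = base64 of the serial's raw big-endian bytes; return lowercase hex."""
    return base64.b64decode(b64).hex()

def encode_serial(hex_serial):
    """Inverse: turn 'openssl x509 -noout -serial' style hex into the DSL's base64 form."""
    return base64.b64encode(bytes.fromhex(hex_serial)).decode("ascii")
```

Running decode_issuer_dn on the sample value above yields C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA, and the first sample serial is the 16-byte value 01af1efbdd5eae0952320b24fe6b5568.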

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

License

This project is licensed under the Apache License, Version 2.0 - see the LICENSE.md file for details