opensnitch

collect statistics about CA

Open evilsocket opened this issue 6 years ago • 4 comments

while apps are creating TLS connections, the daemon should (asynchronously) resolve the whole certificates chain of every visited host and collect statistics about what certification authority is being used for each one (incrementing its connection counter in a new by_ca map[string]int field). These new stats should be rendered as a new tab in the UI.

evilsocket avatar Apr 13 '18 09:04 evilsocket

not bad, haven't seen these stats anywhere else!

akatasonov avatar Apr 13 '18 17:04 akatasonov

yeah, i'm personally very curious to see from whom my traffic is protected and encrypted ...

evilsocket avatar Apr 14 '18 19:04 evilsocket

This would be GREAT! Fantastic idea ;-)

aes512 avatar Apr 17 '18 06:04 aes512

Removed this from the 1.0.0 milestone as it'll take more time than I initially thought. There're two ways of handling this:

  1. Whenever a new TLS connection is detected, the daemon can asynchronously connect to the same host and fetch the certificates chain. This adds a lot of overhead and it's generally slow. <-- This is not the correct approach

  2. TLS handshake packets should be intercepted on the Netfilter queue and the Certificates section parsed and extracted from them. The problem is that the whole handshake takes more than just one packet, so the system should collect, reassemble and then parse when the end of the handshake is reached (there's a specific marker for it). <-- This is

The second approach is being developed on the passive-tls-query branch.

evilsocket avatar Apr 17 '18 10:04 evilsocket
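
The second approach from the last comment (collect the handshake packets, reassemble them, parse once the end marker is reached), as an added example that is not opensnitch code and is not taken from the passive-tls-query branch. It assumes TLS 1.2 or earlier, where the Certificate message travels in cleartext, and server-to-client payloads already in order; `pop` and `ServerChain` are hypothetical names, and the returned DER blobs are what a `by_ca` counter would hand to `crypto/x509` to read the issuer.

```go
package main

import (
	"errors"
	"fmt"
)

// pop splits one unit off b: an h-byte header whose last l bytes are the
// big-endian body length, then the body. ok is false while b is incomplete.
func pop(b []byte, h, l int) (typ byte, body, rest []byte, ok bool) {
	n := 0
	for i := h - l; i < h && i < len(b); i++ {
		n = n<<8 | int(b[i])
	}
	if len(b) < h+n {
		return 0, nil, b, false
	}
	return b[0], b[h : h+n], b[h+n:], true
}

// ServerChain scans the server-to-client bytes collected so far on one
// connection; done is true once ServerHelloDone (type 14) has been seen.
func ServerChain(stream []byte) (chain [][]byte, done bool, err error) {
	var hs []byte // handshake layer, rebuilt from record payloads
	for typ, body, rest, ok := pop(stream, 5, 2); ok; typ, body, rest, ok = pop(rest, 5, 2) {
		if typ != 22 { // anything but a handshake record ends the cleartext flight
			return nil, false, errors.New("non-handshake record before ServerHelloDone")
		}
		hs = append(hs, body...)
	}
	for typ, body, rest, ok := pop(hs, 4, 3); ok; typ, body, rest, ok = pop(rest, 4, 3) {
		switch typ {
		case 11: // Certificate: list_len(3), then cert_len(3)+DER entries
			_, list, _, _ := pop(body, 3, 3)
			for _, der, rest, ok := pop(list, 3, 3); ok; _, der, rest, ok = pop(rest, 3, 3) {
				chain = append(chain, der)
			}
		case 14: // ServerHelloDone: end-of-handshake marker
			return chain, true, nil
		}
	}
	return chain, false, nil
}

func main() {
	// Constructed sample: one record with Certificate (a 2-byte placeholder, not real DER) + ServerHelloDone.
	s := []byte{22, 3, 3, 0, 16, 11, 0, 0, 8, 0, 0, 5, 0, 0, 2, 0xAA, 0xBB, 14, 0, 0, 0}
	fmt.Println(ServerChain(s[:9])) // first packet only: not done yet
	fmt.Println(ServerChain(s))     // both packets appended: chain extracted, done
}
```

The caller appends each new payload to the per-connection buffer and calls `ServerChain` again until `done` is true or an error is returned, then drops the buffer.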