
audit F-Droid's TLS/HTTP usage for info leaks

  • TLS client_random - this may contain the user's current time, enabling tracking based on clock skew
  • TLS Session IDs
  • TLS Session Tickets
  • client certs - don't send them. They are sent in plaintext, and a server requesting them usually leaks the client-cert CA configured on that server.
  • TLS SNI is in plaintext
  • Unusual features like trusted_ca_keys, SRP, and cached_info (the last one is new) will also enable tracking.
  • HSTS and HPKP headers can be used as supercookies. Browsers may also copy that state into private browsing mode.
  • Content Security Policy (CSP) Pinning can be used as a supercookie
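One way to check the first three bullets and the SNI bullet against real traffic, as an added example that is not F-Droid's code: a small Python parser for a TLS ClientHello record that reports whether client_random starts with a plausible Unix timestamp, whether a session ID or session-ticket extension is present, and which SNI is sent. The extension type numbers (0 and 35) are the IANA-registered ones; the builder and the hello it produces are constructed test inputs, so feed a ClientHello recorded from the real client to audit it.

```python
import struct
import time

EXT_SERVER_NAME = 0        # IANA TLS ExtensionType numbers
EXT_SESSION_TICKET = 35

def audit_client_hello(rec, now=None):
    """Parse one TLS ClientHello record; report fields that can identify or track the client."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = rec[9:]                      # skip 5-byte record header + 4-byte handshake header
    random, pos = body[2:34], 34        # client_random follows the 2-byte client_version
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    found = {"session_id": bool(session_id), "session_ticket": False, "sni": None, "random_time": None}
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SESSION_TICKET:
                found["session_ticket"] = True     # even an empty ticket extension is a signal
            elif etype == EXT_SERVER_NAME and len(data) >= 5:
                # ServerNameList: 2-byte list length, 1-byte name type, 2-byte name length, name
                name_len = struct.unpack("!H", data[3:5])[0]
                found["sni"] = data[5:5 + name_len].decode("ascii", "replace")
    # Pre-TLS-1.3 stacks may put gmt_unix_time in the first 4 bytes of client_random; flag it when
    # those bytes decode to a time within a week of "now" (that is what enables clock-skew tracking).
    now = int(time.time()) if now is None else now
    t = struct.unpack("!I", random[:4])[0]
    if abs(t - now) < 7 * 24 * 3600:
        found["random_time"] = t
    return found

def build_client_hello(random, session_id, sni=None, ticket=False):
    # Constructed minimal TLS 1.2 ClientHello record for testing; not a captured one.
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        sn = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn)) + sn
    if ticket:
        exts += struct.pack("!HH", EXT_SESSION_TICKET, 0)   # empty ticket = "please issue one"
    body = b"\x03\x03" + random + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"                # one cipher suite, null compression
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that passes the audit returns no SNI only when it is not needed (e.g. IP-literal hosts), a fresh session ID/ticket-free hello when resumption is disabled, and a client_random with no timestamp.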

Certificate/Path Building Stuff

Notation: R -> I -> E : a Root cert signed an Intermediate cert, which signed an End-Entity cert. EE: end entity, i.e. the cert for a website.

  • You can learn clock skew using expired or about-to-expire certificates.

  • Intermediate Caching - some stacks cache intermediates, meaning a webserver can send R -> I -> E on connection 1 and then send only E on connection 2. If I was not cached, the client shows a certificate error and does not connect; if it was cached, the connection succeeds.

  • Name Constrained Intermediates - eventually we'll start seeing name-constrained intermediates operated by websites. Imagine you have a CA cert that can issue for *.guardianproject.info: you then get to issue as many EE certs as you want, which makes tracking via intermediate caching, PKP, and clock skew easier.
