dvogel/certspook

Experiment for spying on SSL clients and collecting certificate info for the remote end.

Latest commit 9b457d5 by Drew Vogel, Mar 12, 2024 (20 commits)

certspook

This project is an experiment to determine if one could use eBPF to reliably capture enough TLS connection details in order to determine which remote certificates a system relies upon.

The spooks were senior constables who wore no uniform, worked in pairs and followed constables about the city and suburbs to see if they did their work properly.

The idea is that eBPF can monitor outgoing connections, determine which are using TLS, and then export enough data to user-space for those certificates to be periodically checked for upcoming expirations.

⚠️ This experiment was able to detect TLS certificate dependencies for many conventional use cases, but it was far from able to observe all such dependencies.

💡 Name resolution is an area undergoing significant change. Many major applications, such as Chromium and Firefox, use their own custom resolvers: they forgo the conventional system DNS resolvers and use DNS-over-HTTPS instead. This creates a double layer of TLS inspection that would be required to achieve the goals of certspook.
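The README describes two halves of the pipeline: classifying an outgoing connection as TLS (something the eBPF side would do from the first bytes a process writes) and then, in user space, tracking which remote names the system depends on and flagging certificates that are close to expiring. The following is an added example written for this page, not code from the certspook project; it assumes that the eBPF probe hands user space the leading bytes of each outgoing stream (a constructed ClientHello stands in for that capture here) and that the user-space side has separately recorded a notAfter date for each observed server name (constructed sample dates below). It parses the TLS record and handshake headers only far enough to pull the server_name (SNI) extension out of a ClientHello, returning None for anything that is not a well-formed ClientHello, and then lists the observed names whose certificates fall inside a renewal window.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

TLS_HANDSHAKE = 0x16     # TLS record content type for handshake messages
CLIENT_HELLO = 0x01      # handshake message type for ClientHello
EXT_SERVER_NAME = 0x0000 # extension type for server_name (SNI)


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name if `data` starts with a TLS ClientHello, else None.

    Anything that is truncated, not a handshake record, or not a ClientHello
    yields None so the caller can treat the stream as non-TLS (or undecided).
    """
    # TLS record header: content_type(1) version(2) length(2)
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    # Handshake header: msg_type(1) length(3)
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    try:
        pos = 2 + 32                                  # client_version + random
        sid_len = hello[pos]; pos += 1 + sid_len      # session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        comp_len = hello[pos]; pos += 1 + comp_len    # compression_methods
        if pos == len(hello):
            return None                               # ClientHello without extensions
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        if end > len(hello):
            return None
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            ext = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            # server_name_list: list_length(2), then entries of name_type(1) name_len(2) name
            lpos = 2
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:   # 0 = host_name
                    return name.decode("ascii")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension.

    Used only to produce sample input; a real probe would capture these bytes.
    """
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = struct.pack("!H", len(entry)) + entry                 # server_name_list
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)                                # version + zero random
             + b"\x00"                                              # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"                   # one cipher suite
             + b"\x01\x00"                                          # null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def certs_needing_renewal(observed: Dict[str, datetime], now: datetime,
                          window_days: int = 30) -> List[str]:
    """Return observed server names whose notAfter falls within `window_days` of `now`,
    soonest first. `observed` maps SNI name -> certificate notAfter (tz-aware)."""
    cutoff = now + timedelta(days=window_days)
    due = [(not_after, name) for name, not_after in observed.items() if not_after <= cutoff]
    return [name for _, name in sorted(due)]


if __name__ == "__main__":
    # Constructed sample: one TLS stream and one plain HTTP stream.
    for stream in (build_client_hello("api.example.test"), b"GET / HTTP/1.1\r\n"):
        print(repr(stream[:8]), "->", extract_sni(stream))
    # Constructed expiry data for names the probe is assumed to have observed.
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)
    observed = {
        "api.example.test": now + timedelta(days=10),
        "cdn.example.test": now + timedelta(days=90),
        "auth.example.test": now + timedelta(days=3),
    }
    print("renewal due:", certs_needing_renewal(observed, now))
```

The parser deliberately stops at the first host_name entry and treats every malformed length as "not TLS" rather than raising; on a probe that sees every outgoing write, a noisy parser is worse than a conservative one. Note that this only classifies streams that send a ClientHello in the clear, which is exactly why the DNS-over-HTTPS case in the note above needs a second layer: the DoH connection itself shows up as one more TLS dependency, but the names resolved inside it do not.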
