1 2Here is a nice list of things to do to improve tlsdate: 3 4 5 1) hack the client handshake to not leak the clock to the server 6 set it to all zeros or something cute or something random 7 8 3) add HTTP GET request to avoid network fingerprinting 9 6) skew the clock rather than slamming it 1011) verification of remote certificate for Tor nodes 1113) account for servers that do not send UTC (Microsoft sends local time) 1214) port to bssl, nss, gnutls, yassl, and other libraries 1315) starttls support (smtp, pop, imap, ftp, xmpp) 1416) ensure that 32bit time isn't near wrapping time on 32bit systems 1517) find others to audit it - we need more eyes! 1620) Add verification of remote servers by DANE/CAA DNSSEC protected records 1721) Integrate Chrome's CRL list into tlsdate 1822) Block revoked or bad certs such as MD5 inc. and others. 1924) Add OCSP check option 2025) Block weak signature algorithms 2126) Hard code block list of known horrible certs (extract from Chrome/FF) 2228) Check that extended key usage is empty, or includes TLS Server Auth 2329) extract the SubjectPublicKeyInfo from the certificates; match against 24 public keys 2531) Confirm HTTP and TLS date is within a sane range 2632) Integrate tack support https://github.com/tack/tackc 2733) Implement checking of RFC 2818 style wildcards: 28 http://wiki.cacert.org/WildcardCertificates 2935) seatbelt profile for Mac OS X 3036) SELinux policy for GNU/Linux platforms 3137) Port to some Windows operating system that anyone actually uses 3242) Unit-test everything 3347) Review cert validation and compare it with Chrome: 34 https://code.google.com/p/chromium/codesearch#chrome/src/net/base/x509_certificate.cc&l=500 3548) Complain when server uses very weak DH group parameters 36 example weak server: https://demo.cmrg.net/ 3749) Add seccomp tlsdate and tlsdate-helper 3850) Add AppArmor fixes for Tails 3952) Port tlsdated to FreeBSD and other non GNU/Linux systems 40 41Patches welcome! 42 43