luct-server 0.1.0

Server implementing a certificate transparency log
  • Links
  • Homepage
  • Sawchord/luct
  • Owners
  • Sawchord

luCT

luCT (pronounced "lucid") is a digital self-defense tool that adds an extra layer of security to HTTPS by auditing certificates' log inclusion proofs locally, in real time, as you browse.

Quick Start

  1. Install the Firefox extension
  2. Browse normally
  3. Look for the indicator when CT inclusion is verified

Status

This project is 🚧 experimental and not yet audited 🚧.

  • ❗ Bugs are likely
  • ❗ False positives/negatives may occur
  • ❗ Do not rely on this for critical security decisions

At this point in time, use it for testing, research, and exploration only.

Building

To build and test luCT yourself, see the build instructions.

How it works

Certificate Transparency (CT) improves the security of the Web by requiring certificate authorities to log the certificates they issue in append-only logs. A log returns a signed certificate timestamp (SCT) to the certificate authority.

Browsers that enforce CT require SCTs when establishing a TLS connection (embedded in the certificate, or delivered via a TLS extension or a stapled OCSP response) and refuse the connection otherwise. However, an SCT is only a signed promise that the certificate will be included in the log eventually (within the log's maximum merge delay). Browsers do not actually follow the logs and check inclusion proofs for the SCTs they encounter.

luCT closes that gap by checking log inclusion while you browse. If everything checks out, it shows an additional checkmark indicator. luCT is planned to be extended over time so that it covers more and more guarantees.

Privacy

Querying CT logs directly reveals which sites you visit.

luCT avoids this by sending its log queries through an oblivious TLS proxy that relays the encrypted connection without being able to read it:

  • The proxy sees your IP address, but not your request
  • The log sees the request, but not your IP address

Result: no single party can link you to your browsing activity.

If you already use a VPN or Tor, you can disable the proxy.

luCT does not collect any telemetry.

Permissions

The extension requires the following permissions:

  • <all_urls>, webRequest, webRequestBlocking

    Needed so that luCT can intercept the browser's HTTPS requests and extract the certificate chain used during the TLS handshake. The signed certificate timestamps are then extracted from these certificates.

  • activeTab and tabs

    Needed to keep track of which tab is currently active, and of when tabs are closed or their document URL changes. luCT needs this to display the correct safety status and sidebar information.

  • unlimitedStorage

    Needed to store more than 10 MB of data. luCT should usually stay well below that.

Contributing

PRs are welcome!

The project is in an early stage, so there are still many things unsettled and moving around.

Before starting major changes, it is best to get in touch with me first, for example via Matrix.

Repository overview

Here is a short overview of what is where in the repository:

  • extension/src: Firefox extension Svelte UI
  • extension/luct: Firefox extension data, manifest, etc.
  • luct: luCT CLI tool
  • luct-client: Implementations of clients that connect to logs and fetch data
  • luct-core: CT parsing and verification (RFC 6962)
  • luct-extension: Rust side of the Firefox extension. Wraps luct-scanner and provides the infrastructure needed to run it in a browser
  • luct-node: Executable providing the server-side functionality used by luct-scanner, such as the oblivious TLS proxy. This is NOT a log implementation
  • luct-otlsp: Integration of otlsp-client as a luct-client
  • luct-scanner: Core auditing logic
  • luct-server: Placeholder for a potential future log implementation
  • luct-store: Implementations for storing CT artifacts
  • luct-test: Collection of test code used in development
  • otlsp-*: Oblivious TLS proxy implementation (otlsp-core and the other otlsp crates)

License

At your discretion: