flexible HTTP/HTTPS proxy server, TLS terminator, X.509 TOFU manager,
browser, written in Go with the following
tofuproxy itself. TLS 1.3, session resumption and GOST cryptography (if built with gostls13) are supported. The connection between
tofuproxy and the browser itself uses ephemeral, on-the-fly generated certificates with the proper domain name.
crypto/x509 checks are applied to all certificates. If they pass, the certificate chain is saved on disk (TOFU, trust-on-first-use). Future connections are compared against it, warning you about an SPKI change (SPKI pinning) and waiting for your decision either to accept the new chain (possibly once per session) or to reject it. Even if Go's native checks fail (for example, the domain still does not use
the SubjectAltName extension), you can still decide to forcefully trust the domain.
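The trust-on-first-use decision described above, as an added example that is not tofuproxy's own code: the pin here is the SHA-256 of the leaf certificate's SubjectPublicKeyInfo, so a reissued certificate with the same key matches while a new key is flagged. PinStore, Check, newCert, the in-memory map and the host example.test are assumptions made for illustration, and the certificates are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// PinStore maps host -> SHA-256 of the pinned leaf SPKI (stand-in for the on-disk chain).
type PinStore map[string][32]byte

// Check compares the presented leaf certificate with the pin for host.
func (s PinStore) Check(host string, leaf *x509.Certificate) string {
	got := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	if pinned, seen := s[host]; !seen {
		s[host] = got // trust on first use
		return "first-use"
	} else if pinned == got {
		return "match" // certificate may have been reissued; the key is the same
	}
	return "spki-changed" // pin is left untouched until the user decides
}

// newCert builds a constructed self-signed certificate; keyID selects a fixed test key.
func newCert(host string, keyID byte, serial int64) *x509.Certificate {
	key := ed25519.NewKeyFromSeed(append(make([]byte, 31), keyID)) // test seed, not a real key
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	s := PinStore{}
	for i, keyID := range []byte{1, 1, 2} { // first contact, reissue with same key, key change
		fmt.Println(s.Check("example.test", newCert("example.test", keyID, int64(i+1))))
	}
}
```

Because the "spki-changed" branch never overwrites the stored pin, a rejected or unanswered prompt leaves the original key trusted for the next connection.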
And additional personal preferences:
www.reddit.com is redirected to
Copyright © 2021-2023 Sergey Matveev