Issue Date: 15 October 2019
RFQ Number: 2019-36
RFQ Name: Short-Term Technical Assistance (STTA) CertainTLS Developer
Questions due by: 20 Oct 2019 23h00 UTC
Answers will be provided by: 30 Oct 2019 23h00 UTC
Closing Date for offers: 15 Nov 2019 23h00 UTC
Counterpart International is an NGO working in the international development sector. One of Counterpart International’s projects, the ISC, enhances internet freedom by improving the defensive cybersecurity capabilities of local partners in developing countries.
Problem: HTTPS MiTM
Online HTTPS communications via a browser, e.g. with an online service such as Facebook or Google, are normally end-to-end encrypted via TLS. But the security this system provides depends on the TLS cert being “good,” which in turn depends on it being “anchored” to a trusted cert, which in turn depends on the anchor being trustworthy. If the end user is trusting a “bad” cert, a monster-in-the-middle (MiTM) attacker will be able to decrypt and read her web traffic, inject fake content in real time, and harvest credentials, thereby nullifying the security the end user believed she had. How can a user know whether the certs she’s trusting are all “good”?
Solution: a “trusted certificate checker” … which would determine whether a device’s OS and/or applications are trusting TLS certs they shouldn’t. This application is tentatively called CertainTLS.