Time Stamp Authority

freeTSA.org provides a free Time Stamp Authority. Adding a trusted timestamp to code or to an electronic signature provides a digital seal of data integrity and a trusted date and time of when the transaction took place.

Trusted timestamping is the process of securely keeping track of the creation and modification times of a document. Security here means that no one - not even the owner of the document - should be able to change it once it has been recorded provided that the timestamper's integrity is never compromised. FreeTSA trusted timestamping Software as a Service (SaaS) provides an easy method to apply RFC 3161 trusted timestamps to time-sensitive transactions through independently verified and auditable date and UTC (Coordinated Universal Time) sources.

Adding a trusted timestamp to code or to an electronic signature provides a digital seal of data integrity and a trusted date and time of when the transaction took place. Recipients of documents and code with a trusted timestamp can verify when the document or code was digitally or electronically signed, as well as verify that the document or code was not altered after the date the timestamp vouches for. (Readme).

For multiple files, the general concept is that timestamping a single file that contains an aggregate list of fingerprints of other files, also proves that these other files must have existed before the aggregate file was created, provided that both the aggregate file and the referenced file are available during verification process. Freetsa also offers the possibility of URLs timestamps (do not abuse). If you are interested in implementing timestamps on your project / company using the FreeTSA service, you can contact me for specific requirements. Freetsa can also be used within the Tor anonymity network.

Making timestamps from Android/iOS devices is possible and no software installation is required (Video). To timestamp a picture you must go to the "Online Signature" section in the browser, click "Choose a file" and select "Use camera". Once the photo or video are completed, you can download the timestamp (TimeStampResponse). Just that. You also may select any other file available in the device if you choose so.

Freetsa.org offers free OCSP and CRL, NTP, DNSCRYPT, DNS (Port 53) and DNS over TLS (DoT) services for time synchronisation and encrypted name resolution respectively. The resolution of DNSCRYPT (Port 553) do not have any type of restriction (SPAM, Malware, Parental,...). No logs are saved. Like the rest of the services offered by FreeTSA, DoT accepts TCP connections to port 853 on all its IPv4/IPv6 addresses.

Guide: How to sign PDF documents files with time stamp
FreeTSA onion domain (Tor): th3ccojidpgbgv5d.onion (https /http).
RFC 3161 TSA: Time-Stamp Protocol (TSP).
RFC 958 NTP: Network Time Protocol (NTP).
SSL Labs. Certificate Transparency NTP Pool Project associate membership.

Request Digest: sha1 / sha224 / sha256 / sha384 / sha512.

Freetsa TSA Certificate: tsa.crt
Key modulus (sha256): 899ba3d9f777e2a74bdd34302bc06cb3f7a46ac1f565ee128f79fd5dab99d68b

Freetsa CA Certificate: cacert.pem
Key modulus (sha256): a4b1a0a81aef68be1cc985d0f83bd6539cfe84174587f900e15ffe3f65433056

Basics: TCP-based client



Create a tsq (TimeStampRequest) file, which contains a hash of the file you want to sign.
$ openssl ts -query -data file.png -no_nonce -sha512 -cert -out file.tsq
Send the TimeStampRequest to freeTSA.org and receive a tsr (TimeStampResponse) file.
$ curl -H "Content-Type: application/timestamp-query" --data-binary '@file.tsq' https://freetsa.org/tsr > file.tsr
With the public Certificates you can verify the TimeStampRequest.
$ openssl ts -verify -in file.tsr -queryfile file.tsq -CAfile cacert.pem -untrusted tsa.crt
###########################################################
# 1. create a tsq file (SHA 512)
###########################################################
openssl ts -query -data file.png -no_nonce -sha512 -out file.tsq

# Option -cert: FreeTSA is expected to include its signing certificate (Root + Intermediate Certificates) in the response. (Optional)
# If the tsq was created with the option "-cert", its verification does not require "-untrusted".
#$ openssl ts -query -data file.png -no_nonce -sha512 -cert -out file.tsq


# How to make Timestamps of many files?

# To timestamp multiple files, create a text file with all their SHA-512 hashes and timestamp it.
# Alternatively, you may pack all the files to be timestamped in a zip/rar/img/tar, etc file and timestamp it.

# Generate a text file with all the hashes of the /var/log/ files
$ find /var/log/ -type f -exec sha512sum {} + > compilation.txt

###########################################################
# 2. cURL Time Stamp Request Input (HTTP / HTTPS)
###########################################################

# HTTP 2.0 in cURL: Get the latest cURL release and use this command: curl --http2.
curl -H "Content-Type: application/timestamp-query" --data-binary '@file.tsq' https://freetsa.org/tsr > file.tsr

# Using the Tor-network.
#$ curl -k --socks5-hostname 127.0.0.1:9050 -H "Content-Type: application/timestamp-query" --data-binary '@file.tsq' https://th3ccojidpgbgv5d.onion/tsr > file.tsr

# tsget is very useful to stamp multiple time-stamp-queries: https://www.openssl.org/docs/manmaster/apps/tsget.html
#$ tsget -h https://freetsa.org/tsr file1.tsq file2.tsq file3.tsq

###########################################################
# 3. Verify tsr file
###########################################################

wget https://freetsa.org/files/tsa.crt
wget https://freetsa.org/files/cacert.pem

# Timestamp Information.
openssl ts -reply -in file.tsr -text

# Verify (two diferent ways).
# openssl ts -verify -data file -in file.tsr -CAfile cacert.pem -untrusted tsa.crt 
openssl ts -verify -in file.tsr -queryfile file.tsq -CAfile cacert.pem -untrusted tsa.crt
# Verification: OK
Client script download: client.pl

How to use TSA TCP-based client (IPv4/IPv6).
$ perl client.pl freetsa.org 318 file

client: tsq file: file.tsq 
client: tsr file: file.tsr 
client: [Connected to freetsa.org:318]
client: client: transfer of the file.tsq to the server completed 
client: 40	file.tsq

# By default the TSQ file asks for the certificate chain (Root and Intermediate) to be provided in the response. 
# If you do not wish to do this you must change line 16 to line 15 of the script.


Online Signature



The file never leave your browser. Download the TimeSpamtQuery or Response.
Select a tsq and a tsr file. verify

URL screenshot


URL screenshot: Signature + URL timestamps. (Video)

Create evidence of
  • Illegal Internet content / non-repudiation of certain content.
  • Deleted / Edited controversial news.
  • Slander, threats or insults on Internet (social networks) / Scams.
  • Misuse of intellectual property: articles, photographs, plagiarism, etc.
  • Publication of unauthorized information
  • Simply demonstrate the existence of a specific content at a specific time.
$ curl --data "screenshot=https://www.fsf.org/&delay=n" https://freetsa.org/screenshot.php > screenshot.pdf
$ curl --data "screenshot=https://www.fsf.org/&delay=y" https://freetsa.org/screenshot.php > screenshot.pdf # (I'm Feeling Lucky)

### HTTP 2.0 in cURL: Get the latest cURL release and use this command: curl --http2.

### REST API in Tor: Add "-k --socks5-hostname localhost:9050".

# Normal domains within the Tor-network.
$ curl -k --socks5-hostname localhost:9050 --data "screenshot=https://www.fsf.org/&delay=y" https://th3ccojidpgbgv5d.onion/screenshot.php > screenshot.pdf

# ".onion" domain within the Internet.
$ curl -k --data "screenshot=https://th3ccojidpgbgv5d.onion/&delay=y&tor=y" https://freetsa.org/screenshot.php > screenshot.pdf

# ".onion" domain within the Tor network.
$ curl -k --socks5-hostname localhost:9050 --data "screenshot=https://th3ccojidpgbgv5d.onion/&delay=y&tor=y" https://th3ccojidpgbgv5d.onion/screenshot.php > screenshot.pdf
Option 1: Screenshot browser button.
1. Drag the bookmarklet "URL screenshot" to your Bookmarks Toolbar or Links Bar.
2. While viewing a page you want to use the bookmarklet on, click the bookmarklet from your Bookmarks Toolbar.

Option 2: Screenshot browser button (with icon).
Integrating an easy "URL screenshot" button in your favorite browser. (Download bookmark).

- Firefox: Import Bookmark / Toolbar Button.
- Opera:Import Bookmark / Toolbar Button.
- Chrome: Import Bookmark / Toolbar Button.


URL screenshot online

Web content and links in PDF / PNG format (attachment) + Signature with Timestamping (SHA-512). Aprox wait time 25 secons.
Browser agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0'

Other informations



OCSP SERVER: http://www.freetsa.org:2560
$ openssl ocsp -sha512 -CAfile cacert.pem -issuer cacert.pem -cert tsa.crt -url http://freetsa.org:2560 -resp_text

CRL (Revocation List): https://www.freetsa.org/crl/root_ca.crl
$ wget http://www.freetsa.org/crl/root_ca.crl
$ openssl crl -in root_ca.crl -noout -text

NTP, DNS, DoT and DNSCRYPT services
## Normal DNS (Port 53): Any freeTSA IP (IPv4 or IPv6) will give you normal DNS resolution service.

## NTP Server: freetsa.org (IPv4 / IPv6)

$ ntpdate freetsa.org

## Freetsa offers DoT on port 853 (IPv4 / IPv6). Systemd-resolved example: /etc/systemd/resolved.conf 

DNS=2607:f130:0:f8::3085:e961#www.freetsa.org 2607:f130:0:f8::c5a7:17a4#www.freetsa.org 2607:f130:0:f8::73a7:a9f6#freetsa.org 2607:f130:0:f8::4a5c:6f8c#freetsa.org 2607:f130:0:f8::7e72:6308#freetsa.org 2607:f130:0:f8::a514:d89a#freetsa.org 2607:f130:0:f8::2bab:3a16#freetsa.org 2607:f130:0:f8::c619:9640#freetsa.org 2607:f130:0:f8::4fb7:9035#freetsa.org 2607:f130:0:f8::4c85:a645#www.freetsa.org fe80::216:3cff:fe7d:d4d9#freetsa.org
# Don't use all the interfaces, choose one or two, for example the only IPv4 and some other IPv6 of your choice.

## Two DNSCRYPT FreeTSA servers (No logs, No DNSSEC, No anonymized DNS and No compatible with anonymization (https://github.com/DNSCrypt/dnscrypt-proxy/issues/1251))

Public server address: [2607:f130:0:f8::3085:e961]:553
Provider public key: d8ffbb42e031be7a79730b45568d496a4e8acb59aa8366fd6ab91e272a7d16e4
Provider name: 2.dnscrypt-cert.freetsa.org
DNS Stamp: sdns://AQcAAAAAAAAAH1syNjA3OmYxMzA6MDpmODo6MzA4NTplOTYxXTo1NTMg2P-7QuAxvnp5cwtFVo1Jak6Ky1mqg2b9arkeJyp9FuQbMi5kbnNjcnlwdC1jZXJ0LmZyZWV0c2Eub3Jn

Public server address: 173.82.18.238:553
Provider public key: d8ffbb42e031be7a79730b45568d496a4e8acb59aa8366fd6ab91e272a7d16e4
Provider name: 2.dnscrypt-cert.freetsa.org
DNS Stamp: sdns://AQcAAAAAAAAAETE3My44Mi4xOC4yMzg6NTUzINj_u0LgMb56eXMLRVaNSWpOistZqoNm_Wq5HicqfRbkGzIuZG5zY3J5cHQtY2VydC5mcmVldHNhLm9yZw

## DNSCrypt client: https://github.com/DNSCrypt/dnscrypt-proxy

FreeTSA Desktop App
Create a direct link to a chromium/chrome or Firefox app. This just run one command.

### Firefox
# Activate SSB In firefox it is necessary: "about:config" > "browser.ssb.enabled true"
# On Windows: Firefox > Page Actions (three consecutive dots in the address bar) > "Use this site in App Mode" creates a link on the desktop.
# On Linux you could make a simple desktop-link / script with the following command:
firefox --ssb https://freetsa.org/index_en_app.php


### Chromium / Chrome.
chromium --app=https://freetsa.org/index_en_app.php
chrome --app=https://freetsa.org/index_en_app.php

FreeTSA IPv6 Addresses
Any of these IPv6 can be used for OCSP, DNSCRYPT resolution (TCP/UDP), DoT (DNS over TLS), normal DNS and NTP Server.

2607:f130:0:f8::3085:e961
2607:f130:0:f8::c5a7:17a4
2607:f130:0:f8::73a7:a9f6
2607:f130:0:f8::4a5c:6f8c
2607:f130:0:f8::7e72:6308
2607:f130:0:f8::a514:d89a
2607:f130:0:f8::2bab:3a16
2607:f130:0:f8::c619:9640
2607:f130:0:f8::4fb7:9035
2607:f130:0:f8::4c85:a645

Security based HTTP response headers
- HPKP helps prevent Man in the Middle attack (MitM) by mitigating fake certificates.
- HSTS forces your browser to use HTTPS, which also mitigages some mitm attacks.
- CSP is a way to combat xss and malware via malicious ad-injection.