freeTSA.org provides a free Time Stamp Authority. Adding a trusted timestamp to code or to an electronic signature provides a digital seal of data integrity and a trusted date and time of when the transaction took place.
$ openssl ts -query -data file.png -no_nonce -sha512 -cert -out file.tsq
Send the TimeStampRequest to freeTSA.org and receive a tsr (TimeStampResponse) file.
$ curl -H "Content-Type: application/timestamp-query" --data-binary '@file.tsq' https://freetsa.org/tsr > file.tsr
With the public Certificates you can verify the TimeStampRequest.
$ openssl ts -verify -in file.tsr -queryfile file.tsq -CAfile cacert.pem -untrusted tsa.crt
###########################################################
# 1. create a tsq file (SHA 512)
###########################################################
openssl ts -query -data file.png -no_nonce -sha512 -out file.tsq
# Option -cert: FreeTSA is expected to include its signing certificate (Root + Intermediate Certificates) in the response. (Optional)
# If the tsq was created with the option "-cert", its verification does not require "-untrusted".
#$ openssl ts -query -data file.png -no_nonce -sha512 -cert -out file.tsq
# How to make Timestamps of many files?
# To timestamp multiple files, create a text file with all their SHA-512 hashes and timestamp it.
# Alternatively, you may pack all the files to be timestamped into a single archive (zip, rar, img, tar, etc.) and timestamp it.
# Generate a text file with all the hashes of the /var/log/ files
$ find /var/log/ -type f -exec sha512sum {} + > compilation.txt
###########################################################
# 2. cURL Time Stamp Request Input (HTTP / HTTPS)
###########################################################
# HTTP 2.0 in cURL: Get the latest cURL release and use this command: curl --http2.
curl -H "Content-Type: application/timestamp-query" --data-binary '@file.tsq' https://freetsa.org/tsr > file.tsr
# Using the Tor-network.
#$ curl -k --socks5-hostname 127.0.0.1:9050 -H "Content-Type: application/timestamp-query" --data-binary '@file.tsq' https://4bvu5sj5xok272x6cjx4uurvsbsdigaxfmzqy3n3eita272vfopforqd.onion/tsr > file.tsr
# tsget is very useful to stamp multiple time-stamp-queries: https://www.openssl.org/docs/manmaster/apps/tsget.html
#$ tsget -h https://freetsa.org/tsr file1.tsq file2.tsq file3.tsq
###########################################################
# 3. Verify tsr file
###########################################################
wget https://freetsa.org/files/tsa.crt
wget https://freetsa.org/files/cacert.pem
# Timestamp Information.
openssl ts -reply -in file.tsr -text
# Verify (two different ways).
# openssl ts -verify -data file -in file.tsr -CAfile cacert.pem -untrusted tsa.crt
openssl ts -verify -in file.tsr -queryfile file.tsq -CAfile cacert.pem -untrusted tsa.crt
# Verification: OK
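The multi-file approach from step 1 (timestamping one text file of SHA-512 hashes), as an added example that is not part of the freeTSA page or its tooling. It builds a reproducible manifest and later checks a directory against it, including files added after the manifest was made. The function names build_manifest and check_manifest and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names are illustrative, not freeTSA tooling.
# Assumes file names without newlines or backslashes (sha512sum escapes those).

# build_manifest DIR MANIFEST
# Hash every file under DIR with relative paths, sorted by path, so the same
# tree always yields a byte-identical manifest. MANIFEST must live outside DIR.
build_manifest() {
    bm_dir=$1; bm_out=$2
    ( cd "$bm_dir" && find . -type f -exec sha512sum {} + | LC_ALL=C sort -k 2 ) > "$bm_out"
}

# check_manifest DIR MANIFEST
# Returns 0 only if every listed file still matches and DIR holds no file the
# manifest does not list ("sha512sum -c" alone does not notice additions).
check_manifest() {
    cm_dir=$1; cm_rc=0
    cm_abs=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    cm_out=$(cd "$cm_dir" && sha512sum -c "$cm_abs" 2>&1) || {
        cm_rc=1
        printf '%s\n' "$cm_out" | grep -v ': OK$' >&2
    }
    # A SHA-512 hex digest is 128 characters, then two separator characters,
    # so the path starts at column 131 of each manifest line.
    cm_extra=$( (cd "$cm_dir" && find . -type f) | awk -v m="$cm_abs" '
        BEGIN { while ((getline line < m) > 0) seen[substr(line, 131)] = 1 }
        !($0 in seen)')
    if [ -n "$cm_extra" ]; then
        cm_rc=1
        printf '%s\n' "$cm_extra" | sed 's/^/not in manifest: /' >&2
    fi
    return "$cm_rc"
}

# Demo on constructed sample files in a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/logs/app"
printf 'boot ok\n' > "$demo/logs/syslog"
printf 'login alice\n' > "$demo/logs/app/auth.log"
build_manifest "$demo/logs" "$demo/compilation.txt"
check_manifest "$demo/logs" "$demo/compilation.txt" && echo "tree matches manifest"
printf 'login mallory\n' >> "$demo/logs/app/auth.log"
check_manifest "$demo/logs" "$demo/compilation.txt" || echo "change detected"
rm -rf "$demo"
```

Use the manifest as the -data file in steps 1 to 3. Once openssl ts -verify reports OK for the manifest, check_manifest ties each individual file back to that timestamp.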
$ perl client.pl freetsa.org 318 file
client: tsq file: file.tsq
client: tsr file: file.tsr
client: [Connected to freetsa.org:318]
client:
client: transfer of the file.tsq to the server completed
client: 40 file.tsq
# By default the TSQ file asks for the certificate chain (Root and Intermediate) to be provided in the response.
# If you do not wish to do this you must change line 16 to line 15 of the script.
$ curl --data "screenshot=https://www.fsf.org/&delay=n" https://freetsa.org/screenshot.php > screenshot.pdf
$ curl --data "screenshot=https://www.fsf.org/&delay=y" https://freetsa.org/screenshot.php > screenshot.pdf # (I'm Feeling Lucky)
### HTTP 2.0 in cURL: Get the latest cURL release and use this command: curl --http2.
### REST API in Tor: Add "-k --socks5-hostname localhost:9050".
# Normal domains within the Tor-network.
$ curl -k --socks5-hostname localhost:9050 --data "screenshot=https://www.fsf.org/&delay=y" https://4bvu5sj5xok272x6cjx4uurvsbsdigaxfmzqy3n3eita272vfopforqd.onion/screenshot.php > screenshot.pdf
# ".onion" domain within the Internet.
$ curl -k --data "screenshot=https://4bvu5sj5xok272x6cjx4uurvsbsdigaxfmzqy3n3eita272vfopforqd.onion/&delay=y&tor=y" https://freetsa.org/screenshot.php > screenshot.pdf
# ".onion" domain within the Tor network.
$ curl -k --socks5-hostname localhost:9050 --data "screenshot=https://4bvu5sj5xok272x6cjx4uurvsbsdigaxfmzqy3n3eita272vfopforqd.onion/&delay=y&tor=y" https://4bvu5sj5xok272x6cjx4uurvsbsdigaxfmzqy3n3eita272vfopforqd.onion/screenshot.php > screenshot.pdf
# Certificate files.
openssl ocsp -sha512 -CAfile cacert.pem -issuer cacert.pem -cert tsa.crt -url http://freetsa.org:2560 -resp_text
openssl ocsp -sha512 -CAfile cacert.pem -issuer cacert.pem -cert cacert.pem -url http://freetsa.org:2560 -resp_text
# Serial number.
openssl ocsp -sha512 -CAfile cacert.pem -issuer cacert.pem -serial "0xC1E986160DA8E982" -url http://freetsa.org:2560 -resp_text
openssl ocsp -sha512 -CAfile cacert.pem -issuer cacert.pem -serial "0xC1E986160DA8E980" -url http://freetsa.org:2560 -resp_text
$ wget http://www.freetsa.org/crl/root_ca.crl
$ openssl crl -in root_ca.crl -noout -text
## Normal DNS (Port 53): Any freeTSA IP (IPv4 or IPv6) will give you normal DNS resolution service.
## NTP Server: freetsa.org (IPv4 / IPv6)
$ ntpdate freetsa.org
## FreeTSA offers DoT on port 853 (IPv4 / IPv6). Systemd-resolved example: /etc/systemd/resolved.conf
DNS=2607:f130:0:f8::8198:f3f4#www.freetsa.org 2607:f130:0:f8::817e:69c7#www.freetsa.org 2607:f130:0:f8::ca3e:d470#www.freetsa.org 2607:f130:0:f8::8418:ec2d#www.freetsa.org 2607:f130:0:f8::2e57:96b#www.freetsa.org
# Don't use all the interfaces, choose one or two, for example the only IPv4 and some other IPv6 of your choice.
## Two DNSCRYPT FreeTSA servers (No logs, No DNSSEC, No anonymized DNS and not compatible with anonymization (https://github.com/DNSCrypt/dnscrypt-proxy/issues/1251))
Public server address: [2607:f130:0:f8::8418:ec2d]:553
Provider public key: d8ffbb42e031be7a79730b45568d496a4e8acb59aa8366fd6ab91e272a7d16e4
Provider name: 2.dnscrypt-cert.freetsa.org
DNS Stamp: sdns://AQcAAAAAAAAAH1syNjA3OmYxMzA6MDpmODo6MzA4NTplOTYxXTo1NTMg2P-7QuAxvnp5cwtFVo1Jak6Ky1mqg2b9arkeJyp9FuQbMi5kbnNjcnlwdC1jZXJ0LmZyZWV0c2Eub3Jn
Public server address: 142.171.183.141:553
Provider public key: d8ffbb42e031be7a79730b45568d496a4e8acb59aa8366fd6ab91e272a7d16e4
Provider name: 2.dnscrypt-cert.freetsa.org
DNS Stamp: sdns://AQcAAAAAAAAAETE3My44Mi4xOC4yMzg6NTUzINj_u0LgMb56eXMLRVaNSWpOistZqoNm_Wq5HicqfRbkGzIuZG5zY3J5cHQtY2VydC5mcmVldHNhLm9yZw
## DNSCrypt client: https://github.com/DNSCrypt/dnscrypt-proxy
FreeTSA Desktop App
Create a direct link to a Chromium/Chrome or Firefox app. This just runs one command.
### Firefox
# Activate SSB. In Firefox it is necessary: "about:config" > "browser.ssb.enabled true"
# On Windows: Firefox > Page Actions (three consecutive dots in the address bar) > "Use this site in App Mode" creates a link on the desktop.
# On Linux you could make a simple desktop-link / script with the following command:
firefox --ssb https://freetsa.org/index_en_app.php
### Chromium / Chrome.
chromium --app=https://freetsa.org/index_en_app.php
chrome --app=https://freetsa.org/index_en_app.php
FreeTSA IPv6 Addresses
Any of these IPv6 addresses can be used for OCSP, DNSCRYPT resolution (TCP/UDP), DoT (DNS over TLS), normal DNS and NTP Server.
2607:f130:0:f8::8198:f3f4
2607:f130:0:f8::817e:69c7
2607:f130:0:f8::ca3e:d470
2607:f130:0:f8::8418:ec2d
2607:f130:0:f8::2e57:96b
Security based HTTP response headers
- HPKP helps prevent man-in-the-middle (MitM) attacks by mitigating fake certificates.
- HSTS forces your browser to use HTTPS, which also mitigates some MitM attacks.
- CSP is a way to combat XSS and malware via malicious ad-injection.