🔐 iBrowe TLS (Transport Layer Security) Implementation Overview
This document provides insight into how TLS (formerly SSL) is implemented and enforced in iBrowe across various platforms.
⚙️ TLS Implementation
- Desktop & Android: iBrowe leverages the unmodified upstream Chromium TLS stack.
- iOS: TLS connections are handled by the native operating system APIs (Apple’s networking stack).
🏛️ Root Certificate Store
- Desktop & Android: iBrowe uses the same root store as Chrome:
  https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md
- iOS: The Apple root store is used via system APIs.
📌 Root Pinning & HSTS Preloading
- iBrowe enables enforcement of both root pinning and HSTS preloading.
- Instead of using Chrome’s embedded list, iBrowe maintains its own version:
https://github.com/ibrowe/ibrowe-core/blob/main/chromium_src/net/tools/transport_security_state_generator/input_file_parsers.cc
🔍 Test Domains
- https://ssl-pinning.someblog.org/
  → Expected to trigger a TLS error and be blocked
- https://pinning-test.badssl.com/
  → Should load with a red warning page (no TLS error)
🧾 Certificate Transparency (CT)
- iOS: Relies on Apple’s CT policy, with support built into WebKit.
- Desktop & Android: iBrowe enforces CT based on Chromium’s policy (started in version 1.56).
SCT (Signed Certificate Timestamp) auditing is disabled for now.
Reference:
https://github.com/ibrowe/ibrowe-core/pull/17944
📎 Source: Adapted from Brave TLS documentation, updated for iBrowe with modified structure and links