Technology

Tisura’s certification engine is based on a novel application of TLS reverse engineering and zero-knowledge cryptography. It allows users to share certified Internet data - documents, API responses, or HTML pages - with cryptographic guarantees of authenticity (who sent it) and integrity (what was sent), without requiring trust in the application server or Tisura.

How It Works

At the core of our system is a transparent proxy that intercepts and decrypts TLS traffic initiated by the user. This proxy is not trusted to access user credentials or decrypt sensitive payloads arbitrarily - instead, it operates under tightly scoped conditions:

  1. The user sends an HTTPS request through our proxy (optionally via a WebSocket tunnel).
  2. The proxy forwards the request to the destination server and captures both request and response at the packet level.
  3. The user’s browser shares the TLS session key (via a standard SSL key log file) with the proxy.
  4. The proxy uses this key material to decrypt the session, reconstructing the full request and response.
  5. The result is a cryptographically verifiable transcript of the HTTPS exchange:
    • Contains metadata (timestamps, IPs, headers)
    • Includes raw bytes of the request/response
    • Is bound to the original TLS handshake and certificate
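
Step 3 hands key material to the proxy, and a browser's SSL key log file normally holds secrets for every TLS session the browser opened. The following added example (not Tisura's code) parses the NSS key log format and keeps only the entries for the one session being certified, matched by its ClientHello random; the function names and the sample log are constructed for illustration.

```python
import re

# Labels used by the NSS key log format (SSLKEYLOGFILE), keyed by client_random.
KNOWN_LABELS = {
    "CLIENT_RANDOM",                    # TLS 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",      # TLS 1.3 secrets below
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Yield (label, client_random, secret) for each well-formed line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if not m or m.group(1) not in KNOWN_LABELS or len(m.group(3)) % 2:
            continue  # malformed or unknown entry: never forward it
        yield m.group(1), m.group(2).lower(), bytes.fromhex(m.group(3))


def scope_to_session(text, client_random_hex):
    """Return only the secrets belonging to one session (hypothetical helper)."""
    wanted = client_random_hex.lower()
    return {label: secret
            for label, cr, secret in parse_keylog(text) if cr == wanted}


# Constructed sample: session A is the one to certify, session B is unrelated.
CR_A, CR_B = "aa" * 32, "bb" * 32
SAMPLE = "\n".join([
    "# constructed sample, not real key material",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_A} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_A} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_A} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_A} {'44' * 32}",
    f"CLIENT_RANDOM {CR_B} {'55' * 48}",
    "CLIENT_RANDOM nothex deadbeef",
])

if __name__ == "__main__":
    print(sorted(scope_to_session(SAMPLE, CR_A)))
```

Filtering on the client side before upload means secrets for unrelated sessions in the same log never reach the proxy.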

This transcript can then be:

  • Signed and included in a certificate file
  • Used to generate zero-knowledge proofs about its contents (e.g., proof of age, proof of bank balance)

Trust Model

We designed our system to minimize the need for trust, even in the presence of a proxy:

| Element | Trust Assumption | Mitigation |
| --- | --- | --- |
| Proxy (Tisura server) | Untrusted to modify data | All data is tied to original TLS handshake |
| TLS session | Encrypted channel | We use ephemeral keys shared explicitly by user |
| Certificate contents | Can be audited independently | Signed hash tree of all request/response data |

The only trusted element is the user’s browser, which initiates the session and shares the session key log. This enables self-sovereign certification: the user controls what session is captured and certified.

Use Cases Enabled

By transforming TLS sessions into cryptographic transcripts, we unlock new primitives:

  • Certified document capture (e.g., rent receipts, tax documents)
  • zkKYC – prove attributes (age, residency, etc.) without sharing raw data
  • Intent certification – prove that a user submitted an API call with specific parameters
  • Tamper-proof onboarding – replace screenshot uploads and PDF sharing with verifiable transcripts
