Freespeachme .bit SNI

cryptosile
Posts: 7
Joined: Sat Aug 30, 2014 2:07 am
os: mac

Freespeachme .bit SNI

Post by cryptosile »

man... I'm starting to go crazy here... I thought I'd be able to get some SSL validation through namecoin by now. See my other post for trying to get DANE + DNSChains working. Now, I'm just trying to get simple fingerprinting through freespeechme working.

My freespeechme client works fine for https://clipperz.bit However, when I try https://sile.bit it does not work. I've triple checked that the certificate fingerprints from firefox match what's in my record:

{
  "ip": "162.255.118.6",
  "tls": { "tcp": { "443": [[1, "90638e25012b15862757056dc53673f38f1cc666c5b3eca5d72b84e6c3f4c492", 1]] } },
  "map": { "www": { "alias": "" } },
  "fingerprint": "8C:6F:57:57:08:52:03:29:4C:96:E9:E8:19:E5:44:DD:14:07:95:5B"
}

I've looked at clipperz to compare and mine is identical except that I have the additional TLS record. I'll try removing that and see what happens. I'm going to waste all my NMC getting this to work.

However, if it still fails after that, the only thing I can think of is that I'm using Server Name Indicator (SNI) and that is somehow making the validation break. I don't know. Anyone know why freespeechme doesn't like my domain?

https://sile.bit

Thanks!

foglight
Posts: 34
Joined: Tue Jul 09, 2013 9:46 pm

Re: Freespeachme .bit SNI

Post by foglight »

I'm sorry, I can't really help you... but I thought I would let you know that I can access your website using meowbit software.

cryptosile
Posts: 7
Joined: Sat Aug 30, 2014 2:07 am
os: mac

Re: Freespeachme .bit SNI

Post by cryptosile »

Thanks for taking a look!

I did it!!! Yeah!!! I finally got freespeechme to say verified!!

I've confirmed that SNI is what is causing problems with FreeSpeechMe. Meowbit, as far as I know, doesn't do any verification of the certificate. (Someone correct me if I'm wrong here.)

Freespeechme is much more complicated than I initially thought. I was able to get it to work with SNI by changing this line:

Change freespeechme/chrome/content/workers/ConnectionWorker.js Line: 463

targetSocket = new ConvergenceClientSocket(destination.host,
                                           destination.port,
                                           new_proxy);

But then you also have to use another tool to make sure that system-wide queries are .bit aware. I changed my /etc/resolv.conf to include one of the public resolvers: nameserver 192.184.93.146

So, that works... and is actually safe because we still have freespeechme validating the certificate directly from the namecoin... anyway. I'm exhausted... I had hoped it would be much easier than this.

For anyone else trying to debug freespeechme I had to turn on this about:config option to see all the debug messages on the console:
browser.dom.window.dump.enabled

then I had to learn about what an XPI is etc....

I think namecoin is a great project and I was planning on putting together a big walkthrough video, but it just doesn't seem possible to make it work with SNI and I don't feel like paying an extra $20 a year per domain for a dedicated IP address. Someone wake me up when we get seamless SNI support, DNSSEC/DANE

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Freespeachme .bit SNI

Post by biolizard89 »

Hi,

You don't need a dedicated address. Just use the fingerprint that the plain IP address has. FreeSpeechMe doesn't use SNI for 3 reasons (in decreasing order of importance): (1) SNI is a privacy leak, (2) SNI has no security benefit when doing fingerprint-based verification as .bit uses, and (3) Implementation happens to be easier. This is documented on both the FreeSpeechMe GitHub readme, and the FreeSpeechMe.org website.

This behavior should be explicitly stated in the .bit spec; the spec that I will be proposing in the near future will include such a statement.

The SNI backend of FreeSpeechMe will be modified in the future (because it has bugs with .bit sites that resolve to domains rather than IP's), but the current behavior of not using SNI for .bit domains will remain. (Unless someone can supply a compelling reason why it should be changed; this was discussed at length in the IRC and the consensus was the current behavior.)

@foglight, no, you're wrong, you can't access *any* HTTPS .bit sites with MeowBit; that's a major reason why you shouldn't be using MeowBit. Seriously, do you *want* everyone on your WLAN to be able to steal all your passwords? Please don't change the topic like that.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5
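An added example (mine, not FreeSpeechMe's or any project's code) of the fingerprint-pinning model this reply describes: connect without sending SNI, hash the certificate the server presents, and accept it only if that hash is published in the .bit record quoted earlier in the thread. It assumes the [1, hash, 1] entries carry a SHA-256 hex of the DER certificate in the middle position and treats the two flags as opaque; fetch_cert_no_sni, verify_cert, build_record and the 192.0.2.10 sample address are my own constructions.

```python
import hashlib
import socket
import ssl

def sha256_hex(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate as lowercase hex: the hash form in the 'tls' entry."""
    return hashlib.sha256(cert_der).hexdigest()

def sha1_colon(cert_der: bytes) -> str:
    """SHA-1 as colon-separated uppercase pairs: the form of the record's 'fingerprint' key."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def record_hashes(record: dict, port: int) -> set:
    """Collect every SHA-256 hex published under tls.tcp.<port>."""
    entries = record.get("tls", {}).get("tcp", {}).get(str(port), [])
    # Assumption: each entry is [flag, hex-hash, flag]; only the hash is compared here.
    return {entry[1].lower() for entry in entries}

def verify_cert(record: dict, port: int, cert_der: bytes) -> bool:
    """Trust decision: the presented certificate must match a hash in the record."""
    if sha256_hex(cert_der) in record_hashes(record, port):
        return True
    legacy = record.get("fingerprint")
    return legacy is not None and sha1_colon(cert_der) == legacy.upper()

def fetch_cert_no_sni(ip: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate the server presents when no SNI extension is sent.
    CA validation is disabled on purpose: trust comes from verify_cert, not from a CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:  # no server_hostname, so no SNI goes out
            return tls.getpeercert(binary_form=True)

def build_record(ip: str, cert_der: bytes, port: int = 443) -> dict:
    """Construct a record shaped like the one quoted in the thread, pinned to cert_der."""
    return {"ip": ip,
            "tls": {"tcp": {str(port): [[1, sha256_hex(cert_der), 1]]}},
            "map": {"www": {"alias": ""}},
            "fingerprint": sha1_colon(cert_der)}

if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    cert = b"\x30\x82\x01\x00constructed-certificate-body"
    record = build_record("192.0.2.10", cert)  # 192.0.2.0/24 is documentation space
    print(verify_cert(record, 443, cert), verify_cert(record, 443, cert + b"x"))
```

Against a live host you would call verify_cert(record, 443, fetch_cert_no_sni(record["ip"])) with the record fetched from Namecoin; a mismatch means the certificate served to non-SNI clients is not the one you published.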

cryptosile
Posts: 7
Joined: Sat Aug 30, 2014 2:07 am
os: mac

Re: Freespeachme .bit SNI

Post by cryptosile »

I think in the coming years SNI will become much more prevalent. So I think the question really should be to prove why SNI shouldn't be implemented rather than to try and prove why it should. I guess I could use the host IP fingerprint.... I'm essentially trusting them anyways.... somehow it doesn't seem as clean. Potentially you could have an IP load balancer that inspects the SNI header and routes the traffic to the correct backend server. So, as long as I only control that backend server I have better security by publishing only my SNI cert rather than some default host cert fingerprint.

(1) Privacy Leak? How so? If someone has a dedicated IP I can see that connection traffic and make my own connection to see the content of the website, I don't see how SNI leaks any more information than a website with a dedicated IP.

(2) Okay... SNI isn't about security benefits, it's about infrastructure benefits and cost benefits. I need to pay $20 more a year to get a dedicated IP and that cost is only going up. I also have several sites... yes I'm a cheap bastard...

(3) Yeah, I see that and understand why after looking at how freespeechme works... The root problem here is that the plugin framework doesn't give the access that you need to make the implementation of this easy. If freespeechme was just a patched mozilla, I think the code would be sooooooo much easier than the way it's done with freespeechme.

Here is my video on the subject:

https://www.youtube.com/watch?v=Sex_IrydnCI

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Freespeachme .bit SNI

Post by biolizard89 »

Hi,
cryptosile wrote: I think in the coming years SNI will become much more prevalent.

I think that as IPv6 increases in usage, SNI will become less and less prevalent. Whether IPv6 will replace IPv4 faster or slower than IPv4 TLS replaces IPv4 non-TLS, is unclear to me.

cryptosile wrote: So I think the question really should be to prove why SNI shouldn't be implemented rather than to try and prove why it should.

Well, I did give the privacy reason, and the implementation annoyance reason. Granted, implementation annoyance isn't an excellent reason by itself.

cryptosile wrote: I guess I could use the host IP fingerprint.... I'm essentially trusting them anyways.... somehow it doesn't seem as clean.

In my opinion, SNI is a very unclean specification.

cryptosile wrote: Potentially you could have an IP load balancer that inspects the SNI header and routes the traffic to the correct backend server. So, as long as I only control that backend server I have better security by publishing only my SNI cert rather than some default host cert fingerprint.

Under what use cases would a DNS-based load balancer not work just as well? (That's a serious question, I'm curious if there's a use case here.)

cryptosile wrote: (1) Privacy Leak? How so? If someone has a dedicated IP I can see that connection traffic and make my own connection to see the content of the website, I don't see how SNI leaks any more information than a website with a dedicated IP.

It leaks the domain name being used to connect to a server. For shared IP's, this information is not at all obvious otherwise, and dedicated IP's who wish to hide this information could inspect the Host HTTP header. SNI makes all that information public whether the server operator wants to or not. It's also somewhat harder to make your own connection to *every* TLS IP address you see (if you're, say, running a dragnet surveillance operation). Not impossible, but more expensive.

cryptosile wrote: (2) Okay... SNI isn't about security benefits, it's about infrastructure benefits and cost benefits. I need to pay $20 more a year to get a dedicated IP and that cost is only going up. I also have several sites... yes I'm a cheap bastard...

You don't need a dedicated IP under normal circumstances (as stated before). Also, IPv6 gives you a dedicated IP (probably many of them) for free. If you're a cheap bastard, why are you trying to do a weird load balancing setup?

cryptosile wrote: (3) Yeah, I see that and understand why after looking at how freespeechme works... The root problem here is that the plugin framework doesn't give the access that you need to make the implementation of this easy. If freespeechme was just a patched mozilla, I think the code would be sooooooo much easier than the way it's done with freespeechme.

Well, a patched Firefox only works with Firefox traffic. FreeSpeechMe is a proxy server, so it can work with pretty much any TCP traffic. Also, maintaining a Firefox fork is a massive amount of work -- ask Mike Perry from the Tor Project.

cryptosile wrote: Here is my video on the subject:

https://www.youtube.com/watch?v=Sex_IrydnCI
For some reason that video isn't working well on my machine (probably something on my end)... I'll see if I can get it to load later and get back to you on that.
