Bountysource claim: TLS validation of server cert for .bit

biolizard89
Posts: 1974
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Bountysource claim: TLS validation of server cert for .bit

Post by biolizard89 » Sun Mar 04, 2018 11:31 am

I've just filed a claim for the Bountysource bounty "TLS validation of server cert for .bit": https://www.bountysource.com/issues/263 ... rt-for-bit

If any community members believe that the claim doesn't satisfy the bounty terms, please let us know. The bounty will be paid out on March 18, 2018 if no one raises a dispute.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

virus_net
Posts: 82
Joined: Tue Aug 22, 2017 1:22 pm
os: bsd
Location: Moscow, Russia

Re: Bountysource claim: TLS validation of server cert for .bit

Post by virus_net » Mon Mar 05, 2018 8:37 am

If I understand right, it is about viewtopic.php?f=5&t=1137
I read all the available info but still don't have a full understanding of how this mechanism must work.

Is there more detailed info anywhere?
bitname.ru:
- whois service for .bit: whois.bitname.ru or whois.bitname.bit
- dns servers for .bit: dns1.bitname.ru dns2.bitname.ru or dns1.bitname.bit dns2.bitname.bit
- bit domains statistics
github


Re: Bountysource claim: TLS validation of server cert for .bit

Post by biolizard89 » Tue Mar 06, 2018 9:17 pm

virus_net wrote (Mon Mar 05, 2018 8:37 am):
> If I understand right, it is about viewtopic.php?f=5&t=1137
> I read all the available info but still don't have a full understanding of how this mechanism must work.
>
> Is there more detailed info anywhere?

Some instructions for setting up a TLS cert for a domain are at https://www.namecoin.org/docs/name-owners/tls/ , and there are a lot of articles at https://www.namecoin.org/news/ about how it works under the hood (grep for "How we’re doing TLS for Chromium" to see one of the more interesting articles).

Let me know if you need any additional info that isn't at either of those links, and I'll try to find the info for you. :)

Re: Bountysource claim: TLS validation of server cert for .bit

Post by virus_net » Wed Mar 07, 2018 6:45 am

Thanks.

I read docs/name-owners/tls before, but it is info only for end users.
It would be nice to put a link there to the "How we’re doing TLS for Chromium" news article. It's more interesting for those who want to understand how it works.
Also, there is no info about the HPKP header:
The HTTP header syntax is 'Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]'.
This is the first time I've heard about HPKP. This is strange for me because not so long ago I was writing a CA + RA for SSL with a web interface, and I used Google a lot to find more info about SSL.
Since that time, SSL looks to me like a BIG crutch, because of the many, many problems that it has. After I finished the CA + RA project my brain was completely out, and my opinion that SSL is a BIG BIG crutch only became stronger.
It's like IPv6. Everywhere everyone tells you to move to IPv6, but IPv6 still has many security holes in it and doesn't have full support on much of the hardware. Many people know about it, but no one does anything about it.

I searched a little about HPKP and saw news that Google wants to delete HPKP support from Chrome in May 2018 (when Chrome 67 comes or a little bit later), and it's still not supported in many browsers.

Re: Bountysource claim: TLS validation of server cert for .bit

Post by biolizard89 » Wed Mar 07, 2018 2:44 pm

virus_net wrote (Wed Mar 07, 2018 6:45 am):
> I read docs/name-owners/tls before, but it is info only for end users.
> It would be nice to put a link there to the "How we’re doing TLS for Chromium" news article. It's more interesting for those who want to understand how it works.

That's a good point, we probably should make those news articles a bit more prominently linked.

virus_net wrote (Wed Mar 07, 2018 6:45 am):
> Also, there is no info about the HPKP header:
> The HTTP header syntax is 'Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]'.
> This is the first time I've heard about HPKP.

If you're curious, the code we use to add the HPKP pin to Chromium is at https://github.com/namecoin/ncdns/blob/ ... ol/main.go (it uses the library at https://github.com/namecoin/ncdns/blob/ ... hromium.go ).

virus_net wrote (Wed Mar 07, 2018 6:45 am):
> I searched a little about HPKP and saw news that Google wants to delete HPKP support from Chrome in May 2018 (when Chrome 67 comes or a little bit later), and it's still not supported in many browsers.

Yes, that's correct. Last I checked, Firefox is considering deprecating HPKP as well. I think there are some other things we can do to achieve similar effects as HPKP (for our purposes, at least) once Chromium removes HPKP. On CryptoAPI, it looks like Enterprise Certificate Pinning might be a good option; on NSS, it looks like name constraints might be a good option. ECP and name constraints both have the advantage of not being tied to a particular browser. It'll take some significant work to actually add that functionality though.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5
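
As an added example (not ncdns code and not part of any post in this thread), this Go program computes the `pin-sha256` value used in the header syntax quoted above and checks the two pin conditions that RFC 7469 places on a `Public-Key-Pins` header. The names `SPKIPin`, `ParsePins`, `WouldNote` and `sampleSPKI` are made up for the example, and the keys are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
)

// SPKIPin hashes a DER SubjectPublicKeyInfo (cert.RawSubjectPublicKeyInfo in Go).
func SPKIPin(spki []byte) string {
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ParsePins returns the well-formed pins: 44 base64 characters per SHA-256 digest.
func ParsePins(header string) (pins []string) {
	re := regexp.MustCompile(`(?i)(?:^|;)\s*pin-sha256="([A-Za-z0-9+/]{43}=)"`)
	for _, m := range re.FindAllStringSubmatch(header, -1) {
		pins = append(pins, m[1])
	}
	return pins
}

// WouldNote applies RFC 7469's rule: one pin matches a chain key, one backup pin matches none.
func WouldNote(header string, chain ...[]byte) bool {
	inChain := map[string]bool{}
	for _, spki := range chain {
		inChain[SPKIPin(spki)] = true
	}
	match, backup := false, false
	for _, p := range ParsePins(header) {
		match, backup = match || inChain[p], backup || !inChain[p]
	}
	return match && backup
}

// sampleSPKI builds a throwaway Ed25519 key from n (constructed sample data).
func sampleSPKI(n byte) []byte {
	seed := [ed25519.SeedSize]byte{n}
	der, _ := x509.MarshalPKIXPublicKey(ed25519.NewKeyFromSeed(seed[:]).Public())
	return der
}

func main() {
	h := fmt.Sprintf(`pin-sha256="%s"; pin-sha256="%s"; max-age=5184000`, SPKIPin(sampleSPKI(1)), SPKIPin(sampleSPKI(2)))
	fmt.Println(h, WouldNote(h, sampleSPKI(1)), WouldNote(h, sampleSPKI(3)))
}
```

The pin covers only the public key, so a renewed certificate that keeps the same key keeps the same pin; `max-age` and the other directives are not checked here.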


Re: Bountysource claim: TLS validation of server cert for .bit

Post by virus_net » Thu Mar 08, 2018 4:58 am

Thanks for the info. Ofc I'm curious :)

Re: Bountysource claim: TLS validation of server cert for .bit

Post by biolizard89 » Tue Mar 20, 2018 10:44 am

Bounty awarded. However, since NMDF covered this work, I donated the Bountysource bounty back to the Namecoin Bountysource account.