[3 BTC Bounty] TLS Support for .bit Domains

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

Pushed some new code; now resolution errors will be displayed to the user (including failure to connect to nmcontrol). This should make configuration errors more obvious to newbies.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

moa
Posts: 255
Joined: Mon May 23, 2011 6:13 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by moa »

http://security.stackexchange.com/quest ... em-for-ssl

"what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl"

Security Stack Exchange. Given recent revelations about NSA/GCHQ illegal spying and hacking, we can assume many CAs are compromised.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

moa wrote: http://security.stackexchange.com/quest ... em-for-ssl

"what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl"

Security Stack Exchange. Given recent revelations about NSA/GCHQ illegal spying and hacking, we can assume many CAs are compromised.
Indeed... when I saw the leaks about HTTPS being compromised a few days ago, my first reaction was "Apparently I'm an oracle, as are the other people who contributed to the development of Convergence for Namecoin." Kind of cool to be working on something that (it seems) is immune to this shit. Maybe this will be good for my job security down the road....

But yeah, the stuff the NSA is doing is thoroughly appalling (though not entirely surprising). Obama (and his subordinates at the NSA) should be impeached and imprisoned for this (I realize that this is unlikely to happen).

Would I need a StackExchange user account to reply at that link? I don't have a StackExchange account....

moa
Posts: 255
Joined: Mon May 23, 2011 6:13 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by moa »

biolizard89 wrote:
moa wrote: http://security.stackexchange.com/quest ... em-for-ssl

"what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl"

Security Stack Exchange. Given recent revelations about NSA/GCHQ illegal spying and hacking, we can assume many CAs are compromised.
Indeed... when I saw the leaks about HTTPS being compromised a few days ago, my first reaction was "Apparently I'm an oracle, as are the other people who contributed to the development of Convergence for Namecoin." Kind of cool to be working on something that (it seems) is immune to this shit. Maybe this will be good for my job security down the road....

But yeah, the stuff the NSA is doing is thoroughly appalling (though not entirely surprising). Obama (and his subordinates at the NSA) should be impeached and imprisoned for this (I realize that this is unlikely to happen).

Would I need a StackExchange user account to reply at that link? I don't have a StackExchange account....
You will need a StackExchange account. You won't believe this, but my post got deleted by moderators!!!
We don't welcome spam or self promotion in answers here – Rory Alsop yesterday
So there must be some kind of clique operating that place that is not open to outside solutions, it smells like to me. If you do get an account you can vote to undelete the answer, I think.

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by phelix »

Tried my luck on StackExchange (with a comment).

Would it be possible to run this with a remote NMControl server?

I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

phelix wrote: Tried my luck on StackExchange (with a comment).

Would it be possible to run this with a remote NMControl server?

I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
Yes, that should be possible to modify Convergence for Namecoin to handle. I was already planning to do that at some point, but it's a pretty low priority right now... a bounty would probably change that.

However, keep in mind that authenticating the NMControl server isn't possible, so if someone MITMs your connection to a remote NMControl server, you're pretty much screwed (including TLS). I was mainly interested in this feature in case a user has a second PC (or VM) on their LAN which stores the blockchain, in which case MITMs aren't a major concern. Going onto the open Internet and expecting NMControl to return unmodified data is pretty risky; I wouldn't recommend it for most users. (Obviously this isn't any worse than using a DNS server that's not on your local network... but not having to do that is one of the draws of Namecoin.)

One other thing... would your bounty require a certain OS? Windows is broken on Firefox 22+ because of an upstream Convergence bug, which I reported yesterday. Not sure how long it will take to get a fix from the upstream devs.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5
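
Added example, not part of biolizard89's post or the Convergence for Namecoin code: a Python model of the point made above, that a certificate fingerprint check is only as trustworthy as the link the name record arrived over. The record field name, the SHA-256 hash, the sample certificates and the resolver hostname are assumptions constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed stand-ins for DER certificate bytes (not real certificates).
SITE_CERT = b"constructed DER bytes: certificate the name owner published"
OTHER_CERT = b"constructed DER bytes: certificate from some other key holder"


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 is an assumption of this example, not taken from the thread.
    return hashlib.sha256(cert_der).hexdigest()


def resolver_location(host: str) -> str:
    """Classify the resolver endpoint: 'local', 'lan' or 'remote'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "remote"  # a hostname needs its own lookup; assume the worst
    if addr.is_loopback:
        return "local"
    return "lan" if addr.is_private else "remote"


def pin_matches(record: dict, presented_cert: bytes) -> bool:
    """True if the presented certificate's hash is listed in the record.
    'fingerprints' is a hypothetical field name for this example."""
    return fingerprint(presented_cert) in record.get("fingerprints", [])


def decide(resolver_host: str, record: dict, presented_cert: bytes) -> str:
    """Combine the pin check with where the record came from."""
    if not pin_matches(record, presented_cert):
        return "reject"
    if resolver_location(resolver_host) == "remote":
        # The pin matched, but the record crossed an unauthenticated link,
        # so the match proves nothing about who holds the certificate.
        return "accept-unverified"
    return "accept"


# Record as stored for the name, and the same record altered in transit.
GENUINE = {"fingerprints": [fingerprint(SITE_CERT)]}
ALTERED = {"fingerprints": [fingerprint(OTHER_CERT)]}

if __name__ == "__main__":
    print(decide("127.0.0.1", GENUINE, SITE_CERT))            # accept
    print(decide("127.0.0.1", GENUINE, OTHER_CERT))           # reject
    print(decide("nmcontrol.example", ALTERED, OTHER_CERT))   # accept-unverified
```

The third call is the case the post warns about: the pin check itself passes, so only the knowledge of where the record came from lets a client flag the result.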

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

Just wanted to mention, for anyone who was on the IRC last night and heard about an alleged DNS leak bug in Convergence for Namecoin, I have investigated and determined that it was a problem in the website being visited, not a problem in my code. (The website in question was issuing an HTTP 301 redirect to a nonexistent domain whenever a .bit request was sent.)

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by phelix »

biolizard89 wrote:
phelix wrote: Tried my luck on StackExchange (with a comment).

Would it be possible to run this with a remote NMControl server?

I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
Yes, that should be possible to modify Convergence for Namecoin to handle. I was already planning to do that at some point, but it's a pretty low priority right now... a bounty would probably change that.
That remote NMControl or that DNS server querying? :?:
However, keep in mind that authenticating the NMControl server isn't possible, so if someone MITMs your connection to a remote NMControl server, you're pretty much screwed (including TLS). I was mainly interested in this feature in case a user has a second PC (or VM) on their LAN which stores the blockchain, in which case MITMs aren't a major concern. Going onto the open Internet and expecting NMControl to return unmodified data is pretty risky; I wouldn't recommend it for most users. (Obviously this isn't any worse than using a DNS server that's not on your local network... but not having to do that is one of the draws of Namecoin.)
It would be for beginners. If they could upgrade security step by step it would be optimal.

BTW: I am hoping for a light client that, for a DNS request, is checking a name_op and a couple of the following block headers for inherent security. Some time in the future... :)
One other thing... would your bounty require a certain OS? Windows is broken on Firefox 22+ because of an upstream Convergence bug, which I reported yesterday. Not sure how long it will take to get a fix from the upstream devs.
Of course it would be nice if it would work on Windows/Linux/Mac....

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

phelix wrote:
biolizard89 wrote:
phelix wrote: Tried my luck on StackExchange (with a comment).

Would it be possible to run this with a remote NMControl server?

I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
Yes, that should be possible to modify Convergence for Namecoin to handle. I was already planning to do that at some point, but it's a pretty low priority right now... a bounty would probably change that.
That remote NMControl or that DNS server querying? :?:
Sorry, was low on sleep when writing that post. It should be easy to make Convergence use a remote NMControl instance. This would be lightweight. Making Convergence directly contact a DNS server rather than using the NMControl RPC protocol is probably much harder, but is there any benefit from doing so? Either method is equally lightweight.
phelix wrote:
However, keep in mind that authenticating the NMControl server isn't possible, so if someone MITMs your connection to a remote NMControl server, you're pretty much screwed (including TLS). I was mainly interested in this feature in case a user has a second PC (or VM) on their LAN which stores the blockchain, in which case MITMs aren't a major concern. Going onto the open Internet and expecting NMControl to return unmodified data is pretty risky; I wouldn't recommend it for most users. (Obviously this isn't any worse than using a DNS server that's not on your local network... but not having to do that is one of the draws of Namecoin.)
It would be for beginners. If they could upgrade security step by step it would be optimal.
I'm looking at bundling nmcontrol and namecoind with Convergence, and offering users the choice between the bundled daemons, daemons already installed on the system, and remote daemons (obviously this option is less secure). Does this meet your goal of upgrading security step by step?
phelix wrote: BTW: I am hoping for a light client that, for a DNS request, is checking a name_op and a couple of the following block headers for inherent security. Some time in the future... :)
Can't help you there, sorry. Would be cool though.
phelix wrote:
One other thing... would your bounty require a certain OS? Windows is broken on Firefox 22+ because of an upstream Convergence bug, which I reported yesterday. Not sure how long it will take to get a fix from the upstream devs.
Of course it would be nice if it would work on Windows/Linux/Mac....
The Convergence upstream devs are looking at the bug with Windows and are guessing that it should be easy to fix (but that's not confirmed until they fix it). I don't have access to a Mac, so I can't easily test on it... but all my code should be relatively OS-neutral other than the Convergence issue. If I bundle namecoind, I would need to use a different binary for each OS... but that shouldn't be a huge problem.

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by phelix »

biolizard89 wrote:
phelix wrote: remote NMControl / DNS server querying? :?:
It should be easy to make Convergence use a remote NMControl instance. This would be lightweight. Making Convergence directly contact a DNS server rather than using the NMControl RPC protocol is probably much harder, but is there any benefit from doing so? Either method is equally lightweight.
Hmm, the difference is that there are no NMControl servers out there yet. But there might be quite some benefit to it: other lightweight Namecoin applications would be possible.

I might set one up in combination with the file signature stuff but it will take some time...
