[3 BTC Bounty] TLS Support for .bit Domains
-
- Posts: 2001
- Joined: Tue Jun 05, 2012 6:25 am
- os: linux
Re: [3 BTC Bounty] TLS Support for .bit Domains
Pushed some new code; now resolution errors will be displayed to the user (including failure to connect to nmcontrol). This should make configuration errors more obvious to newbies.
Re: [3 BTC Bounty] TLS Support for .bit Domains
http://security.stackexchange.com/quest ... em-for-ssl
"what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl"
Security stack exchange. Given recent revelations about NSA/GCHQ illegal spying and hacking we can assume many CAs are compromised.
Re: [3 BTC Bounty] TLS Support for .bit Domains
moa wrote:
> http://security.stackexchange.com/quest ... em-for-ssl
> "what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl"
> Security stack exchange. Given recent revelations about NSA/GCHQ illegal spying and hacking we can assume many CAs are compromised.
Indeed... when I saw the leaks about HTTPS being compromised a few days ago, my first reaction was "Apparently I'm an oracle, as are the other people who contributed to the development of Convergence for Namecoin." Kind of cool to be working on something that (it seems) is immune to this shit. Maybe this will be good for my job security down the road....
But yeah, the stuff the NSA is doing is thoroughly appalling (though not entirely surprising). Obama (and his subordinates at the NSA) should be impeached and imprisoned for this (I realize that this is unlikely to happen).
Would I need a StackExchange user account to reply at that link? I don't have a StackExchange account....
Re: [3 BTC Bounty] TLS Support for .bit Domains
biolizard89 wrote:
> moa wrote:
> > http://security.stackexchange.com/quest ... em-for-ssl
> > "what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl"
> > Security stack exchange. Given recent revelations about NSA/GCHQ illegal spying and hacking we can assume many CAs are compromised.
> Indeed... when I saw the leaks about HTTPS being compromised a few days ago, my first reaction was "Apparently I'm an oracle, as are the other people who contributed to the development of Convergence for Namecoin." Kind of cool to be working on something that (it seems) is immune to this shit. Maybe this will be good for my job security down the road....
> But yeah, the stuff the NSA is doing is thoroughly appalling (though not entirely surprising). Obama (and his subordinates at the NSA) should be impeached and imprisoned for this (I realize that this is unlikely to happen).
> Would I need a StackExchange user account to reply at that link? I don't have a StackExchange account....
You will need a stackexchange account. You won't believe this but my post got deleted by moderators!!!
> We don't welcome spam or self promotion in answers here – Rory Alsop yesterday
So there must be some kind of clique operating that place that is not open to outside solutions it smells like to me. If you do get an account you can vote to undelete the answer I think.
Re: [3 BTC Bounty] TLS Support for .bit Domains
Tried my luck on stackexchange (with a comment).
Would it be possible to run this with a remote NMControl server?
I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
Re: [3 BTC Bounty] TLS Support for .bit Domains
phelix wrote:
> Tried my luck on stackexchange (with a comment).
> Would it be possible to run this with a remote NMControl server?
> I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
Yes, that should be possible to modify Convergence for Namecoin to handle. I was already planning to do that at some point, but it's a pretty low priority right now... a bounty would probably change that.
However, keep in mind that authenticating the NMControl server isn't possible, so if someone MITMs your connection to a remote NMControl server, you're pretty much screwed (including TLS). I was mainly interested in this feature in case a user has a second PC (or VM) on their LAN which stores the blockchain, in which case MITMs aren't a major concern. Going onto the open Internet and expecting NMControl to return unmodified data is pretty risky; I wouldn't recommend it for most users. (Obviously this isn't any worse than using a DNS server that's not on your local network... but not having to do that is one of the draws of Namecoin.)
One other thing... would your bounty require a certain OS? Windows is broken on Firefox 22+ because of an upstream Convergence bug, which I reported yesterday. Not sure how long it will take to get a fix from the upstream devs.
Re: [3 BTC Bounty] TLS Support for .bit Domains
Just wanted to mention, for anyone who was on the IRC last night and heard about an alleged DNS leak bug in Convergence for Namecoin, I have investigated and determined that it was a problem in the website being visited, not a problem in my code. (The website in question was issuing an HTTP 301 redirect to a nonexistent domain whenever a .bit request was sent.)
Re: [3 BTC Bounty] TLS Support for .bit Domains
biolizard89 wrote:
> phelix wrote:
> > Tried my luck on stackexchange (with a comment).
> > Would it be possible to run this with a remote NMControl server?
> > I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
> Yes, that should be possible to modify Convergence for Namecoin to handle. I was already planning to do that at some point, but it's a pretty low priority right now... a bounty would probably change that.
That remote NMControl or that DNS server querying?
> However, keep in mind that authenticating the NMControl server isn't possible, so if someone MITMs your connection to a remote NMControl server, you're pretty much screwed (including TLS). I was mainly interested in this feature in case a user has a second PC (or VM) on their LAN which stores the blockchain, in which case MITMs aren't a major concern. Going onto the open Internet and expecting NMControl to return unmodified data is pretty risky; I wouldn't recommend it for most users. (Obviously this isn't any worse than using a DNS server that's not on your local network... but not having to do that is one of the draws of Namecoin.)
It would be for beginners. If they could upgrade security step by step it would be optimal.
BTW: I am hoping for a light client that for a dns request is checking a name_op and a couple of the following block headers for inherent security. Some time in the future...
> One other thing... would your bounty require a certain OS? Windows is broken on Firefox 22+ because of an upstream Convergence bug, which I reported yesterday. Not sure how long it will take to get a fix from the upstream devs.
Of course it would be nice if it would work on windows/linux/mac....
Re: [3 BTC Bounty] TLS Support for .bit Domains
phelix wrote:
> biolizard89 wrote:
> > phelix wrote:
> > > Tried my luck on stackexchange (with a comment).
> > > Would it be possible to run this with a remote NMControl server?
> > > I am considering setting up a small NMDF bounty for a lightweight Firefox plugin simply querying a DNS server for beginners. Would it make sense to derive this from the TLS plugin? One advantage might be that it would be relatively easy to upgrade security/privacy by adding NMControl/namecoind.
> > Yes, that should be possible to modify Convergence for Namecoin to handle. I was already planning to do that at some point, but it's a pretty low priority right now... a bounty would probably change that.
> That remote NMControl or that DNS server querying?
Sorry, was low on sleep when writing that post. It should be easy to make Convergence use a remote NMControl instance. This would be lightweight. Making Convergence directly contact a DNS server rather than using the NMControl RPC protocol is probably much harder, but is there any benefit from doing so? Either method is equally lightweight.
phelix wrote:
> > However, keep in mind that authenticating the NMControl server isn't possible, so if someone MITMs your connection to a remote NMControl server, you're pretty much screwed (including TLS). I was mainly interested in this feature in case a user has a second PC (or VM) on their LAN which stores the blockchain, in which case MITMs aren't a major concern. Going onto the open Internet and expecting NMControl to return unmodified data is pretty risky; I wouldn't recommend it for most users. (Obviously this isn't any worse than using a DNS server that's not on your local network... but not having to do that is one of the draws of Namecoin.)
> It would be for beginners. If they could upgrade security step by step it would be optimal.
I'm looking at bundling nmcontrol and namecoind with Convergence, and offering users the choice between the bundled daemons, daemons already installed on the system, and remote daemons (obviously this option is less secure). Does this meet your goal of upgrading security step by step?
phelix wrote:
> BTW: I am hoping for a light client that for a dns request is checking a name_op and a couple of the following block headers for inherent security. Some time in the future...
Can't help you there, sorry. Would be cool though.
phelix wrote:
> > One other thing... would your bounty require a certain OS? Windows is broken on Firefox 22+ because of an upstream Convergence bug, which I reported yesterday. Not sure how long it will take to get a fix from the upstream devs.
> Of course it would be nice if it would work on windows/linux/mac....
The Convergence upstream devs are looking at the bug with Windows and are guessing that it should be easy to fix (but that's not confirmed until they fix it). I don't have access to a Mac, so I can't easily test on it... but all my code should be relatively OS-neutral other than the Convergence issue. If I bundle namecoind, I would need to use a different binary for each OS... but that shouldn't be a huge problem.
Re: [3 BTC Bounty] TLS Support for .bit Domains
biolizard89 wrote:
> phelix wrote:
> > remote NMControl / DNS server querying?
> It should be easy to make Convergence use a remote NMControl instance. This would be lightweight. Making Convergence directly contact a DNS server rather than using the NMControl RPC protocol is probably much harder, but is there any benefit from doing so? Either method is equally lightweight.
Hmm, the difference is that there are no NMControl servers out there yet. But there might be quite some benefit to it, other lightweight Namecoin applications would be possible.
I might set one up in combination with the file signature stuff but it will take some time...