[3 BTC Bounty] TLS Support for .bit Domains

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by khal »

biolizard89, would it need a lot of work to make the convergence plugin :
- get ip from nmcontrol for a .bit name (imagine nmcontrol can give you the ip directly for a domain/sub-domain)
- intercept http .bit requests too

That way, dns requests for .bit are private and we are sure .bit requests go to the right ip (no intermediary/remote dns server).
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T

Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

khal wrote:biolizard89, would it need a lot of work to make the convergence plugin :
- get ip from nmcontrol for a .bit name (imagine nmcontrol can give you the ip directly for a domain/sub-domain)
- intercept http .bit requests too

That way, dns requests for .bit are private and we are sure .bit requests go to the right ip (no intermediary/remote dns server).
Funnily enough, that occurred to me too. I was actually looking at the Convergence source code this morning to see how easy that would be... it looks like it might be doable. I'll play around with it a bit and see if I can make progress; I'll also post some notes on what I think would need changing.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by phelix »

khal wrote:biolizard89, would it need a lot of work to make the convergence plugin :
- get ip from nmcontrol for a .bit name (imagine nmcontrol can give you the ip directly for a domain/sub-domain)
- intercept http .bit requests too

That way, dns requests for .bit are private and we are sure .bit requests go to the right ip (no intermediary/remote dns server).
What is the advantage to changing the dns server to 127.0.0.1 = nmcontrol ?
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by khal »

phelix wrote:
khal wrote:biolizard89, would it need a lot of work to make the convergence plugin :
- get ip from nmcontrol for a .bit name (imagine nmcontrol can give you the ip directly for a domain/sub-domain)
- intercept http .bit requests too

That way, dns requests for .bit are private and we are sure .bit requests go to the right ip (no intermediary/remote dns server).
What is the advantage to changing the dns server to 127.0.0.1 = nmcontrol ?
The DNS server needs administrator privileges (for port 53) + changing DNS configuration on the OS.

The disadvantage of Convergence is that it only works in Firefox. But it is sufficient for a lot of people, and it is a good first step.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

biolizard89 wrote:
khal wrote:biolizard89, would it need a lot of work to make the convergence plugin :
- get ip from nmcontrol for a .bit name (imagine nmcontrol can give you the ip directly for a domain/sub-domain)
- intercept http .bit requests too

That way, dns requests for .bit are private and we are sure .bit requests go to the right ip (no intermediary/remote dns server).
Funnily enough, that occurred to me too. I was actually looking at the Convergence source code this morning to see how easy that would be... it looks like it might be doable. I'll play around with it a bit and see if I can make progress; I'll also post some notes on what I think would need changing.
I have .bit DNS resolution working in Convergence for Namecoin for HTTP domains. I'll upload the code when I have a few minutes. Right now it only checks the "ip" record for the main domain (so anything using ip6/map/alias/ns/etc won't work). Also .bit DNS resolution doesn't work for HTTPS sites (probably fixable), and HTTP sites won't be able to go through a proxy (not easily fixable because Firefox is stupid and doesn't support proxy chains).

khal, any chance nmcontrol could be updated to provide the IP address of an arbitrary .bit domain?

EDIT: Here's the code: https://github.com/JeremyRand/Convergen ... resolution

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by khal »

biolizard89 wrote:I have .bit DNS resolution working in Convergence for Namecoin for HTTP domains. I'll upload the code when I have a few minutes. Right now it only checks the "ip" record for the main domain (so anything using ip6/map/alias/ns/etc won't work).
Good :)

biolizard89 wrote:Also .bit DNS resolution doesn't work for HTTPS sites (probably fixable), and HTTP sites won't be able to go through a proxy (not easily fixable because Firefox is stupid and doesn't support proxy chains).
It's not possible to use

this.connectionManager.setProxyTunnel(proxy);
before

return Components.classes["@mozilla.org/network/protocol-proxy-service;1"].getService(Components.interfaces.nsIProtocolProxyService).newProxyInfo("http", ipv4, uri.port==-1 ? 80 : uri.port, 1, 0, null);
?

biolizard89 wrote:khal, any chance nmcontrol could be updated to provide the IP address of an arbitrary .bit domain?
It'll be there in several days (after version 0.4.0 of this : http://dot-bit.org/forum/viewtopic.php?p=4407#p4407).
What API would you see to get data from (sub-)domains ? (it should be generic to work for non .bit things too)

Proposal :

./nmcontrol.py dns getIp domain.bit => return an array
./nmcontrol.py dns getIp4 domain.bit => return an array
./nmcontrol.py dns getIp6 domain.bit => return an array
(ps : I guess the "domain" plugin will disappear from help. It'll only provide internal mapping for .bit to the future "dns" plugin)

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

As far as I can tell, the setProxyTunnel method only applies to HTTPS traffic going through the Convergence proxy. I tried to get HTTP traffic to go through the proxy, but Convergence didn't allow it through (the Convergence proxy only supports HTTPS CONNECT, not HTTP GET). With my current code, HTTP traffic doesn't use the Convergence proxy; it goes directly to the target IP.

For the API, I'd like to see the following features:

getIp4
getIp6
getOnion
getI2p
getFreenet
getFingerprint

All of these would accept a .bit domain as an argument.

In the case of getIp4 and getIp6, I'd like to have the ability to specify in the API call whether to allow DNS leaks (similar to the --private flag in NMCSocks).

EDIT: I have HTTPS working for .bit lookups as well. Code is on my GitHub.

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by phelix »

biolizard89 wrote:As far as I can tell, the setProxyTunnel method only applies to HTTPS traffic going through the Convergence proxy. I tried to get HTTP traffic to go through the proxy, but Convergence didn't allow it through (the Convergence proxy only supports HTTPS CONNECT, not HTTP GET). With my current code, HTTP traffic doesn't use the Convergence proxy; it goes directly to the target IP.

For the API, I'd like to see the following features:

getIp4
getIp6
getOnion
getI2p
getFreenet
getFingerprint

All of these would accept a .bit domain as an argument.
I have a feeling this is becoming big. :)

We have not even decided on the namespaces for Freenet and I2P, have we? I suggest fn and i2p.
biolizard89 wrote:In the case of getIp4 and getIp6, I'd like to have the ability to specify in the API call whether to allow DNS leaks (similar to the --private flag in NMCSocks).

EDIT: I have HTTPS working for .bit lookups as well. Code is on my GitHub.
I suggest all should take the private parameter - maybe there will be namecoind servers that feed nmcontrol in the future.


I recommend we change the fingerprint representation in the blockchain to a more compact format. At least it should be possible without colons. Or should we go further and allow base64 or something?

IMHO at least the colons should be completely removed from the namespace spec. Would it be OK if I do that?

Snailbrain is working on a cool name configuration GUI panel so we should decide on this soon.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by biolizard89 »

phelix wrote:
biolizard89 wrote:As far as I can tell, the setProxyTunnel method only applies to HTTPS traffic going through the Convergence proxy. I tried to get HTTP traffic to go through the proxy, but Convergence didn't allow it through (the Convergence proxy only supports HTTPS CONNECT, not HTTP GET). With my current code, HTTP traffic doesn't use the Convergence proxy; it goes directly to the target IP.

For the API, I'd like to see the following features:

getIp4
getIp6
getOnion
getI2p
getFreenet
getFingerprint

All of these would accept a .bit domain as an argument.
I have a feeling this is becoming big. :)

We have not even decided on the namespaces for Freenet and I2P, have we? I suggest fn and i2p.
My opinion is that Onion/I2P/Freenet should still be in the d/ namespace. This is useful because it allows a domain owner to prove that they control both an IPv6 and an I2P domain, for example. WikiLeaks used an Onion domain and an IPv4 domain to point to the same server (the submission system), I think the .bit spec should allow such use cases.

The only argument I've heard against this is that it makes blacklisting certain types of records harder, e.g. a user wants to blacklist IPv4 and IPv6 but allow I2P. This can still be accomplished by having the browser plugin / SOCKS proxy have an option to only allow certain types of records (basically the same idea as blacklisting the ns record as the --private flag does in NMCSocks).
phelix wrote:
biolizard89 wrote:In the case of getIp4 and getIp6, I'd like to have the ability to specify in the API call whether to allow DNS leaks (similar to the --private flag in NMCSocks).

EDIT: I have HTTPS working for .bit lookups as well. Code is on my GitHub.
I suggest all should take the private parameter - maybe there will be namecoind servers that feed nmcontrol in the future.


I recommend we change the fingerprint representation in the blockchain to a more compact format. At least it should be possible without colons. Or should we go further and allow base64 or something?

IMHO at least the colons should be completely removed from the namespace spec. Would it be OK if I do that?

Snailbrain is working on a cool name configuration GUI panel so we should decide on this soon.
I like the colons because they're more readable. Also, browsers report the fingerprints with colons, so if we removed them from the blockchain, we would have to re-insert them when we compare them to the browser fingerprint. But, I suppose if nmcontrol handled this for us, it wouldn't be a big deal.

moa
Posts: 255
Joined: Mon May 23, 2011 6:13 am

Re: [3 BTC Bounty] TLS Support for .bit Domains

Post by moa »

biolizard89 wrote:As far as I can tell, the setProxyTunnel method only applies to HTTPS traffic going through the Convergence proxy. I tried to get HTTP traffic to go through the proxy, but Convergence didn't allow it through (the Convergence proxy only supports HTTPS CONNECT, not HTTP GET). With my current code, HTTP traffic doesn't use the Convergence proxy; it goes directly to the target IP.

For the API, I'd like to see the following features:

getIp4
getIp6
getOnion
getI2p
getFreenet
getFingerprint

All of these would accept a .bit domain as an argument.

In the case of getIp4 and getIp6, I'd like to have the ability to specify in the API call whether to allow DNS leaks (similar to the --private flag in NMCSocks).

EDIT: I have HTTPS working for .bit lookups as well. Code is on my GitHub.
\o/

checking it out now ....
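
Added example (not part of the thread, and not nmcontrol, NMCSocks or Convergence code): a sketch of the two checks discussed above, a lookup with a "private" option that refuses to follow an ns record, and a fingerprint comparison that works whether or not the stored value has colons. The function names, the JSON layout of the name value and the sample data are assumptions made for illustration.

```python
import json

# Constructed d/ name values; this JSON layout is an assumption for the example.
DIRECT = json.dumps({
    "ip": ["192.0.2.10"],
    "ip6": "2001:db8::10",
    "fingerprint": ["0123456789ABCDEF0123456789ABCDEF01234567"],  # no colons
})
DELEGATED = json.dumps({"ns": ["ns1.example.net"]})


class DnsLeak(Exception):
    """Answering would mean asking a remote DNS server."""


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def get_records(value_json, rtype, private=True,
                allowed=("ip", "ip6", "fingerprint")):
    """Hypothetical helper: return (source, values) for one record type."""
    if rtype not in allowed:
        raise PermissionError("record type %r disabled by local policy" % rtype)
    record = json.loads(value_json)
    if rtype in record:
        return "blockchain", _as_list(record[rtype])
    if rtype in ("ip", "ip6") and "ns" in record:
        servers = _as_list(record["ns"])
        if private:  # refuse instead of leaking the name to those servers
            raise DnsLeak("name delegates to " + ", ".join(servers))
        return "ns", servers  # caller has to query these servers itself
    return "blockchain", []


def normalize_fingerprint(fp):
    """Lowercase hex without separators; SHA-1 or SHA-256 length assumed."""
    digits = fp.replace(":", "").replace(" ", "").lower()
    if len(digits) not in (40, 64) or set(digits) - set("0123456789abcdef"):
        raise ValueError("not a certificate fingerprint: %r" % fp)
    return digits


def fingerprint_matches(value_json, presented_fp):
    """Compare a browser-style fingerprint with those stored in the name."""
    _, stored = get_records(value_json, "fingerprint")
    return normalize_fingerprint(presented_fp) in {
        normalize_fingerprint(s) for s in stored}
```

The allowed tuple plays the role of the per-record-type option mentioned in the thread: a client that should never connect over IPv4 or IPv6 can pass a tuple without "ip" and "ip6".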
