[3 BTC Bounty] TLS Support for .bit Domains

[namecoiner]

Keep on developing this wonderful project.
It has future.
We should make some fund raising also.

[biolizard89]

NMCSocks has some partial support for TLS, but there are no binaries, and as far as I can tell no one was able to make it build. It's discontinued, so it's doubtful that that code will be fixed/finished.

I am pledging a 1 BTC bounty to the first developer to implement the TLS feature of the .bit 2.0 spec. Requirements (all must be met for the bounty to be awarded):

1. TLS support implemented as described in the .bit 2.0 spec.
2. Source code (under open source license) with build instructions. (Someone must be able to verify that the source code is buildable.)
3. Windows binary. (Obviously Linux/OSX binaries would be awesome, but not a requirement.)
4. Instructions for making it work with Firefox on Windows.
5. I must be able to run the software for 1 week without crashes or other unexpected behavior.
6. Must be posted on this forum.

I think the centralization of the standard TLS infrastructure is a danger to the security of the Internet, and I think that .bit won't catch on if sites can't use TLS. Implementing TLS for .bit in a user-friendly way would help solve both issues.

If unclaimed, this bounty will expire at 11:59PM UTC, March 31, 2013.

(Warning for candidates: the latest binaries of NMCSocks crash periodically on Windows [at least for me], so if you use that code as your base, you'll need to make sure that it can meet requirement 5 above.)

If clarifications are needed about what I'm requesting, just ask. (This is the first bounty I've offered, so if I've made an oversight, please point it out and I'll correct.)

Thanks!

EDIT: total pledges:

1 BTC - biolizard89
1 BTC - phelix
1 BTC - Namecoin Marketing and Development Fund
Two two-letter .bit domains ( https://bitcointalk.org/index.php?topic=66212 ) - phelix

EDIT 2: All pledges extended to July 31, 2013.

Hey everyone,

As of now, I am claiming the bounty. Source code is at https://github.com/JeremyRand/Convergence/tree/namecoin ; an XPI installer is at http://veclabs.fuzziqersoftware.com/fil ... _06_11.xpi . You'll need Firefox, nmcontrol, and namecoind; see the documentation at GitHub.

This wasn't particularly easy for me, as I'm not fluent in Firefox extensions, but I'm pretty good at Google-fu. Hopefully this generates some interest for Namecoin.

@phelix and everyone else interested -- can you test this out? I'd like to see some test reports. And, assuming this is tested and works as I think it does, how should we go about awarding the bounty? Do I just post a Bitcoin address on the forum? Never done this before....

Thanks!

[phelix]

NMCSocks has some partial support for TLS, but there are no binaries, and as far as I can tell no one was able to make it build. It's discontinued, so it's doubtful that that code will be fixed/finished.

I am pledging a 1 BTC bounty to the first developer to implement the TLS feature of the .bit 2.0 spec. Requirements (all must be met for the bounty to be awarded):

1. TLS support implemented as described in the .bit 2.0 spec.
2. Source code (under open source license) with build instructions. (Someone must be able to verify that the source code is buildable.)
3. Windows binary. (Obviously Linux/OSX binaries would be awesome, but not a requirement.)
4. Instructions for making it work with Firefox on Windows.
5. I must be able to run the software for 1 week without crashes or other unexpected behavior.
6. Must be posted on this forum.

I think the centralization of the standard TLS infrastructure is a danger to the security of the Internet, and I think that .bit won't catch on if sites can't use TLS. Implementing TLS for .bit in a user-friendly way would help solve both issues.

If unclaimed, this bounty will expire at 11:59PM UTC, March 31, 2013.

(Warning for candidates: the latest binaries of NMCSocks crash periodically on Windows [at least for me], so if you use that code as your base, you'll need to make sure that it can meet requirement 5 above.)

If clarifications are needed about what I'm requesting, just ask. (This is the first bounty I've offered, so if I've made an oversight, please point it out and I'll correct.)

Thanks!

EDIT: total pledges:

1 BTC - biolizard89
1 BTC - phelix
1 BTC - Namecoin Marketing and Development Fund
Two two-letter .bit domains ( https://bitcointalk.org/index.php?topic=66212 ) - phelix

EDIT 2: All pledges extended to July 31, 2013.

Hey everyone,

As of now, I am claiming the bounty. Source code is at https://github.com/JeremyRand/Convergence/tree/namecoin ; an XPI installer is at http://veclabs.fuzziqersoftware.com/fil ... _06_11.xpi . You'll need Firefox, nmcontrol, and namecoind; see the documentation at GitHub.

This wasn't particularly easy for me, as I'm not fluent in Firefox extensions, but I'm pretty good at Google-fu. Hopefully this generates some interest for Namecoin.

@phelix and everyone else interested -- can you test this out? I'd like to see some test reports. And, assuming this is tested and works as I think it does, how should we go about awarding the bounty? Do I just post a Bitcoin address on the forum? Never done this before....

Thanks!

Woohaa. Sounds great. Give me (and others) a couple of days to take a look. In the meantime you might want to choose your domains from here: https://bitcointalk.org/index.php?topic=66212

It's preferable to pm me your Bitcoin address otherwise all the world can follow your coins to some extent (and mine).

[moa]

Another huge win for namecoin ... 2 in 2 days.

[khal]

I've tested it with a patched nmcontrol (to avoid updating the blockchain for now) and it works !

With the help of biolizard89, we have discovered that the support of SNI (several certificates on 1 ip) is currently broken in the Convergence plugin.
But it is really really promising

Good work biolizard89

[phelix]

I'm on it.

nmcontrol gave me some trouble but everything is fine now. Will post about it where in the nmcontrol thread. I wonder why I have not wrapped my head around nmcontrol before.

While I think it is good to go for nmcontrol, is there a reason besides caching you are going through it and not rpcing into namecoind directly?

Everything looks very good but I would like to have a domain set up and running before I pay the bounties. Can somebody point me to how to create a fingerprint and how to set it up with apache / nginx/tornado ?

[khal]

I'm on it.

nmcontrol gave me some trouble but everything is fine now. Will post about it where in the nmcontrol thread. I wonder why I have not wrapped my head around nmcontrol before.

Feedback wanted :p

While I think it is good to go for nmcontrol, is there a reason besides caching you are going through it and not rpcing into namecoind directly?

For performance reason :p. But, it may not be justificated (I planned to enable namecoin to be shut down and launched each XX hours then export all domains to a file. Not sure how loaded file is managed, all domains loaded into nmcontrol or for each rpc call ? I don't remember. It may have a real reason :p).

Everything looks very good but I would like to have a domain set up and running before I pay the bounties. Can somebody point me to how to create a fingerprint and how to set it up with apache / nginx/tornado ?

Search for self signed certificates, you should find what you want.

Here are my notes on how to get the fingerprint :

Info: http://baruch.siach.name/blog/posts/sha ... _ssl_cert/
Info: http://devsec.org/info/ssl-cert.html


Method 1 :
apt-get install gnutls-bin
gnutls-cli -p 443 dot-bit.bit


Method 2:

First get the raw certificate:

echo Q |openssl s_client -connect mail.example.com:443

Copy the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- to a file, say cert.pem, and generate the SHA1 fingerprint using:

If you already have the certificate :
openssl x509 -in cert.pem -sha1 -noout -fingerprint

[biolizard89]

I used NMControl because I was hoping to use its domain lookup features to make it easier to support subdomains etc. I later found out that that feature in NMControl is incompletely implemented, so I don't try to parse subdomain fingerprints (probably not hard to do from Javascript, but this is proof of concept). Anyway, I didn't want to redo the RPC code to use namecoind, so I left it on nmcontrol. Caching isn't a big deal because Convergence can cache stuff on its own anyway, but nmcontrol's caching allows us to cache .bit fingerprints while not caching non-Namecoine site fingerprints, so it's a small bonus. Aside from that, interacting with namecoind would require entering the RPC password into Convergence, whereas nmcontrol handles this for us.

You can generate a cert using this command line: http://redmine.lighttpd.net/projects/1/ ... rtificates . Then use the command that khal provided to get its fingerprint.

I used lighttpd for testing; info on installing a cert into it is at http://redmine.lighttpd.net/projects/1/ ... SL#Details .

Also, khal and I noticed that the fingerprint has to be uppercase in your Namecoin record.

[khal]

Also, khal and I noticed that the fingerprint has to be uppercase in your Namecoin record.

I've submitted a patch to allow lowercase fingerprints too : https://github.com/khalahan/Convergence/commits/master

[biolizard89]

Also, khal and I noticed that the fingerprint has to be uppercase in your Namecoin record.

I've submitted a patch to allow lowercase fingerprints too : https://github.com/khalahan/Convergence/commits/master

Cool, nice work.