NMControl-Hyperion

Namecoin, NMControl
phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: NMControl-Hyperion

Post by phelix »

biolizard89 wrote:
domob wrote:
biolizard89 wrote:
phelix wrote:Is it possible that your namecoind was not synced all the way at the beginning and then catched up? The elpais.bit name currently does not have an IP address in the value. It did some time ago, though.
Would be nice if Namecoin Core would refuse to answer name_show queries if the blockchain is incomplete. I've gotten a number of support requests about that in the past year. See https://github.com/namecoin/namecoin/issues/124 .
Should be easy to do. Mind opening a ticket against namecore? I'm travelling right now, but probably can fix this later in the week.
I would love to, except https://github.com/namecoin/namecore doesn't have the issue tracker enabled. :) @phelix, can you enable it?
Done. I also removed several unused wikis on our github repos.
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: NMControl-Hyperion

Post by biolizard89 »

Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: NMControl-Hyperion

Post by phelix »

2015-03-17
* It now uses the new experimental API server https://api.namecoin.org by default. This means it works without a Namecoin client running locally. Note that we could track your requests and IP address.
* Installer can now configure your system to automatically start NMControl on startup


Obviously asking the API server for name data is not very secure and private in comparison to running a local full node.
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

johnc
Posts: 89
Joined: Sun Dec 28, 2014 10:03 am

Re: NMControl-Hyperion

Post by johnc »

After doing this

Code: Select all

C:\Users\user>nslookup feens.bit
Server:  UnKnown
Address:  127.0.0.1

Name:    feens.bit
Address:  192.185.225.13


C:\Users\user>nslookup terra.es
Server:  UnKnown
Address:  127.0.0.1

Name:    terra.es
Addresses:  2604:600:0:aaaa:208:84:244:10
          208.84.244.10


C:\Users\user>nslookup yahoo.com
Server:  UnKnown
Address:  127.0.0.1

Name:    yahoo.com
Addresses:  206.190.36.45
          98.138.253.109
          98.139.183.24


C:\Users\user>nslookup yahoo.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  127.0.0.1

DNS request timed out.
    timeout was 2 seconds.
Is this normal?



I tried the last release on w7 and still it stops resolving dns at random times, i'm starting to think maybe one of the trackers that utorrent queries gives back bad dns info. Or there may be problems when the connection is dropping packets.

Code: Select all

Lookup: {'query': '', 'domain': 'bter.com', 'src_addr': ('127.0.0.1', 53301), 'qtype': 1, 'qclass': 1}
Fetching IP Address for:  bter.com with NS Server: 8.8.8.8
* result:  [{'name': 'bter.com', 'data': '141.101.121.208', 'typename': 'A', 'classstr': 'IN', 'ttl': 16, 'type': 1, 'class': 1, 'rdlength': 4}]
Lookup: {'query': '', 'domain': 'bter.com', 'src_addr': ('127.0.0.1', 63316), 'qtype': 1, 'qclass': 1}
Fetching IP Address for:  bter.com with NS Server: 8.8.8.8
* result:  [{'name': 'bter.com', 'data': 'bter.com.cdn.cloudflare.net', 'typename': 'CNAME', 'classstr': 'IN', 'ttl': 300, 'type': 5, 'class': 1, 'rdlength': 29}, {'name': 'bter.com.cdn.cloudflare.net', 'data': '141.101.121.208', 'typename': 'A', 'classstr': 'IN', 'ttl': 300, 'type': 1, 'class': 1, 'rdlength': 4}, {'name': 'bter.com.cdn.cloudflare.net', 'data': '141.101.121.207', 'typename': 'A', 'classstr': 'IN', 'ttl': 300, 'type': 1, 'class': 1, 'rdlength': 4}]
Lookup: {'query': '', 'domain': 'tracker.openbittorrent.com', 'src_addr': ('127.0.0.1', 53738), 'qtype': 1, 'qclass': 1}
Fetching IP Address for:  tracker.openbittorrent.com with NS Server: 8.8.8.8
Lookup: {'query': '', 'domain': 'tracker.openbittorrent.com', 'src_addr': ('127.0.0.1', 53738), 'qtype': 1, 'qclass': 1}
Fetching IP Address for:  tracker.openbittorrent.com with NS Server: 8.8.8.8
Lookup: {'query': '', 'domain': 'tracker.openbittorrent.com', 'src_addr': ('127.0.0.1', 53738), 'qtype': 1, 'qclass': 1}
Fetching IP Address for:  tracker.openbittorrent.com with NS Server: 8.8.8.8
Lookup: {'query': '', 'domain': 'tracker.openbittorrent.com', 'src_addr': ('127.0.0.1', 53738), 'qtype': 1, 'qclass': 1}
Fetching IP Address for:  tracker.openbittorrent.com with NS Server: 8.8.8.8
Last edited by johnc on Fri Apr 17, 2015 4:02 pm, edited 1 time in total.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: NMControl-Hyperion

Post by biolizard89 »

phelix wrote:2015-03-17
* It now uses the new experimental API server https://api.namecoin.org by default. This means it works without a Namecoin client running locally. Note that we could track your requests and IP address.
* Installer can now configure your system to automatically start NMControl on startup


Obviously asking the API server for name data is not very secure and private in comparison to running a local full node.
I would strongly oppose automatically using the API server unless the user has explicitly opted in.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: NMControl-Hyperion

Post by phelix »

biolizard89 wrote:
phelix wrote:2015-03-17
* It now uses the new experimental API server https://api.namecoin.org by default. This means it works without a Namecoin client running locally. Note that we could track your requests and IP address.
* Installer can now configure your system to automatically start NMControl on startup


Obviously asking the API server for name data is not very secure and private in comparison to running a local full node.
I would strongly oppose automatically using the API server unless the user has explicitly opted in.
A smooth user experience is important imho, e.g. it would be bad if things would not work because the user did not check a box. What about a confirmation of the warning in the installer or a warning page in the browser before the first server access (the second option would also work without the installer)?
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

ryanc
Posts: 147
Joined: Wed Dec 18, 2013 8:10 pm
os: linux

Re: NMControl-Hyperion

Post by ryanc »

If there's SSL support, it should be disabled if using the API server. An *active* confirmation should be obtained before using the API server, and clicking "okay" does not count. Either make them type something in a box to confirm, or provide instructions for where to go in the UI. Make it clear that in addition to logging access, the server could spoof results arbitrarily.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: NMControl-Hyperion

Post by biolizard89 »

ryanc wrote:If there's SSL support, it should be disabled if using the API server. An *active* confirmation should be obtained before using the API server, and clicking "okay" does not count. Either make them type something in a box to confirm, or provide instructions for where to go in the UI. Make it clear that in addition to logging access, the server could spoof results arbitrarily.
+1. It is much worse for someone to get an API server's security properties when they didn't expect it, than for things to not load at all when they didn't expect it.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: NMControl-Hyperion

Post by phelix »

ryanc wrote:If there's SSL support, it should be disabled if using the API server.
why?
biolizard89 wrote:
ryanc wrote:If there's SSL support, it should be disabled if using the API server. An *active* confirmation should be obtained before using the API server, and clicking "okay" does not count. Either make them type something in a box to confirm, or provide instructions for where to go in the UI. Make it clear that in addition to logging access, the server could spoof results arbitrarily.
+1. It is much worse for someone to get an API server's security properties when they didn't expect it, than for things to not load at all when they didn't expect it.
In my eyes you are too paranoid here. What about the DNS servers we advertise? https://wiki.namecoin.info/index.php?ti ... it_domains

If somebody just want's to try things your concerns are not relevant. For privacy you have to download the blockchain (or we have to enable tor in NMControl - btw I tried it already and it was easy, at least without requests).
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: NMControl-Hyperion

Post by biolizard89 »

Who is "we"? I've never seen that wiki page before. https://bit.namecoin.org is, as far as I know, more official than a wiki page, and it currently lists NMControl and FreeSpeechMe (with a side note at the end that you can use 3rd party DNS, and it discusses the security implications). The disclosure of security properties on the wiki page you linked is near-nonexistent, and it would be irresponsible of us to endorse that wiki page as it currently is written.

Bottom line, we can't make assumptions about what our users need in terms of security. In the absence of evidence to the contrary, we should operate under the assumption that our users are not downloading Namecoin solely to "try things", whatever that means; they are downloading Namecoin to use it for browsing websites (some of which may have sensitive content and/or metadata), quite possibly because they've heard that Namecoin has better security/privacy than standard DNS. It is standard practice in the security community to force users to affirmatively demonstrate consent before the software does something unsafe.

(As an aside, we need to clean up the wiki content, for that and other reasons, but I'll save that for another thread.)

On a completely different note, I'm a little bit concerned that features in Hyperion aren't being submitted as PR's to NMControl upstream. That will happen, right?

Cheers.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

Post Reply