I've just filed a claim for the Bountysource bounty "TLS validation of server cert for .bit": https://www.bountysource.com/issues/263 ... rt-for-bit
If any community members believe that the claim doesn't satisfy the bounty terms, please let us know. The bounty will be paid out on March 18, 2018 if no one raises a dispute.
Bountysource claim: TLS validation of server cert for .bit
-
- Posts: 2001
- Joined: Tue Jun 05, 2012 6:25 am
- os: linux
Re: Bountysource claim: TLS validation of server cert for .bit
If I understand right it is about viewtopic.php?f=5&t=1137
I read all available info but still don't have a full understanding of how this mechanism must work.
Is there more detailed info anywhere?
bitname.ru:
- whois service for .bit: whois.bitname.ru or whois.bitname.bit
- dns servers for .bit: dns1.bitname.ru dns2.bitname.ru or dns1.bitname.bit dns2.bitname.bit
- bit domains statistics
github
Re: Bountysource claim: TLS validation of server cert for .bit
virus_net wrote: ↑Mon Mar 05, 2018 8:37 am
> If I understand right it is about viewtopic.php?f=5&t=1137
> I read all available info but still don't have a full understanding of how this mechanism must work.
> Is there more detailed info anywhere?
Some instructions for setting up a TLS cert for a domain are at https://www.namecoin.org/docs/name-owners/tls/ , and there are a lot of articles at https://www.namecoin.org/news/ about how it works under the hood (grep for "How we’re doing TLS for Chromium" to see one of the more interesting articles).
Let me know if you need any additional info that isn't at either of those links, and I'll try to find the info for you.
Re: Bountysource claim: TLS validation of server cert for .bit
Thanks.
docs/name-owners/tls I read before, but this is info only for end users.
It would be nice to put a link there to the "How we’re doing TLS for Chromium" news article. It's more interesting for those who want to understand how it works.
Also, there is no info about the HPKP header:
> The HTTP header syntax is 'Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]'.
This is the first time I have heard about HPKP. This is strange for me, because not so long ago I was writing a CA + RA for SSL with a web interface, and I used Google a lot to find more info about SSL.
Since that time, SSL looks to me like a BIG crutch, because of the many, many problems that it has. After I finished the CA + RA project my brain was completely out, and my opinion that SSL is a BIG BIG crutch only became stronger.
It's like IPv6. Everywhere, everyone tells you to move to IPv6, but IPv6 still has many security holes in it and doesn't have full support on much of the hardware. Many people know about it, but no one does anything about it.
I searched a little about HPKP and saw news that Google wants to delete HPKP support from Chrome in May 2018 (when Chrome 67 comes or a little bit later), and it's still not supported in many browsers.
Re: Bountysource claim: TLS validation of server cert for .bit
That's a good point, we probably should make those news articles a bit more prominently linked.
If you're curious, the code we use to add the HPKP pin to Chromium is at https://github.com/namecoin/ncdns/blob/ ... ol/main.go (it uses the library at https://github.com/namecoin/ncdns/blob/ ... hromium.go ).
virus_net wrote: ↑Wed Mar 07, 2018 6:45 am
> I searched a little about HPKP and saw news that Google wants to delete HPKP support from Chrome in May 2018 (when Chrome 67 comes or a little bit later), and it's still not supported in many browsers.
Yes, that's correct. Last I checked, Firefox is considering deprecating HPKP as well. I think there are some other things we can do to achieve similar effects as HPKP (for our purposes, at least) once Chromium removes HPKP. On CryptoAPI, it looks like Enterprise Certificate Pinning might be a good option; on NSS, it looks like name constraints might be a good option. ECP and name constraints both have the advantage of not being tied to a particular browser. It'll take some significant work to actually add that functionality though.
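Added example, not part of the thread and not code from ncdns: how a `pin-sha256` value for the header syntax quoted above is derived from a certificate (base64 of the SHA-256 of the DER SubjectPublicKeyInfo, per RFC 7469). It shows that the pin follows the key rather than the certificate, so a reissued certificate on the same key keeps its pin. The name `example.bit`, the P-256 keys, the `max-age` value and all function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns base64(SHA-256(DER SubjectPublicKeyInfo)): the pin-sha256 value.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinsHeader formats the quoted header syntax; RFC 7469 expects a backup pin outside the chain.
func PinsHeader(pin, backup string, maxAge int) string {
	return fmt.Sprintf(`pin-sha256="%s"; pin-sha256="%s"; max-age=%d`, pin, backup, maxAge)
}

// must panics on error; enough for a demo that only touches local crypto.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey returns a fresh P-256 key pair.
func NewKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// SelfSigned issues a constructed throwaway certificate for the hypothetical name example.bit.
func SelfSigned(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{"example.bit"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	live, spare := SelfSigned(NewKey(), 1), SelfSigned(NewKey(), 2)
	fmt.Println("Public-Key-Pins:", PinsHeader(SPKIPin(live), SPKIPin(spare), 5184000))
}
```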
Re: Bountysource claim: TLS validation of server cert for .bit
Thanks for the info. Of course I'm curious
Re: Bountysource claim: TLS validation of server cert for .bit
Bounty awarded. However, since NMDF covered this work, I donated the Bountysource bounty back to the Namecoin Bountysource account.