Right now, the 2.0 .bit spec allows fingerprints to be specified for SSL/TLS connections, but offers no way to specify that HTTP clients should enforce HTTPS-only connections. As a result, tools like sslstrip can still MITM the websites if the user neglects to type the "https" in the URL bar. The HTTP Strict Transport Security (HSTS) specification attempts to allow servers to specify this, but doesn't protect the initial connection where the HSTS header is sent.
Info on HSTS:
https://en.wikipedia.org/wiki/HTTP_Stri ... t_Security
I propose adding a field to the .bit spec which requires conforming HTTP clients to only make HTTPS connections to the .bit domain. I don't think the exact HSTS syntax (where it specifies a period in seconds for which the header is valid) is necessary in .bit, since the HSTS syntax is assuming that the header can't be checked each time a connection is made. (Namecoin cannot be easily MITMed, while HTTP easily can be.) So how about this syntax:
To enforce HTTPS on a domain:
To not enforce HTTPS (this would be the default):
To enforce HTTPS on a domain and all subdomains:
"enforce-https": "includeSubDomains"
Other suggestions for alternative syntax would be great to hear too.
What do people think of this proposal?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.
Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5
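The following is an added illustration, not code from the post above or from any Namecoin project, of how a conforming HTTP client could consume the proposed field: look up the .bit name record, decide whether HTTPS is mandatory for the requested host (honouring "includeSubDomains" for subdomains), and upgrade the URL before any cleartext request is sent, which is exactly the sslstrip window the post describes. The post only shows the "includeSubDomains" value; the bare-domain form (`true`), the absent-key default, the `d/<label>` name-key mapping and the sample records are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .bit name records (JSON values as they would sit in the
# Namecoin blockchain). Only "includeSubDomains" appears in the original post;
# the bare-domain form (true) and the absent-key default are assumptions.
SAMPLE_RECORDS = {
    "d/example": json.dumps({"ip": "192.0.2.10", "enforce-https": "includeSubDomains"}),
    "d/other":   json.dumps({"ip": "192.0.2.11", "enforce-https": True}),
    "d/plain":   json.dumps({"ip": "192.0.2.12"}),
}


def bit_name_for_host(host):
    """Map a .bit hostname to its Namecoin name key (d/<second-level label>).

    Returns None for anything that is not under .bit.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "bit":
        return None
    return "d/" + labels[-2]


def https_required(record_json, host):
    """Return True if a conforming client must use HTTPS for `host`.

    Policy (assumed, modelled on the proposal):
      * key absent                -> not enforced (the default)
      * value "includeSubDomains" -> enforced for the domain and every subdomain
      * any other truthy value    -> enforced for the bare <name>.bit only
    """
    record = json.loads(record_json)
    policy = record.get("enforce-https")
    if not policy:
        return False
    labels = host.lower().rstrip(".").split(".")
    is_subdomain = len(labels) > 2  # anything deeper than <name>.bit
    if policy == "includeSubDomains":
        return True
    return not is_subdomain


def rewrite_url(url, lookup=SAMPLE_RECORDS.get):
    """Upgrade an http:// URL to https:// when the .bit record demands it.

    `lookup` maps a Namecoin name key to its JSON record; here the constructed
    samples stand in for a real name lookup. Non-.bit hosts, hosts with no
    record and already-HTTPS URLs are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    name = bit_name_for_host(parts.hostname or "")
    record_json = lookup(name) if name else None
    if record_json is None or not https_required(record_json, parts.hostname):
        return url
    # Drop an explicit :80 so the upgraded URL falls back to the HTTPS default
    # port; any other explicit port is kept as-is.
    netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("http://example.bit/login", "http://www.example.bit/",
              "http://www.other.bit/", "http://plain.bit/"):
        print(u, "->", rewrite_url(u))
```

The important design point is that the decision is made from the name record before the first request leaves the client, so there is no cleartext round trip for an attacker to strip, unlike HSTS, which only takes effect after the header has been seen once.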