Re: [cryptography] First public DNSChain server went online yesterday!
DNSChain 0.0.1 was just released and published to NPM! You can now use NPM to install it on servers. :-)

https://npmjs.org/package/dnschain

Next up: response signing (and more!).

Cheers!
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

signature.asc
Description: Message signed with OpenPGP using GPGMail

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] First public DNSChain server went online yesterday!
I just want to be clear on my understanding here. This provides a way to register a .dns or .bit domain, and store your registration of that domain in a blockchain. Then, to guarantee authenticity, you can store a fingerprint of an SSL cert in the blockchain, so that anyone can verify that the person who registered this domain also created this cert.

Some questions, though the first two may just be about Namecoin:

* If you lose your wallet for your name, is the domain forever and truly inert?
* Can you transfer your domain to someone else?
* How do you prevent an attacker from intercepting and modifying your connection to the blockchain itself? What's the security model there?

I also have a non-trivial suggestion, which is to use JavaScript instead of CoffeeScript. Regardless of the merits of the language, it will discourage participation from Node/JavaScript developers who do not use/know CoffeeScript well (like myself).

Overall I'm **super** excited about Namecoin and DNSChain, and I've been waiting for someone to connect them through traditional DNS. This is such valuable work, thank you for being a pioneer on this.

-- Eric

On Sat, Feb 8, 2014 at 12:53 AM, Greg g...@kinostudios.com wrote:

> From README.md on GitHub:
>
> DNSChain (formerly DNSNMC) makes it possible to be certain that you're communicating with who you want to communicate with, and connecting to the sites that you want to connect to, *without anyone secretly listening in on your conversations in between.*
>
> * DNSChain stops the NSA by fixing HTTPS
> * Free SSL certificates
> * How to use DNSChain *right now*!
> * Don't want to change your DNS settings?
> * The '.dns' meta-TLD
> * How to run your own DNSChain server
> * Requirements
> * Getting Started for devs and sys admins
> * List of public DNSChain servers
> * Contributing
> * Style and Process
> * TODO
> * Release History
> * License
>
> https://github.com/okTurtles/dnschain
>
> Previous thread was: Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security
>
> Cheers,
> Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.

--
konklone.com | @konklone https://twitter.com/konklone
Re: [cryptography] First public DNSChain server went online yesterday!
1: Domains expire unless renewed.

2: Transfers are possible.

3: The security model of blockchain based systems like Namecoin is that the primary chain had the greatest amount of proof-of-work behind it, and you can't fake the proof-of-work. You can try to isolate a node and provide a fake chain, but the moment the client sees the current main chain it will see it has more proof-of-work behind it and dismiss the previous shorter chain.

- Sent from my phone

On 8 Feb 2014 22:19, Eric Mill e...@konklone.com wrote:

> I just want to be clear on my understanding here. This provides a way to register a .dns or .bit domain, and store your registration of that domain in a blockchain. Then, to guarantee authenticity, you can store a fingerprint of an SSL cert in the blockchain, so that anyone can verify that the person who registered this domain also created this cert.
>
> Some questions, though the first two may just be about Namecoin:
>
> * If you lose your wallet for your name, is the domain forever and truly inert?
> * Can you transfer your domain to someone else?
> * How do you prevent an attacker from intercepting and modifying your connection to the blockchain itself? What's the security model there?
>
> I also have a non-trivial suggestion, which is to use JavaScript instead of CoffeeScript. Regardless of the merits of the language, it will discourage participation from Node/JavaScript developers who do not use/know CoffeeScript well (like myself).
>
> Overall I'm **super** excited about Namecoin and DNSChain, and I've been waiting for someone to connect them through traditional DNS. This is such valuable work, thank you for being a pioneer on this.
Re: [cryptography] First public DNSChain server went online yesterday!
On Feb 8, 2014, at 3:18 PM, Eric Mill e...@konklone.com wrote:

> I just want to be clear on my understanding here. This provides a way to register a .dns or .bit domain, and store your registration of that domain in a blockchain.

Not quite.

1) *.dns is a meta-TLD. You cannot register meta-TLDs. You own them already. There is therefore no need to register them. There might exist other terms for this concept, but I wasn't aware of them.

2) *.bit is a regular TLD. You can register them, but at the moment DNSChain has nothing to do with registering them. That is done with namecoind. In the future, it will probably be possible to register .bit domains through DNSChain, and do other blockchain updates as well.

> Some questions, though the first two may just be about Namecoin:

I think Eric did a good job of answering your 3 questions here.

> I also have a non-trivial suggestion, which is to use JavaScript instead of CoffeeScript. Regardless of the merits of the language, it will discourage participation from Node/JavaScript developers who do not use/know CoffeeScript well (like myself).

Eric, trust me on this (I know, who the heck am I?), but really, if you know JavaScript well, learning CoffeeScript might take you about one day, and you will never look back. :-)

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
Re: [cryptography] First public DNSChain server went online yesterday!
> Overall I'm **super** excited about Namecoin and DNSChain, and I've been waiting for someone to connect them through traditional DNS. This is such valuable work, thank you for being a pioneer on this.

Thanks, btw, for your kind words, they are really appreciated. I get a lot of flack sometimes (for some reason, maybe my personality and way of communicating; a character flaw), and a bone thrown my way every now and then helps. :-)

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
Re: [cryptography] First public DNSChain server went online yesterday!
On Feb 8, 2014, at 4:20 PM, Greg g...@kinostudios.com wrote:

> > Some questions, though the first two may just be about Namecoin:
>
> I think Eric did a good job of answering your 3 questions here.

Sorry Natanael, I mean you did a good job of answering his questions. Brainfart.

-g

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
Re: [cryptography] First public DNSChain server went online yesterday!
> Not quite.
>
> 1) *.dns is a meta-TLD. You cannot register meta-TLDs. You own them already. There is therefore no need to register them. There might exist other terms for this concept, but I wasn't aware of them.

Okay, the explanation you updated helps: https://github.com/okTurtles/dnschain#the-dns-meta-tld

> > I also have a non-trivial suggestion, which is to use JavaScript instead of CoffeeScript. Regardless of the merits of the language, it will discourage participation from Node/JavaScript developers who do not use/know CoffeeScript well (like myself).
>
> Eric, trust me on this (I know, who the heck am I?), but really, if you know JavaScript well, learning CoffeeScript might take you about one day, and you will never look back. :-)

I've been doing JavaScript (and Ruby and Python and lots of other languages) for a long time, and while CoffeeScript has some good justifications and has been successful enough, I'm confident in my own assessment.

That said, my suggestion is made purely as a practical matter - CoffeeScript requires people to understand two languages, JavaScript one. For this reason, even if I preferred HAML http://haml.info/ for templates (which I did, once), I would only use it for a project that only I was developing. For a team or public project, I'd get fewer people who can just jump right in, so I would stick with straight HTML and an ERB/EJS-type templating system.

-- Eric

> Cheers,
> Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.

--
konklone.com | @konklone https://twitter.com/konklone
Re: [cryptography] First public DNSChain server went online yesterday!
On Feb 8, 2014, at 5:52 PM, Eric Mill e...@konklone.com wrote:

> This isn't what I mean - what if someone is MITMing all your connections to the blockchain, so you're being presented with all fake chains, and never have a chance to see the real one? In other words, how is the connection to the blockchain itself secured? Some DNSSEC equivalent?

At the moment, I don't believe that bitcoin (and therefore namecoin), offer new nodes any protection from such an attack. Simply being a new node is in itself a defense. If you're small fry and nobody knows about your node, why would they bother?

On the other hand, if someone is out to get you, they can definitely give you a fake version of reality with IP-based attacks and traffic redirection/manipulation. This is true for all networks, and might be an inherent property of the idea of a network.

So, the first step to mitigate such a Matrix-like attack, is to stumble upon a trustworthy node. In the movie The Matrix, Neo is actually rescued from his reality-bubble. Speaking of which, what's going on in North Korea right now btw? ;-)

Once you've found a trustworthy node, life becomes a bit simpler. At that point, cryptographic signatures will protect you from lies, but they won't protect you from censorship on a network that you do not own.

You can also use your time with your friendly to grab a copy of the real blockchain from them (but how do the two of you know that you're not *both* being held in a reality bubble?!? :-P). That is a problem that cannot be tackled by software (as far as I know).

Other attacks of interest: https://en.bitcoin.it/wiki/Weaknesses

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Feb 8, 2014, at 5:52 PM, Eric Mill e...@konklone.com wrote:

> On Sat, Feb 8, 2014 at 4:38 PM, Natanael natanae...@gmail.com wrote:
>
> > 1: Domains expire unless renewed.
>
> I did not understand that about Namecoin at all, that is A+.
>
> > 3: The security model of blockchain based systems like Namecoin is that the primary chain had the greatest amount of proof-of-work behind it, and you can't fake the proof-of-work. You can try to isolate a node and provide a fake chain, but the moment the client sees the current main chain it will see it has more proof-of-work behind it and dismiss the previous shorter chain.
>
> This isn't what I mean - what if someone is MITMing all your connections to the blockchain, so you're being presented with all fake chains, and never have a chance to see the real one? In other words, how is the connection to the blockchain itself secured? Some DNSSEC equivalent?
>
> -- Eric
>
> > - Sent from my phone
> >
> > On 8 Feb 2014 22:19, Eric Mill e...@konklone.com wrote:
> >
> > > I just want to be clear on my understanding here. This provides a way to register a .dns or .bit domain, and store your registration of that domain in a blockchain. Then, to guarantee authenticity, you can store a fingerprint of an SSL cert in the blockchain, so that anyone can verify that the person who registered this domain also created this cert.
> > >
> > > Some questions, though the first two may just be about Namecoin:
> > >
> > > * If you lose your wallet for your name, is the domain forever and truly inert?
> > > * Can you transfer your domain to someone else?
> > > * How do you prevent an attacker from intercepting and modifying your connection to the blockchain itself? What's the security model there?
> > >
> > > I also have a non-trivial suggestion, which is to use JavaScript instead of CoffeeScript. Regardless of the merits of the language, it will discourage participation from Node/JavaScript developers who do not use/know CoffeeScript well (like myself).
> > >
> > > Overall I'm **super** excited about Namecoin and DNSChain, and I've been waiting for someone to connect them through traditional DNS. This is such valuable work, thank you for being a pioneer on this.
Re: [cryptography] First public DNSChain server went online yesterday!
One more thought:

Let's take the case where you already have a portion of the blockchain downloaded. Let's say that at time A you had a complete copy of it. At time B > A, the NSA decides to not like you and encloses your DNSChain server in a Matrix (I bet they'll even use that term).

Bitcoin itself already has some signature checking for transactions and blocks. The NSA won't be able to convince your server that your friend id/jon is someone else. His records can only be modified by himself, because he holds the private key with which he signs his transactions. They would only be able to censor new information, and feed you false data about things that didn't exist after time B.

So, in this way, new nodes are protected by obscurity, and old nodes are protected by a good memory. ;-)

Censorship is a problem that DNSChain doesn't tackle directly. It tackles authentication.

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Feb 8, 2014, at 7:20 PM, Greg g...@kinostudios.com wrote:

> On Feb 8, 2014, at 5:52 PM, Eric Mill e...@konklone.com wrote:
>
> > This isn't what I mean - what if someone is MITMing all your connections to the blockchain, so you're being presented with all fake chains, and never have a chance to see the real one? In other words, how is the connection to the blockchain itself secured? Some DNSSEC equivalent?
>
> At the moment, I don't believe that bitcoin (and therefore namecoin), offer new nodes any protection from such an attack. Simply being a new node is in itself a defense. If you're small fry and nobody knows about your node, why would they bother?
>
> On the other hand, if someone is out to get you, they can definitely give you a fake version of reality with IP-based attacks and traffic redirection/manipulation. This is true for all networks, and might be an inherent property of the idea of a network.
>
> So, the first step to mitigate such a Matrix-like attack, is to stumble upon a trustworthy node. In the movie The Matrix, Neo is actually rescued from his reality-bubble. Speaking of which, what's going on in North Korea right now btw? ;-)
>
> Once you've found a trustworthy node, life becomes a bit simpler. At that point, cryptographic signatures will protect you from lies, but they won't protect you from censorship on a network that you do not own.
>
> You can also use your time with your friendly to grab a copy of the real blockchain from them (but how do the two of you know that you're not *both* being held in a reality bubble?!? :-P). That is a problem that cannot be tackled by software (as far as I know).
>
> Other attacks of interest: https://en.bitcoin.it/wiki/Weaknesses
>
> Cheers,
> Greg
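
Added example, not part of the thread and not DNSChain or Namecoin code: a toy JavaScript model of the most-proof-of-work rule from Natanael's point 3 and of the isolation case Eric and Greg discuss. It shows a new node that is shown only a fake chain adopting it until it sees the main chain, while a node that already holds a heavier stretch of the main chain keeps its copy. The block layout, the DIFFICULTY value and all function names are constructed for illustration.

```javascript
// Toy model (constructed for illustration; not DNSChain or Namecoin code).
const { createHash } = require('crypto');

const DIFFICULTY = 2; // assumed: leading zero hex digits a block hash needs
const GENESIS = { prev: '', data: 'genesis', nonce: 0 };

function hashBlock(b) {
  return createHash('sha256').update(`${b.prev}|${b.data}|${b.nonce}`).digest('hex');
}

// Toy proof-of-work: search for a nonce whose hash meets the difficulty.
function mine(prev, data) {
  const b = { prev, data, nonce: 0 };
  while (!hashBlock(b).startsWith('0'.repeat(DIFFICULTY))) b.nonce++;
  return b;
}

function buildChain(records) {
  const chain = [GENESIS];
  for (const r of records) chain.push(mine(hashBlock(chain[chain.length - 1]), r));
  return chain;
}

// Cumulative work of a chain, or -1 if a hash link or proof-of-work is invalid.
function chainWork(chain) {
  if (!chain.length || hashBlock(chain[0]) !== hashBlock(GENESIS)) return -1;
  let work = 0;
  for (let i = 1; i < chain.length; i++) {
    if (chain[i].prev !== hashBlock(chain[i - 1])) return -1;
    if (!hashBlock(chain[i]).startsWith('0'.repeat(DIFFICULTY))) return -1;
    work += 16 ** DIFFICULTY; // expected number of hashes spent on this block
  }
  return work;
}

// A node keeps whichever valid chain carries more cumulative work.
function consider(current, candidate) {
  return chainWork(candidate) > chainWork(current) ? candidate : current;
}

const mainChain = buildChain(['a', 'b', 'c', 'd', 'e']); // constructed records
const fakeChain = buildChain(['x', 'y']);                // less work behind it

// New node that is only ever shown the fake chain: it has nothing better.
const freshIsolated = consider([GENESIS], fakeChain);
// The moment any peer shows it the main chain, the fake one is dismissed.
const freshReconnected = consider(freshIsolated, mainChain);
// Node that had synced the main chain up to 'c' before being isolated.
const veteran = consider(mainChain.slice(0, 4), fakeChain);

console.log(freshIsolated === fakeChain, freshReconnected === mainChain, veteran.length);
```

The rule only compares the chains a node has actually been shown, which is why the isolated new node has no way to notice the substitution on its own.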