((In a separate email since my first on Convergence was long))
Now on DNSChain itself.

The authors like to put down other methods that are attempting to secure
the communications to major websites we use today using .com domains,
ensuring that when we want to talk to Facebook, Google, Wikimedia,
Mozilla, EFF, or "that guy over in the corner who can't afford a
certificate from a CA's website" we know we're talking to the website
instead of having to rely on the broken CA system.
So how does DNSChain secure your communication to a .com site without
relying on CA certificates?
Simple, it doesn't.

When visiting .bit sites using DNSChain it looks up the DNS in Namecoin
using Namecoin's standard for the DNS of .bit domains, which includes
the fingerprints of the site for TLS.
So on https://*.bit/ you "can" get a fairly nice secure connection
(assuming you're not being phished and also either running a dnschain
daemon on your local machine or running dnscrypt-proxy on your local
machine and connecting to a server running dnschain you can trust 100%).

When visiting the rest of the web... Well it just proxies whatever
normal public dns you tell it to, ;) which defaults to 8.8.8.8 without
supporting the fallback 8.8.4.4.

Their answer to using the rest of the web is to install the okTurtles
plugin into your browser and encrypt communication PGP style. This of
course assumes that both you and the other party have set up an id/* for
yourself in namecoin presumably through okTurtles and are both using
DNSChain+okTurtles, relies on hardcoded per-site hacks to figure out who
you're talking to (or has you manually enter their namecoin/okTurtles
id), of course will probably bypass any WYSIWYG editor or feature the
site has (otherwise the site could intercept the communication you're
encrypting), and assumes the site you're connecting to (which it hasn't
secured) isn't tricking it into selecting the wrong namecoin user.
As for on the current web making sure you're sending your password to
the right person, no one is intercepting your credit card details, who
you're talking to isn't being tracked by anyone but the site itself,
etc... well okTurtles just leaves that up to the same certificate
authorities they don't trust.


Of course before we go try and set up wikipedia.bit (whoopsie, looks like
someone already swiped it) we'll probably want to support a .onion domain.

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

On 2014-04-29, 10:41 PM, James Salsman wrote:
> Would someone please review this DNS proposal for secure HTTPS?
>
> https://github.com/okTurtles/dnschain
> http://okturtles.com/other/dnschain_okturtles_overview.pdf
> http://okturtles.com/
>
> It is new but it appears to be the most correct secure DNS solution for
> HTTPS security at present. Thank you.
>
> Best regards,
> James Salsman
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
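
As an added illustration of the split described in the reply above (this is example code, not DNSChain's own code and not the real Namecoin d/ record format): .bit names get a certificate fingerprint from a constructed Namecoin-style record that the TLS certificate can be pinned against, while every other name is just forwarded to the upstream resolver and the certificate check falls back to the CA system. The record field names, the sample certificate bytes and the record store are assumptions.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the DER bytes of example.bit's certificate.
GOOD_CERT_DER = b"constructed stand-in for example.bit's DER certificate"

# Constructed Namecoin-style records. The field names are an assumption,
# a simplified stand-in for the real d/ domain spec: an address plus a TLS
# fingerprint, which is what gives a .bit lookup something to pin against.
NAMECOIN_RECORDS = {
    "d/example": json.dumps({"ip": "203.0.113.10",
                             "tls_sha256": sha256_hex(GOOD_CERT_DER)}),
}

UPSTREAM_DNS = "8.8.8.8"  # DNSChain's default for every non-.bit name


def resolve(hostname):
    """Mimic DNSChain's split: Namecoin for .bit, plain upstream DNS otherwise."""
    if hostname.endswith(".bit"):
        # d/ keys hold the second-level label: www.example.bit -> d/example
        label = hostname[:-len(".bit")].split(".")[-1]
        raw = NAMECOIN_RECORDS.get("d/" + label)
        if raw is None:
            return {"source": "namecoin", "ip": None, "pin": None}
        rec = json.loads(raw)
        return {"source": "namecoin", "ip": rec["ip"], "pin": rec.get("tls_sha256")}
    # Anything else is forwarded as ordinary DNS: no fingerprint comes back,
    # so the TLS trust decision is left to the browser's CA store.
    return {"source": UPSTREAM_DNS, "ip": None, "pin": None}


def classify_tls(hostname, der_cert):
    """Return how much the DNS answer lets us verify the presented cert."""
    answer = resolve(hostname)
    if answer["source"] == "namecoin" and answer["ip"] is None:
        return "unresolved"       # no d/ record in Namecoin for this name
    if answer["pin"] is None:
        return "ca-only"          # nothing to pin against; CA system decides
    if sha256_hex(der_cert) == answer["pin"]:
        return "pinned-ok"
    return "pin-mismatch"         # cert does not match the Namecoin fingerprint
```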

