Author Topic: How to access .p2p sites? Is there easier ways?  (Read 3602 times)


Offline puppies

Couldn't you just allow self signed certificates as long as they are signed with the same key that owns the domain?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline Thom

I know Derrick implemented a Firefox plugin to surf .bit domains registered thru the Namecoin blockchain, but I don't think that's very convenient to most users either.

Interesting. Is there somewhere I could find out more about this? Does it modify the behavior of SSL certificate verification?

Google .bit namecoin meowbit
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline arhag

I know Derrick implemented a Firefox plugin to surf .bit domains registered thru the Namecoin blockchain, but I don't think that's very convenient to most users either.

Interesting. Is there somewhere I could find out more about this? Does it modify the behavior of SSL certificate verification?

Even then, it's not the greatest solution. I would want to be able to use Chrome as well. Better yet, any browser should ideally work without any plugins.

On a Windows system, what about a new network protocol layer? If it were just another layer in the TCP/IP stack the name could be resolved by either DNS as it is now OR thru a btsDNS service.

The problem isn't resolving a domain name to an IP address. We can do that easily. The problem is protecting against man-in-the-middle attacks (which is the biggest advantage of using blockchain technology for domain names). You have to assume that any connection to a server will be hijacked (even when you have the correct IP address). The way to protect against this is by the browser warning the user if there is an authentication problem with the server's certificate sent over the end-to-end encrypted connection. If there is an authentication problem, that means there could be an adversary positioned in between the connection between the browser and server trying to listen in on (and even modify) the data passing through the connection, or alternatively the entity on the other end is the adversary itself. Furthermore, you really want to rely on the browser's built-in mechanism of SSL certificate validation to provide the protection against these attacks because they have nice user interfaces built to warn the user if this is happening and also the browser won't bother loading the page at all if this happens (this is especially important when you realize that the NSA has used this technique to deliver a malicious web page that exploited a vulnerability in Firefox just by loading the page). This is why I think a local HTTP proxy is necessary that dynamically rewrites the SSL certificate to be signed by a local trusted root certificate (the only one installed on the computer).
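An added example, not part of the post above and not code from any BitShares or DNSChain project: the check a local rewriting proxy of the kind described would need to make before re-signing an upstream certificate with the local root. It assumes a hypothetical name record that publishes SHA-256 certificate fingerprints for each .p2p domain; the record layout, `proxy_decision`, and all sample bytes are constructed for illustration.

```python
import hashlib
import hmac


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def proxy_decision(hostname, presented_der, name_records):
    """Decide what the local proxy does with the certificate a server sent.

    name_records is a hypothetical local view of the blockchain registry:
    domain -> list of fingerprints published by the domain's owner.
    Returns (action, reason); action is "resign" or "block".
    """
    host = hostname.lower().rstrip(".")
    pins = name_records.get(host)
    if not pins:
        # Fail closed: with no published key there is nothing to
        # authenticate the server against, so never re-sign.
        return ("block", "no fingerprint published for " + host)
    seen = cert_fingerprint(presented_der).encode()
    for pin in pins:
        # Accept "AA:BB:..." or plain hex; compare in constant time.
        normalized = pin.replace(":", "").lower().encode()
        if hmac.compare_digest(normalized, seen):
            return ("resign", "certificate matches published fingerprint")
    # Correct IP address, wrong certificate: treat as a hijacked connection.
    return ("block", "certificate does not match any published fingerprint")


# Constructed stand-ins for DER certificates (not real certificates).
SERVER_CERT = b"constructed-der-bytes-for-the-real-server"
MITM_CERT = b"constructed-der-bytes-for-an-interceptor"

# Constructed registry; the second pin shows a rotated key in colon format.
NAME_RECORDS = {
    "example.p2p": [
        cert_fingerprint(SERVER_CERT),
        ":".join(["AB"] * 32),
    ],
}

if __name__ == "__main__":
    for cert in (SERVER_CERT, MITM_CERT):
        print(proxy_decision("example.p2p", cert, NAME_RECORDS))
    print(proxy_decision("unknown.p2p", SERVER_CERT, NAME_RECORDS))
```

Only a "resign" result would lead the proxy to issue a certificate under the local root; on "block" the browser gets no valid certificate and shows its own warning.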

Offline Thom

I know Derrick implemented a Firefox plugin to surf .bit domains registered thru the Namecoin blockchain, but I don't think that's very convenient to most users either.

On a Windows system, what about a new network protocol layer? If it were just another layer in the TCP/IP stack the name could be resolved by either DNS as it is now OR thru a btsDNS service.
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline arhag

I've read what I can find about DNSChain and okTurtles, and it does not appear to be a proper solution for secured website access without man-in-the-middle attacks [1]. What am I missing? I still haven't seen a response for what the proposed plan is to actually provide secure access to .p2p websites using regular browsers (although I have made a suggestion on how it can be done with HTTP proxies that do man-in-the-middle dynamic SSL rewriting).

[1] With the dnscrypt-proxy daemon running on the local machine (apparently that means it doesn't work on mobile devices?) you can get a secure connection to the DNSChain server that you trust (ideally it would be running locally if possible). But that just gives you an IP address. It does not appear to provide SSL certificate validation in any way. The okTurtles extension doesn't do anything to help with this either. It is just a mechanism that makes encrypted/authenticated messaging easier in web browsers (you could achieve the same thing less conveniently, but far more securely, in a separate program and just copy/paste text between the two). Besides, if you depend on JavaScript to secure your connection you have already lost (a man-in-the-middle will feed nefarious JavaScript code into the page to intentionally screw with okTurtles). The page needs to be secured at the SSL certificate level. The .dns meta-TLD and RESTful API is a clever way of letting the website access public data in the blockchain to get information related to KeyID for example, but you should remember that it ultimately requires trusting the server operator (meaning don't type sensitive plain-text data into the web page at all, and don't ever expose private keys through any API to the web page).
« Last Edit: October 01, 2014, 05:31:42 pm by arhag »

Offline toast

The best so far is a one-time install of keyID setting your dns servers.

Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline roadscape

Anyone could set up a 'clearnet' domain. So WHATEVER.p2p could also be accessed through WHATEVER.btsdns.com.
http://cryptofresh.com  |  witness: roadscape

Offline clayop

As Bitshares wiki states,

"You can view pages on the .p2p namespace without any installation or configuration by using a centralized proxy like [1]. To use .p2p like a normal TLD, you need to configure your browser to point to a DNSchain node, or install a browser extension like okTurtles."

http://wiki.bitshares.org/index.php/.p2p_(BitShares_DNS)#How_do_I_view_.p2p_websites.3F

Users have to do something to surf .p2p sites. But it would be a tough job for lay people like my mom and dad. Is there a more comfortable way to access .p2p sites for normal users?
Bitshares Korea - http://www.bitshares.kr
Vote for me and see Korean Bitshares community grows
delegate-clayop