Peer-to-Peer DNS Resolution and TLS Authentication that Newbies Can Use


Dec 3, 2013 (3 years and 8 months ago)


Jeremy Rand

Problems Being Addressed

DNS hijacking is a serious threat.

TLS Certificate Authorities are increasingly being compromised.

DNS is being used by authoritarian regimes for censorship and surveillance.

DNSSEC Is Not a Solution

DNSSEC attempts to make all DNS data signed.

With DNSSEC, anyone controlling a top-level domain has the ability to hijack DNS and TLS.

This includes governments like Iran.

Does nothing to counter censorship/surveillance.

Perspective Verification Is Not a Solution

Perspective Verification checks with trusted third parties to see if they see the same certificates.

This only has strong security when the user knows of many competent, trusted organizations who cannot have their own connections compromised. (Insufficient.)

Does nothing to counter censorship/surveillance.

Onion Routing (By Itself) Is Not a Solution

Onion Routing uses layered encryption to hide traffic origin and destination from network observers.

DNS can still be hijacked by an exit relay.

TLS certificates can still be forged if a certificate authority has been compromised.

Does counter censorship/surveillance.

Namecoin

Uses a Nakamoto blockchain (same data structure as Bitcoin) to store name/value pairs.

Can only be hijacked or censored by a malicious majority of computing power on the network.

Merged mining with Bitcoin makes this attack extremely expensive, as users are awarded Bitcoin currency for protecting the Namecoin network.

Effectively counters surveillance for users reading name/value pairs.

First proposed application was a secure peer-to-peer DNS system (mapping domain names to IP addresses).

Also proposed embedding TLS fingerprints for domains in the blockchain.

Problems with Namecoin

Public DNS servers are easy to use but offer no security advantage over standard DNS.

Using the Namecoin daemon with a local DNS server or SOCKS proxy is possible (and secure) but difficult to set up. (My grandmother needs to be able to use it.)

No working implementations at all for TLS certificate verification.

Our Solution

Moxie Marlinspike has developed Convergence, a JavaScript-based HTTPS proxy (packaged as a Firefox extension) with the ability to verify TLS certificates via “notary servers” instead of Certificate Authorities.

We have repurposed Convergence to verify TLS certificates for Namecoin domains against the Namecoin blockchain (code currently on GitHub).

We have also modified Convergence to resolve Namecoin domains to IPv4 addresses (code currently on GitHub).

This allows secure browsing of Namecoin domains with TLS authentication (no Certificate Authorities) and no leakage of DNS requests, in an easy-to-install package.
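
An added example (not code from Convergence or from the author's modifications) of the check described above: map a .bit host to its name, read the IPv4 address and pinned fingerprints from the name's value, and accept a certificate only if its digest is pinned. The "d/" name prefix, the "ip" and "fingerprint" fields, the use of SHA-256, and all sample data are assumptions of this example.

```javascript
// Added example, not Convergence code. The "d/" prefix, the "ip" and
// "fingerprint" fields, and SHA-256 are assumptions of this example.
const crypto = require('crypto');

// Map "example.bit" to the name "d/example". Subdomains are rejected,
// matching the scope on the slides (subdomains not yet supported).
function bitDomainToName(host) {
  const m = /^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?)\.bit\.?$/.exec(host.toLowerCase());
  if (!m) throw new Error('not a second-level .bit domain: ' + host);
  return 'd/' + m[1];
}

// Normalize "AA:BB:..." or "aabb..." to 64 lowercase hex digits.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[:\s]/g, '').toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) throw new Error('malformed fingerprint');
  return hex;
}

// Parse a name's JSON value into { ip, fingerprints } (IPv4 only).
function parseRecord(valueJson) {
  const rec = JSON.parse(valueJson);
  const octets = typeof rec.ip === 'string' ? rec.ip.split('.') : [];
  const okIp = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!okIp) throw new Error('record has no valid IPv4 address');
  const list = Array.isArray(rec.fingerprint) ? rec.fingerprint : [];
  return { ip: rec.ip, fingerprints: list.map(normalizeFingerprint) };
}

// Accept a certificate only if its SHA-256 digest is pinned in the record.
// A record with no fingerprints fails closed.
function verifyCertificate(certDer, record) {
  const seen = crypto.createHash('sha256').update(certDer).digest();
  return record.fingerprints.some(fp => {
    const pinned = Buffer.from(fp, 'hex');
    return pinned.length === seen.length && crypto.timingSafeEqual(pinned, seen);
  });
}

// Constructed sample data: placeholder bytes stand in for DER certificates.
const goodCert = Buffer.from('constructed-certificate-for-example.bit');
const forgedCert = Buffer.from('constructed-certificate-from-elsewhere');
const pin = crypto.createHash('sha256').update(goodCert).digest('hex')
  .toUpperCase().match(/../g).join(':');
const sampleValue = JSON.stringify({ ip: '192.0.2.10', fingerprint: [pin] });
const record = parseRecord(sampleValue);
console.log(bitDomainToName('example.bit'), record.ip,
  verifyCertificate(goodCert, record), verifyCertificate(forgedCert, record));
```

Because the pin comes from the name's value rather than from a Certificate Authority, a certificate that chains to a trusted CA but is not pinned is still rejected.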

Drawbacks

Websites must support Namecoin by registering a name/value pair in the blockchain. (Very cheap right now, but not as user-friendly as we would like.)

Domain squatting is an issue right now due to overly cheap name/value pairs. (The Namecoin developers are working on a fix.)

If you lose your private keys, you lose your domain. (Inherent to a secure design.)

Only Firefox is supported right now. (It might be possible to allow other apps to connect through the Firefox-executed proxy.)

Dependencies: two pieces of Namecoin software (namecoind and nmcontrol) must be pre-installed. (It might be possible to bundle these apps with the Firefox extension.)

Proxy support for non-HTTPS sites is broken. (Probably fixable in the future.)

Cannot be used with Tor due to broken proxy support. (See previous.)

Subdomains are broken right now. (Easy to fix; in progress now.)

IPv4 only right now. (IPv6, Onion, I2P, and Freenet support are in development.)

Blockchain data is not cached within Firefox, so Namecoin-enabled pages load slightly slower. (Probably fixable in the future.)

The Problem

[Diagram: Alice, DNS, Website] DNS can redirect to fraudulent website, block website, and/or log the request. (Images courtesy Windows, kyo-tux)

[Screenshot] Registering a Namecoin domain (courtesy snailbrain)

[Screenshot] Setting up Firefox for Namecoin TLS Verification

[Screenshot] An HTTPS Namecoin-enabled website verified against the blockchain.

Acknowledgements

Moxie Marlinspike for Convergence

itsnotlupus for adding TLS to the Namecoin DNS specification

khal for nmcontrol

vinced and khal for namecoind

snailbrain for Namecoin-Qt

This work was funded by phelix and the Namecoin Marketing and Development Fund.

Contacting Me

https://veclabs.wordpress.com/

Get the Code

https://github.com/JeremyRand/Convergence/

Namecoin Website

http://www.dot-bit.org/