[cryptography] First public DNSChain server went online yesterday!

Greg greg at kinostudios.com
Sat Feb 8 20:20:18 EST 2014


On Feb 8, 2014, at 5:52 PM, Eric Mill <eric at konklone.com> wrote:

> This isn't what I mean - what if someone is MITMing all your connections to the blockchain, so you're being presented with all fake chains, and never have a chance to see the real one? In other words, how is the connection to the blockchain itself secured? Some DNSSEC equivalent?


At the moment, I don't believe that bitcoin (and therefore namecoin) offers new nodes any protection from such an attack.

Simply being a new node is in itself a defense. If you're small fry and nobody knows about your node, why would they bother?

On the other hand, if someone is out to get you, they can definitely give you a fake version of reality with IP-based attacks and traffic redirection/manipulation. This is true for all networks, and might be an inherent property of the idea of a network.

So, the first step to mitigate such a "Matrix-like" attack is to stumble upon a trustworthy node.

In the movie The Matrix, Neo is actually rescued from his reality-bubble.

Speaking of which, what's going on in North Korea right now btw? ;-)

Once you've found a trustworthy node, life becomes a bit simpler. At that point, cryptographic signatures will protect you from lies, but they won't protect you from censorship on a network that you do not own. You can also use your time with your friendly to grab a copy of the "real" blockchain from them (but how do the two of you know that you're not *both* being held in a reality bubble?!? :-P).

That is a problem that cannot be tackled by software (as far as I know).

Other attacks of interest:

https://en.bitcoin.it/wiki/Weaknesses

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Feb 8, 2014, at 5:52 PM, Eric Mill <eric at konklone.com> wrote:

> 
> 
> 
> On Sat, Feb 8, 2014 at 4:38 PM, Natanael <natanael.l at gmail.com> wrote:
> 1: Domains expire unless renewed.
> 
> I did not understand that about Namecoin at all, that is A+.
> 3: The security model of blockchain based systems like Namecoin is that the primary chain has the greatest amount of proof-of-work behind it, and you can't fake the proof-of-work. You can try to isolate a node and provide a fake chain, but the moment the client sees the current main chain it will see it has more proof-of-work behind it and dismiss the previous shorter chain.
> 
> This isn't what I mean - what if someone is MITMing all your connections to the blockchain, so you're being presented with all fake chains, and never have a chance to see the real one? In other words, how is the connection to the blockchain itself secured? Some DNSSEC equivalent?
> 
> -- Eric
> 
> - Sent from my phone
> 
> On 8 Feb 2014 22:19, "Eric Mill" <eric at konklone.com> wrote:
> 
> I just want to be clear on my understanding here. This provides a way to register a .dns or .bit domain, and store your registration of that domain in a blockchain. 
> 
> Then, to guarantee authenticity, you can store a fingerprint of an SSL cert in the blockchain, so that anyone can verify that the person who registered this domain also created this cert.
> 
> Some questions, though the first two may just be about Namecoin:
> 
> * If you lose your "wallet" for your name, is the domain forever and truly inert?
> * Can you transfer your domain to someone else?
> * How do you prevent an attacker from intercepting and modifying your connection to the blockchain itself? What's the security model there?
> 
> I also have a non-trivial suggestion, which is to use JavaScript instead of CoffeeScript. Regardless of the merits of the language, it will discourage participation from Node/JavaScript developers who do not use/know CoffeeScript well (like myself).
> 
> Overall I'm **super** excited about Namecoin and DNSChain, and I've been waiting for someone to connect them through traditional DNS. This is such valuable work, thank you for being a pioneer on this.
> 
> -- Eric
> 
> 
> On Sat, Feb 8, 2014 at 12:53 AM, Greg <greg at kinostudios.com> wrote:
> From README.md on GitHub:
> DNSChain (formerly DNSNMC) makes it possible to be certain that you're communicating with who you want to communicate with, and connecting to the sites that you want to connect to, without anyone secretly listening in on your conversations in between.
> 
> 	• DNSChain "stops the NSA" by fixing HTTPS
> 	• Free SSL certificates
> 	• How to use DNSChain *right now*!
> 		• Don't want to change your DNS settings?
> 	• The '.dns' meta-TLD
> 	• How to run your own DNSChain server
> 		• Requirements
> 		• Getting Started for devs and sys admins
> 	• List of public DNSChain servers
> 	• Contributing
> 		• Style and Process
> 	• TODO
> 	• Release History
> 	• License
> 
> https://github.com/okTurtles/dnschain
> 
> Previous thread was:
> 
> 	Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security
> 
> Cheers,
> Greg
> 
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
> 
> 
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
> 
> 
> 
> 
> -- 
> konklone.com | @konklone
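
The chain-selection rule and the isolation problem discussed in this thread, as an added example that is not part of the original messages or of Bitcoin/Namecoin code: a toy most-proof-of-work selector showing that a node offered only a validly mined fake chain accepts it, and drops it once a single honest peer supplies the heavier chain. The hashing layout, difficulty, record format (`d/example=fp:...`) and all function names are constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64
BITS = 10  # constructed toy difficulty: 10 leading zero bits per block

def block_hash(prev, payload, nonce):
    return hashlib.sha256(f"{prev}|{payload}|{nonce}".encode()).hexdigest()

def meets_target(h, bits):
    return int(h, 16) >> (256 - bits) == 0

def build_chain(payloads, bits=BITS):
    """Mine one block per payload on top of GENESIS."""
    chain, prev = [], GENESIS
    for payload in payloads:
        nonce = 0
        while not meets_target(block_hash(prev, payload, nonce), bits):
            nonce += 1
        chain.append({"prev": prev, "payload": payload, "nonce": nonce})
        prev = block_hash(prev, payload, nonce)
    return chain

def chain_work(chain, bits=BITS):
    """Cumulative expected hashes, or None if a link or proof is invalid."""
    prev, work = GENESIS, 0
    for b in chain:
        h = block_hash(b["prev"], b["payload"], b["nonce"])
        if b["prev"] != prev or not meets_target(h, bits):
            return None
        work, prev = work + 2 ** bits, h
    return work

def select_chain(offers):
    """Pick the valid offered chain with the most proof-of-work."""
    scored = [(chain_work(c), c) for c in offers]
    scored = [(w, c) for w, c in scored if w is not None]
    return max(scored, key=lambda wc: wc[0])[1] if scored else None

def resolve(offers, name):
    """Latest record for `name` in whichever chain the node selects."""
    chain = select_chain(offers) or []
    hits = [b["payload"] for b in chain if b["payload"].startswith(name + "=")]
    return hits[-1].split("=", 1)[1] if hits else None

# Constructed sample chains: the honest network has mined more blocks.
HONEST = build_chain(["d/example=fp:REAL", "tx1", "tx2", "tx3", "tx4"])
FAKE = build_chain(["d/example=fp:FAKE", "tx1"])

if __name__ == "__main__":
    print("eclipsed node sees :", resolve([FAKE], "d/example"))
    print("one honest peer    :", resolve([FAKE, HONEST], "d/example"))
```

Proof-of-work validation rejects a chain whose contents were altered after mining, but it cannot tell the node that a heavier chain exists elsewhere; that depends on reaching at least one honest peer.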
