Discuss mailing list

[Al Beano <albino AT autistici.org>]

Resending because I don't think it worked properly first time:

Hi all,

I've done some digging around the WebExtension API, and I cannot find any way 
to resolve OpenNIC names in-browser, including the use of HTTPS.

There are two possible solutions:

1. create an extension which does not allow for HTTPS. Although there is no 
CA currently widely in operation on OpenNIC, aditaa is working on one and 
there is hope that things could change. Advertising an extension which 
doesn't support HTTPS would be conceding defeat. 

2. create an extension which does allow for HTTPS, through the use of a proxy 
server which we control. This is not ideal either, but I think it is the 
better of the two options: users of OpenNIC are already placing trust in the 
operators of T1 and T2 servers to answer queries honestly, so if the same 
people were operating the proxy server(s), the 'attack vector' for OpenNIC 
would remain much the same. This would also mean that the proxy server 
operators could choose which CAs to trust — as long as we only trust 
genuinely trustworthy CAs this would be a good thing because users wouldn't 
see a scary 'Untrusted certificate!' message and use of HTTPS would be a 
seamless experience. 

The only other potential issue with option 2 is that it could result in high 
resource usage, but if a few people contribute small VPSes with ~50mbps 
network I don't think there would be any problem. 

I'm interested to hear your opinions on this. Is a proxy server acceptable?

Obviously, I'd rather have the plugin support HTTPS 'properly' and if anyone 
knows how we might be able to so please let me know!

albino