Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Browser extension

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Browser extension


Chronological Thread 
  • From: "Dmitry S. Nikolaev" <dn AT mega-net.ru>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Browser extension
  • Date: Mon, 18 Sep 2017 06:50:13 +0300
  • Organization: OOO Meganet-2003

Hi.

About  option 1: I can`t say anything yet because I need to investigate by myself too.

About option 2: I can say that you right and opennic need of something like startssl.com. Own CA with web-iface to obtain SSL cert for opennic users and domains.
Proxy may be an option but we still need to think about another ways.

With best regards, Dmitry S. Nikolaev

Moscow, Russia
phone: +7 (499) 678 8007 [ext. 6003]
fax: +7 (499) 678 8007 [ext. 7777]
www: http://www.mega-net.ru
mail: dnikolaev AT mega-net.ru
SIP URI: dnikolaev AT sip.mega-net.ru || dn AT sip.mega-net.ru
On 17.09.2017 11:25, Al Beano wrote:
Hi all,

I've done some digging around the WebExtension API, and I cannot find any way to resolve OpenNIC names in-browser, including the use of HTTPS.

There are two possible solutions:

1. create an extension which does not allow for HTTPS. Although there is no CA currently widely in operation on OpenNIC, aditaa is working on one and there is hope that things could change. Advertising an extension which doesn't support HTTPS would be conceding defeat. 

2. create an extension which does allow for HTTPS, through the use of a proxy server which we control. This is not ideal either, but I think it is the better of the two options: users of OpenNIC are already placing trust in the operators of T1 and T2 servers to answer queries honestly, so if the same people were operating the proxy server(s), the 'attack vector' for OpenNIC would remain much the same. This would also mean that the proxy server operators could choose which CAs to trust — as long as we only trust genuinely trustworthy CAs this would be a good thing because users wouldn't see a scary 'Untrusted certificate!' message and use of HTTPS would be a seamless experience. 

The only other potential issue with option 2 is that it could result in high resource usage, but if a few people contribute small VPSes with ~50mbps network I don't think there would be any problem. 

I'm interested to hear your opinions on this. Is a proxy server acceptable?

Obviously, I'd rather have the plugin support HTTPS 'properly' and if anyone knows how we might be able to so please let me know!

albino



--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org




Archive powered by MHonArc 2.6.19.

Top of Page