discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Al Beano <albino AT autistici.org>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Browser extension
- Date: Sat, 30 Sep 2017 08:38:30 +0100
I looked at the APIs previously, and the only answer I could come up with is
"not if you want HTTPS".
See my original mail below.
albino
-------- Original Message --------
From: Al Beano <albino AT autistici.org>
Sent: 17 September 2017 18:57:29 BST
To: discuss AT lists.opennicproject.org
Subject: [opennic-discuss] Browser extension
Hi all,
I've done some digging around the WebExtension API, and I cannot find any way
to resolve OpenNIC names in-browser, including the use of HTTPS.
There are two possible solutions:
1. create an extension which does not allow for HTTPS. Although there is no
CA currently widely in operation on OpenNIC, aditaa is working on one and
there is hope that things could change. Advertising an extension which
doesn't support HTTPS would be conceding defeat.
2. create an extension which does allow for HTTPS, through the use of a proxy
server which we control. This is not ideal either, but I think it is the
better of the two options: users of OpenNIC are already placing trust in the
operators of T1 and T2 servers to answer queries honestly, so if the same
people were operating the proxy server(s), the 'attack vector' for OpenNIC
would remain much the same. This would also mean that the proxy server
operators could choose which CAs to trust — as long as we only trust
genuinely trustworthy CAs this would be a good thing because users wouldn't
see a scary 'Untrusted certificate!' message and use of HTTPS would be a
seamless experience.
The only other potential issue with option 2 is that it could result in high
resource usage, but if a few people contribute small VPSes with ~50mbps
network I don't think there would be any problem.
I'm interested to hear your opinions on this. Is a proxy server acceptable?
Obviously, I'd rather have the plugin support HTTPS 'properly' and if anyone
knows how we might be able to do so, please let me know!
albino
--------------------------
On 30 September 2017 04:36:41 BST, Rouben <rouben AT rouben.net> wrote:
>I wonder if there's an API for Chrome (KHTML) and Firefox (Mozilla) engines to:
>
>- override DNS or proxy (less desirable) settings - this would enable
>lookups of non-OpenNIC domains normally, and OpenNIC domains through
>predetermined DNS servers, or perhaps a web API (don't know if DNS lookups
>are possible from within Chrome/KHTML/Firefox/Mozilla API sandbox)?
>
>- inject root CAs into the browser - again, not sure if that's doable at
>all with any API
>
>So the above two are requirements to do a "proper" or "native"
>implementation of OpenNIC content access. Another way to do it, would be to
>leverage a proxy like http://proxy.opennicproject.org/ - proxy in a bottle
>so to speak.
>
>Third option is to publish our own distribution of a web browser, like the
>Onion Browser project, but that's a bit extreme... unless perhaps we can
>convince the Tor project to modify their browser to use OpenNIC DNS by
>default?
>
>Rouben
>
>On Fri, Sep 29, 2017 at 9:42 PM, Dustin Souers <texnofobix AT gmail.com> wrote:
>
>> Yes they require valid ICANN.
>>
>> I was experimenting with modifying the Let's Encrypt Boulder server, but
>> OpenNIC users would have to trust an OpenNIC CA.
>>
>> On Tue, Sep 26, 2017 at 11:47 AM, Amrit Panesar <neo AT 4195tech.com> wrote:
>>
>>> A long, long, time ago, in a thread, far, far, away,
>>>
>>> I recall discussions about using CAcert
>>>
>>> http://www.cacert.org/
>>>
>>> but I can't recall if they require an ICANN FQDN.
>>>
>>> has anyone tried recently?
>>>
>>>
>>> On Tue, Sep 26, 2017 at 5:08 AM, Al Beano <albino AT autistici.org> wrote:
>>>
>>>> It's definitely a step forward, but there are a couple of issues that,
>>>> imo, mean we shouldn't promote it as an alternative to just changing your
>>>> DNS settings:
>>>>
>>>> * The resolvers are run by an unknown party and we have no idea whether
>>>> they are trustworthy — at least with OpenNIC T2s there is some level of
>>>> accountability
>>>> * HTTPS doesn't work. Even TOFU TLS is better than nothing, and we're
>>>> moving towards a real CA, so this is important.
>>>>
>>>> Maybe we could solve these issues, but I think new/fixed windows/Mac
>>>> apps would be a better idea still.
>>>>
>>>> albino
>>>>
>>>> On 26 September 2017 11:57:49 BST, Jonah Aragon <jonah AT triplebit.net>
>>>> wrote:
>>>> >Wow nice!
>>>> >
>>>> >I’ll test that this afternoon and add it to the wiki if nobody else
>>>> >does.
>>>> >Anyone should be able to edit that site though.
>>>> >
>>>> >Jonah
>>>> >
>>>> >On Mon, Sep 25, 2017 at 11:53 PM Dmitry S. Nikolaev <dn AT mega-net.ru>
>>>> >wrote:
>>>> >
>>>> >> Yes, you are right.
>>>> >>
>>>> >> At this note discussion of the browser extension stopped and new (about
>>>> >> CA) started at tlsca-wg AT lists.opennicproject.org
>>>> >>
>>>> >> If we will continue to talk about browser extension then
>>>> >> https://blockchain-dns.info/ added support of OpenNIC TLDs already:
>>>> >>
>>>> >> >https://github.com/B-DNS/Chrome/issues/3
>>>> >>
>>>> >> and after:
>>>> >>
>>>> >> 1.0.6 (2017-09-18)
>>>> >>
>>>> >> Add support for OpenNIC TLDs <https://wiki.opennic.org/opennic/dot> (.bbs
>>>> >> and others)
>>>> >>
>>>> >> But there is no info at wiki.opennic.org about it yet.
>>>> >>
>>>> >> With best regards, Dmitry S. Nikolaev
>>>> >> virus_net
>>>> >>
>>>> >> On 26.09.2017 05:16, rouben AT rouben.net wrote:
>>>> >>
>>>> >> 0. Browser extension is a brilliant idea, but SSL/TLS is an issue.
>issue.
>>>> >>
>>>> >>
>>>> >>
>>>> >> --------
>>>> >> You are a member of the OpenNIC Discuss list.
>>>> >> You may unsubscribe by emailing
>>>> >> discuss-unsubscribe AT lists.opennicproject.org
>>> --
>>> Amrit Panesar
>>> http://amrit.be
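The split routing discussed in this thread (OpenNIC names through a proxy, everything else resolved normally) can be written as a proxy auto-config function. This is an added example, not code from the thread or from OpenNIC: the proxy address is a hypothetical placeholder, and every TLD other than `.bbs` is an assumed list to check against the OpenNIC wiki. With a plain forward proxy like this, name resolution moves to the proxy but certificate validation for `https://` URLs stays in the browser, which is the HTTPS limitation raised above.

```javascript
// Added example: PAC-style split routing for OpenNIC names.
// PROXY is a hypothetical placeholder, not a real OpenNIC service.
var PROXY = "PROXY opennic-proxy.example:3128";

// ".bbs" is named in the thread; the other entries are an assumed list
// that must be verified against the OpenNIC wiki before use.
var OPENNIC_TLDS = [
  "bbs", "chan", "cyb", "dyn", "geek", "gopher", "indy", "libre",
  "neo", "null", "o", "oss", "oz", "parody", "pirate"
];

// True only when the last label of a multi-label hostname is an OpenNIC TLD.
function isOpenNicHost(host) {
  if (typeof host !== "string" || host.length === 0) return false;
  var h = host.toLowerCase();
  // Accept the fully qualified form "name.bbs." by dropping the root dot.
  if (h.charAt(h.length - 1) === ".") h = h.slice(0, -1);
  // IPv6 and IPv4 literals are never OpenNIC names.
  if (h.indexOf(":") !== -1 || /^\d+(\.\d+){3}$/.test(h)) return false;
  var labels = h.split(".");
  if (labels.length < 2) return false;
  for (var i = 0; i < labels.length; i++) {
    if (labels[i] === "") return false; // reject "a..bbs" and ".bbs"
  }
  return OPENNIC_TLDS.indexOf(labels[labels.length - 1]) !== -1;
}

// Entry point a browser calls for every request when given a PAC script.
function FindProxyForURL(url, host) {
  if (!isOpenNicHost(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // request fails instead of sending the name to the system resolver.
  return PROXY;
}
```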
