[opennic-discuss] OpenNIC Browser Extension & Future of OpenNIC and SSL, Convergence
- From: William Grieshaber <vanguardit AT vanguardit.services>
- To: discuss AT lists.opennicproject.org
- Subject: [opennic-discuss] OpenNIC Browser Extension & Future of OpenNIC and SSL, Convergence
- Date: Thu, 28 Jan 2021 01:51:32 -0600
I think OpenNIC & peers could benefit from an open-source extension that fetches DoH and DoT enabled OpenNIC nodes from the publicly accessible server list based on configurable parameters (NoLog, NoWhitelist), and perhaps bundled or designed into it we could provide an SSL verification mechanism if current extension API technology allows... Convergence is an abandoned project from Moxie Marlinspike that attempted to solve the SSL/CA issue we find ourselves with today with a pretty novel solution: using distributed and publicly run notaries that verify self-signed SSL certificates, and accompanying configurable browser extensions that allow you to select the notaries, the number of notary responses required, and the consensus requirements of those notaries, which based upon those requirements would either inject its trusted cert or trust the self-signed cert for the duration of the session. Perhaps non-DNSSEC-enabled zones could also benefit from a distributed notary consensus system for regular DoH & DoT queries to prevent certain attacks?
What is Convergence? https://en.wikipedia.org/wiki/Convergence_%28SSL%29
Learn more, https://web.archive.org/web/20160803195327/http://convergence.io/
Moxie's BlackHat USA 2011 Talk on SSL & Authenticity, https://www.youtube.com/watch?v=Z7Wl2FW2TcA
Possible Project Infrastructure
OpenNIC Chrome & Firefox Extension Client Side
-- Optional anonymity baked in via tor
-- Notary & OpenNIC Instances Configurable or Auto Fetched from public Notary list
-- Notary & Resolver Requirements (m-of-n consensus requirements, node reliability requirements)
-- Notary/DNS instance benchmarking & fetching from public lists
-- Alerts on client for notary SSL or DNS answer mismatch
Public Notary Instances (Tor Compatible) Server Side
Notary flow: Client sends request, visit requested site with self-signed SSL cert, verify meets modern SSL security standards, return result to client
Client flow: visit requested site with self-signed SSL cert, send to configured notaries, wait for answers, compare answers, trust cert or inject trusted cert.
DoH & DoT Verification would work similarly.
I'm sure there are issues, technological improvements, and more ideas. I would love to hear them and get like minds thinking of solutions to the problem at hand, promote adoption, and provide novel privacy and freedom respecting solutions to longstanding web problems.
--
Thank you,
William
Vanguard I.T. Services
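The client-side consensus step of the notary flow described in the post above, as an added example (not code from the original post or from OpenNIC): the notary names, hosts and fingerprints are constructed, and the notary lookup is simulated with a table instead of a real TLS fetch.

```javascript
// Constructed notary vantage points: the cert fingerprint each notary observed
// for a host from its own network path. A notary whose path is tampered with
// (or that fetched a different cert) reports a different fingerprint; a notary
// with no entry is treated as unreachable. All values here are made up.
const NOTARY_VIEWS = {
  "notary-a.example": { "wiki.opennic.example": "AA11" },
  "notary-b.example": { "wiki.opennic.example": "AA11" },
  "notary-c.example": { "wiki.opennic.example": "BB22" }, // disagrees
  "notary-d.example": {},                                  // no answer
};

// Simulated notary query: in the proposed design the notary would connect to
// the requested site itself and return the fingerprint of the cert it saw.
function queryNotary(notary, host) {
  const view = NOTARY_VIEWS[notary] || {};
  return { notary, fingerprint: view[host] || null };
}

// Client-side m-of-n consensus: the cert the client saw is trusted only if at
// least `minResponses` notaries answered and at least `m` of them observed the
// same fingerprint the client did. Dissenting notaries are returned so the
// extension can raise the "notary SSL answer mismatch" alert from the outline.
function evaluateConsensus(clientFingerprint, responses, { m, minResponses }) {
  const answered = responses.filter((r) => r.fingerprint !== null);
  if (answered.length < minResponses) {
    return { decision: "insufficient", agreeing: 0, dissenting: [] };
  }
  const agreeing = answered.filter((r) => r.fingerprint === clientFingerprint);
  const dissenting = answered
    .filter((r) => r.fingerprint !== clientFingerprint)
    .map((r) => r.notary);
  return {
    decision: agreeing.length >= m ? "trust" : "reject",
    agreeing: agreeing.length,
    dissenting,
  };
}

// One full check for a host: query the configured notaries, then decide.
function checkHost(host, clientFingerprint, notaries, policy) {
  const responses = notaries.map((n) => queryNotary(n, host));
  return evaluateConsensus(clientFingerprint, responses, policy);
}

const ALL = Object.keys(NOTARY_VIEWS);
console.log(checkHost("wiki.opennic.example", "AA11", ALL, { m: 2, minResponses: 2 }));
```

Raising `m` to 3 with the same table makes the decision "reject", which is the trade-off the post's configurable consensus requirements expose: stricter quorums resist a single compromised notary but fail closed when notaries are flaky.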