Delist OpenNIC & NameCoin #1273

Merged
merged 1 commit into from Sep 7, 2019


@Mikaela
Member

commented Sep 6, 2019

Description

Resolves: #1258

While OpenNIC and Namecoin allow private domain registration, I am led to understand that they cannot get SSL certificates that are globally recognised as valid, due to their nature as an alternative to ICANN-managed DNS.

If I am correct, this results in them either not having https/TLS at all or teaching users to blindly accept any SSL certificates, either announcing in plaintext to any network listener (or Tor exit node) what they are doing or leaving them vulnerable to MITM attackers. Thus I don't consider them as private.

See also:

Check List

@Mikaela Mikaela added the 🗄️ dns label Sep 6, 2019

@Mikaela Mikaela requested a review from privacytoolsIO/editorial Sep 6, 2019

@Mikaela Mikaela self-assigned this Sep 6, 2019

@netlify


commented Sep 6, 2019

Deploy preview for privacytools-io ready!

Built with commit caea706

https://deploy-preview-1273--privacytools-io.netlify.com

@Mikaela

Member Author

commented Sep 6, 2019

It appears that I am not entirely correct in the case of Namecoin, judging by https://wiki.namecoin.org/index.php?title=Domain_Name_Specification#TLS_support, however:

That later part is tricky, as most TLS clients are designed to work with a centralized trust model. It is recommended that Namecoin client software generate a unique self-signed certificate and install it as a trusted root Certificate Authority in the appropriate TLS clients, such as web browsers. Once that initial setup is done, Namecoin client software can use that root certificate to generate TLS certificates that browsers will accept. Namecoin client software should cache such generated certificates and reuse them as needed.

I think installing root certificates is dangerous as those have leaked in the past and probably will also in the future.

@nitrohorse
Member

left a comment

LGTM

@blacklight447-ptio
Member

left a comment

Looks ready for merging.

@blacklight447-ptio blacklight447-ptio merged commit 4a37dd3 into privacytoolsIO:master Sep 7, 2019


@blacklight447-ptio blacklight447-ptio deleted the Mikaela:rm-insecure-dns branch Sep 7, 2019

@Mikaela Mikaela restored the Mikaela:rm-insecure-dns branch Sep 7, 2019

@Mikaela

Member Author

commented Sep 7, 2019

While this was already merged, another argument I happened to think of against Namecoin is that I have heard them often encouraging DNS servers that are capable of resolving Namecoin domains, and I understand that in that case there wouldn't even be the root CA installed, resulting in security issues.

@Mikaela Mikaela deleted the Mikaela:rm-insecure-dns branch Sep 8, 2019
