The Ambitious Plan To Reinvent How Websites Get Their Names (technologyreview.com) 178
When you type in a URL to your browser and press "enter," your browser sends that name to a network of computers called the Domain Name System (DNS), which converts it into IP addresses. These numbers are what allow your browser to find the right server on the internet and connect to it. When you navigate to a website, you are trusting a handful of organizations that have been charged with keeping the DNS working and secure.
"To people like Steven McKie, a developer for and investor in an open-source project called the Handshake Network, this centralized power over internet naming makes the internet vulnerable to both censorship and cyberattacks," reports MIT technology review. "Handshake wants to decentralize it by creating an alternative naming system that nobody controls. In doing so, it could help protect us from hackers trying to exploit the DNS's security weaknesses, and from governments hoping to use it to block free expression." From the report: The system would be based on blockchain technology, meaning it would be software that runs on a widely distributed network of computers. In theory, it would have no single point of failure and depend on no human-run organization that could be corrupted or co-opted. Handshake's software is a heavily modified version ("fork") of Bitcoin, and just as Bitcoin's network of miners protects the cryptocurrency from manipulation and makes it virtually impossible for authorities to shut down, a similar network could keep a permanent, censorship-resistant record of internet names. The Handshake team is far from the first to try to create a decentralized naming system for the web. But unlike previous efforts, Handshake isn't trying to replace DNS but work with it.
Besides ICANN, there's yet another class of organization whose job Handshake aims to decentralize. See that little padlock icon in your browser bar, to the left of the domain name? That means your computer has verified that your connection to this website is encrypted and that the site is authentic, not a fake one designed by a criminal trying to steal your login credentials. It does that by checking the veracity of a string of numbers called the site's digital certificate, issued by one of a number of so-called certificate authorities. These entities, many of which are for-profit companies, are crucial to internet security. They can also get hacked. And if one gets breached, and an attacker can start issuing fake certificates, it undermines the security of the whole internet. But if website names are managed on a tamper-resistant blockchain, then you don't need certificate authorities; the naming system itself can provide the guarantee that the site you're connected to is real. That's what Handshake aims to do.
"To people like Steven McKie, a developer for and investor in an open-source project called the Handshake Network, this centralized power over internet naming makes the internet vulnerable to both censorship and cyberattacks," reports MIT technology review. "Handshake wants to decentralize it by creating an alternative naming system that nobody controls. In doing so, it could help protect us from hackers trying to exploit the DNS's security weaknesses, and from governments hoping to use it to block free expression." From the report: The system would be based on blockchain technology, meaning it would be software that runs on a widely distributed network of computers. In theory, it would have no single point of failure and depend on no human-run organization that could be corrupted or co-opted. Handshake's software is a heavily modified version ("fork") of Bitcoin, and just as Bitcoin's network of miners protects the cryptocurrency from manipulation and makes it virtually impossible for authorities to shut down, a similar network could keep a permanent, censorship-resistant record of internet names. The Handshake team is far from the first to try to create a decentralized naming system for the web. But unlike previous efforts, Handshake isn't trying to replace DNS but work with it.
Besides ICANN, there's yet another class of organization whose job Handshake aims to decentralize. See that little padlock icon in your browser bar, to the left of the domain name? That means your computer has verified that your connection to this website is encrypted and that the site is authentic, not a fake one designed by a criminal trying to steal your login credentials. It does that by checking the veracity of a string of numbers called the site's digital certificate, issued by one of a number of so-called certificate authorities. These entities, many of which are for-profit companies, are crucial to internet security. They can also get hacked. And if one gets breached, and an attacker can start issuing fake certificates, it undermines the security of the whole internet. But if website names are managed on a tamper-resistant blockchain, then you don't need certificate authorities; the naming system itself can provide the guarantee that the site you're connected to is real. That's what Handshake aims to do.
"Blockchain" (Score:2, Insightful)
'nuff said.
Re: (Score:3)
How is this suppose to end DNS?
Fine we get a blockchain key, all fine and good... But am I going to remember Google is FE8ABCCD391299FE and Slashdot is EF44656ABD43ABD3
It will seem that shortly this will be become too unwieldy and will need some sort of Domain Name System to help Map the Block Chain Key with a common name that we can easily remember.
Re: (Score:2)
How is this suppose to end DNS? Fine we get a blockchain key, all fine and good... But am I going to remember Google is FE8ABCCD391299FE and Slashdot is EF44656ABD43ABD3 It will seem that shortly this will be become too unwieldy and will need some sort of Domain Name System to help Map the Block Chain Key with a common name that we can easily remember.
The current system is a bit more complicated than that. The busiest host names (such as www.google.com) have multiple computers answering to that name. When I resolve www.google.com it may be different than when you resolve google.com. Then we have the mess of both ipv4 and ipv6 in the wild, so we have addresses based on which protocol version you use.
Re: (Score:3)
Re: (Score:2)
blockchain, cloud, devops, agile
Re: (Score:2)
Re:"Blockchain" (Score:5, Insightful)
There are ways to do a block chain and not burn through a lot of electricity. It's all in the implementation. There are chain implementations that don't use mining to be able to add new nodes. Although, 'fork of bitcoin' doesn't inspire a lot of trust in that regard...
Re: "Blockchain" (Score:5, Informative)
It's not new, either. "Namecoin" has been around for 8 years now. This is the same concept with a new name, and unlikely to do any better.
Title had an error (Score:2, Insightful)
Fixed:The Futile Plan To Reinvent How Websites Get Their Names
File it with change keyboards from QWERTY and move the US to metric system
Re: (Score:2)
Converting plumbing and electrical to metric would not be that onerous. For example a 3/4" Schedule 40 steel pipe is exactly the same as the 20 DN pipe used in Europe. It has an ID of 0.824" and an OD of 1.05". And the US already measures electricity in watts and kilowatts, the same as in metric countries.
The tangible value to me would be more efficient calcula
Re: (Score:3)
Re: (Score:2)
Blockchain here isn't about value, it's about auditing. Proof of work isn't the point, participation and transparency are.
Besides, the line "The system would be based on blockchain technology, meaning it would be software that runs on a widely distributed network of computers." proves someone writing the headline/article either ascribes features to blockchain that aren't real, or have no good idea how it all works.
Oh, and DNS 'runs on a widely distributed network of computers'. What was the point? Oh yeah,
Re: (Score:2)
I don't know man, I just don't get it. The whole point seems to be about judging between different versions of the truth.
The only thing that prevents someone asserting an alternative, albeit consistent version of history is the fact that they have to get lots of other sources to agree with them and there is a significant cost involved to be considered a bone fide a source.
If there were little or no cost involved anyone could simply spin up sufficient VMs to become > 51% of the total and their version of
Re: (Score:2)
This implementation uses mining. "Mining" is just a name for incentivizing proof of work, but proof of work is about verifying the integrity of the blockchain data.
https://handshake.org/faq [handshake.org]
Does NOT replace certificates (Score:5, Informative)
> I'm all for an alternative to ICANN, VeriSign and DNS, but really
Unfortunately this does NOT replace certificates. It's only a different way of propagating DNS. Even DNS-SEC does not mean you don't need certs.
There's this little problem called "man in the middle". That's what TLS certs are for. Without a TLS cert, your browser can ask the local router to please connect you to 1.2.3.4 and you can know that is the right IP, but you don't know if the local access point is recording or changing the communication. WiFi is the most obvious example - the wifi hotspot you are connected to might be in that backpack the suspicious looking guy is wearing. And it can record or modify all of your traffic, unless there is a trustworthy certificate.
Not just the local router, but a bad guy may have infiltrated any of the network between you and the server. A bad guy might even be a VP at your ISP.
Without a cert and TLS or ipsec, you'd be trusting not only the server you're connecting to, but all of the multiple networks in between.
Cert on the chain? No (Score:3)
I know, I know. Somebody is going to say "just put the cert on the block chain".
Okay so I generate a certificate for Microsoft.com and put it on the block chain. Now what? You trust it because somebody published it to thr chain?
When you say "put it on the block chain" the question becomes WHO puts it on the chain? It's only useful if a globally trusted party puts it there and it's provide that it was added by that trusted party - a certificate authority. But if you have a trusted party they can just sign t
Re: Cert on the chain? No (Score:3)
Re: (Score:2)
Re: (Score:2)
According to their FAQ, it allows self-signed certificates to be trusted, because the trust chain can be traced to the registration of the domain.
DNS has an additional feature that allows you to verify TLS certificates by storing a hash of your ‘SubjectPublicKeyInfo’. This means that there is now a P2P way to trust self-signed certificates, as long as they have a valid DNSSEC trust chain set up. Anyone can set up a valid trust chain without having to ask anyone's permission to do so.
https://handshake.org/faq [handshake.org]
DNSSEC requires Verisign, trusted ISP, wifi (Score:3)
> as long as they have a valid DNSSEC trust chain set up.
DNSSEC, in turn, requires trusting Verisign, for . Com, and whichever root. You've only added more points of failure.
Since Windows has only a stub resolver, you also have to trust the WiFi and the ISP.
It's turtles all the way down.
Re: (Score:2)
DNSSEC, in turn, requires trusting Verisign, for . Com, and whichever root.
Not on Handshake - it would require trusting Handshake's blockchain proof of work.
Since Windows has only a stub resolver, you also have to trust the WiFi and the ISP.
What part of this would use the OS built-in resolver?
Re: (Score:2)
> Not on Handshake - it would require trusting Handshake's blockchain proof of work.
How, precisely, do you think proof of work proves that I am (or am not) a representative of Microsoft?
The only thing the blockchain can prove is *when* I said "I am the security admin for Microsoft". It cannot prove whether that statement is true, only that I made the statement.
Re: (Score:2)
Just like any DV validated SSL cert, it only proves that the keys were generated by the entity that also registered the domain. Except the organization can easily revoke by generating a new key and issuing new certs.
And the only thing that matters for SSL certificates is that you're connecting to that same entity. Anything else is a problem to solve elsewhere.
Re: (Score:2)
DNSSEC could replace domain validated certs. DNSSEC is enough to ensure the integrity of DNS records you get.
Yes someone could still muck with routing/ARP etc and intercept your traffic. The answer to that is to also put the servers public key in DNS records of some sort, maybe TXT maybe something new. You can know that is really the public key put their by whoever signed the zone and you can know your connection to the server is not being MITMed either because it will have the private key to produces me
dns traffic is traffic. Reduces security. (Score:2)
> Yes someone could still muck with routing/arp etc and intercept your traffic.
Including your DNS traffic!
> The answer to that is to also put the servers public key in DNS records of some sort. You can know that is really the public key put their by whoever signed the zone
[Continued in the next post because Slashdot's lameness filter sucks.]
What you would know then is that whoever sent you dns answers provided that public key. That only proves that the person who mitm the dns is the person who mitm
Re:dns traffic is traffic, continued (Score:2)
> This will tell you at least as much as domain validated only certificate does; which (though I disagree) the rest of the internet world has settled on being "good enough"
Indeed, what the cheapest, lowest-trust certs (class 1) tell you isn't sufficient. The proposal above is even less useful. A class 1 cert says that the person who created that cert controls the DNS responses Verisign gets from their on-premises root servers. Without Vsign, you know only that the person who created the cert controls th
Re: (Score:2)
But wait, there's more. Suppose I can somehow get a fake cert. In order for that to be useful, most likely I'll redirect you to the bogus site by sending you bogus dns responses. If it's a dns TXT record that vouches for the cert, sending you bogus dns replies allows me to BOTH redirect you *and* send you a bogus cert.
If the certificate authority signs the cert, I have to trick both the CA *and* you, on two different networks.
Re: (Score:2)
Umm no, DNSSEC means you will at least know if the DNS records you are getting have been tampered with. Why because the zone is signed, and you have Verisigns cert in your local cert store to check that. You can evaluate the chain of trust for the DNS records you get back; and if that chain is okay you know exactly as much about a given web servers response using PKI information from DNS as you do with a traditional DV server certificate.
Re: (Score:2)
> you have Verisigns cert in your local cert store to check that. You can evaluate the chain of trust for the DNS records you get back
If you trust Verisign, and trust the chain, you trust the cert - whether you got it from DNS or from the web server as normal. Adding the cert to the DNS has gained you nothing in terms of trusting the cert. It has only added points of failure, and little latency on the DNSSEC side.
Re: (Score:2)
IP v6.
Using bitcoins blockchain? (Score:5, Informative)
Does that mean it'll take 30 mins to do a lookup then?
Joking aside, no one having control might sound good but in reality it could mean chaos and an inability to rectify mistakes easily if at all. If someone grabs your address when youforget to renew after it expires (and how will expiration work?) how will you get it back from them if its all distributed?
Re:Using bitcoins blockchain? (Score:4, Interesting)
How much memory does your browser use today? Well soon it'll need an extra few gig just to store its DNS lookups!
Or, I know, we can offset that by moving the blockchain ledger to anorther server and letting your broswer do a lookup via an API request, and maybe we could then put older parts of the blockchain on different servers and.... oh...
Re:Using bitcoins blockchain? (Score:4, Interesting)
Plus, as long as you're using words to describe websites, you'll need some way of dealing with multiple sites wanting the same word. What will happen if Widgets, Inc. wants people to get to their site when "widget" is typed, but Wholesome Widgets wants the same? Do they both get the name and it's a toss up whose site you get to? Does one person get the name? Who decides who gets it? What happens if Evil Scammer grabs the name first and one (or both) of the valid companies is trying to get it back?
Re: (Score:2)
how will expiration work
Why do domains expire anyway? Is it just a money grab by the companies?
.
Re: (Score:2)
Re: Using bitcoins blockchain? (Score:2)
Why do you think the name will expire?
Re: (Score:2)
Re: Using bitcoins blockchain? (Score:2)
I don't think you understand how a Bitcoin style blockchain works. The entire chain is public. You can't charge for access. Monetization comes into play during mining. You will pay for a domain name, and the miner who mined the block and added it to the public chain will take your money. After that, it becomes part of the permanent record.
Re: (Score:2)
The summary is misleading. But the FAQ on the project web site is a little more clear:
DNS has an additional feature that allows you to verify TLS certificates by storing a hash of your ‘SubjectPublicKeyInfo’. This means that there is now a P2P way to trust self-signed certificates, as long as they have a valid DNSSEC trust chain set up. Anyone can set up a valid trust chain without having to ask anyone's permission to do so.
Re: (Score:2)
Phew (Score:4, Funny)
For a moment I thought it was being serious but then right there in the summary it says that this is all a silly April Fools joke:
"The system would be based on blockchain technology"
New? ... How is this different from Namecoin? (Score:5, Interesting)
How is this different from Namecoin [namecoin.org]?
That's an honest question. What does this solve that Namecoin doesn't?
Re: (Score:3)
Re: (Score:2)
That's an honest question. What does this solve that Namecoin doesn't?
NIH.
*I* know what MINE does, it's obvious. I can't figure out what YOURS does, it's so confusing. So I solved the problem... (for me and the ENTIRE WORLD. Or at least the former.) Ob pic [xkcd.com]
Straight to Blockchain Plaid. (Score:2)
Since we skipped over DNSSEC and went straight to Buzzword Blockchain Plaid, why don't we start talking about IPv9 migration too.
DNS needs some securing. We've known this for literally decades now. Enhancing host files with encryption seems like a dumb way to do it.
Re: (Score:3)
I think you missed the entire concept. This is about decentralizing *who* decides who owns what name. Essentially those who value a name most get it. Yep...it is supply/demand at its worst (or best), but I think it might be better than having ICANN or some other organization arbitrarily decide who gets to own XXXXX.amazon.
DNSSEC is about preventing certain attacks such as DNS cache poisoning, but it still depends on someone deciding who gets a particular DNS address. It will prevent people from doing "
Re: (Score:2)
I think you missed the entire concept. This is about decentralizing *who* decides who owns what name. Essentially those who value a name most get it. Yep...it is supply/demand at its worst (or best), but I think it might be better than having ICANN or some other organization arbitrarily decide who gets to own XXXXX.amazon.
I can't think of a more dangerous and idiotic concept. It's like people never learn. Always the tech heads who think they are being clever with protocol design and "new" ideas while completely ignoring governance. Here ignorance is deliberately explicit.
Look at me. I run a criminal enterprise and I own a botnet ... I can outbid all of you motherfuckers because I have more CPU cycles than you do. Then I'll turn around and use all of my new domains to fuck you all over even more. Great idea.
As for Arbit
Re: (Score:2)
Or Tor, which uses a DHT, with extra CPU requirements I assume.
FTFY (Score:5, Insightful)
"Handshake wants to decentralize it by creating an alternative naming system that nobody uses"
Re: (Score:2)
All they need to do is convince the major browsers (Chrome, Firefox, MSIE, Safari) to resolve with the Handshake blockchain before the current DNS and then EVERYBODY will use it. Or get some of the major DNS servers to put there Handshake process on UDP53.
While getting a browser extension downloaded to every browser is certainly a daunting task, this should not be about convincing the individual users...a few select entities can be the critical mass to jumpstart this. While DNS is used for a lot of things
first time (Score:2)
maybe the first time i was actually thinking; this looks like an interesting and useful implementation of blockchain.
Comment removed (Score:3)
Re: (Score:3)
In my view LE has a been a disaster for security. Not that a lot of the other CAs were not running around selling domain validated only certs just so they could create the EV cert racket but LE has basically removed even the potential one might be able to follow the money back to who paid for the cert in the case of a malicious actor. Now than of course someone could have used a prepaid card etc; but the browser/OS/etc vendors should have the CAs to a standard of at least not accepting those things as wel
Re:That SSL licence? (Score:4, Insightful)
However I don't agree with this, at least not completely but generally I see the point:
The biggest issue IMHO is that LE will sign anything
Which in a way the next sentence almost goes with my opinion:
Because all the cert really says is that yes you are connected to the machine that really is slsshdot.org not anything about who that is and if they are trust worthy.
That is all a certificate should do. The result is we can count on more sites having encryption than ever before. While some trust factor would be nice, that should be left up to someone else. That is what SSL and TLS are for. Extended validation and other things were nice but were always a false security indication. And Google contributes to this false security indication. Sites with valid encryption should display as Encrypted/Not Encrypted (or replace Encrypted with Private). But instead, Google put "Secure/Not Secure" which is part of what your concern is.
SSL and TLS have no business telling the visitor they can trust the owner of the site, nor more than they can assure you that the food purchase from pets.com will be great for your dog. That is the job of another technology. SSL and TLS are encryption, and that is what they do. I think Let's Encrypt did a good thing by ensuring more and more sites won't be subject to MITM attacks. I do miss the trust factor of the extended validation that was once popular, but I've realized over time that it was sustainable to being misused too, and I am happy to see that and encryption decoupled from each other. Let something else rise up and gain server and browser support.
Re: (Score:2)
In my view LE has a been a disaster for security.
Is that because you didn't understand the scope of the DV certificate until someone actually proved you can meet 100% of the requirements without money changing hands? Seriously following money has rarely worked, when when it's worked the money involved has had to be in the millions and the effort involves months of federal agencies putting in serious legwork.
No one who's little scam relies on LE's free certificate was ever at risk due to buying a certificate in the past.
Re: (Score:2)
I di not need to show any ID
Of course not. You rarely need to show any ID for a DV certificate. What you did show through following their how to is that in the process of requesting the certificate you actually had control of the server. That's the only thing a DV certificate certifies.
Good goal (Score:2)
but it's almost the worst way to achieve it.
This is the opposite of the problem. (Score:5, Interesting)
The problem with DNS is that it isn't well regulated. The main .com namespace was overrun a decade ago by shitty companies mass registering every combination of words in the dictionary forcing companies to look to even less trusted name spaces like io, or using gibberish company names. Gablarble.io sort of junk. And if you forget to reregister, forget having a mad monday morning scramble to pay the bill, squatters own it and will ransom the name for sillly oney. This has to change
The DNS registrars should have been insisting on proper company registrations and policing squatters and preventing third party reregistration for at least a few months. Blockchain cant solve this. Only good dnssec and legislation egislation can
Certs are different. The problem is the resgistration cartels charging silly money. Lets Encrypt has gone some way to fix that, but even fixing the problem of stolen certs its still not clear how t tell if the legitimately signed site is, well legit. This should be replaced with a web of trust concept. Let Visa and Mastercard sign sites that process cards. Let the AMA or the Royal college of surgeon sign medical sites. Let the Govt sign govt sites. If I want to start my own network of sites, let me sign them
And then the browser user can decide if they trust the banks, or the govt, or the doctors or if they trust me, or whatever. And if they dont trust them, then great, dont trust the site and present the browser owners some options on what to do next. No more cert cartels, and the people certifying sites are the people with the expertise in the area. Web of trust.
Re: (Score:2)
Wish I had mod points for you today.
Re: (Score:2)
"That's less than 0.004% of all possible 8 character domain names, for example. There's plenty of room."
The abundant availability of domains like "ds1c8t5y.com" and "nuk98w7j.com" is not really a meaningful metric.
How do you generate reality? (Score:2)
the naming system itself can provide the guarantee that the site you're connected to is real
No it can't, it can maybe guarantee others have vouched for your reality but as we see in politics, that doesn't mean much in regards something being a fact/reality.
It's a permanent registration system so if I own BankofAmerica first, I can pretend to be BoA regardless of whether the rest of the world agrees with me unless you want a system where names can be arbitrarily removed and changed by some minority consensus
Blockchain based? (Score:4, Funny)
Blockchain is a ledger it is not magic (Score:4, Interesting)
> if one [cert authority] gets breached, and an attacker can start issuing fake certificates... But if website names are managed on a tamper-resistant blockchain...
How is issuing unauthorized but valid certs any different than publishing unauthorized but valid blockchain events?
and how much of the entire ledger does every participant have to keep on their workstation ? Just the tip? How much bandwidth will be consumed by my constant downloading of new blocks as people publish new updates? Blocks that hold records I will never, ever use in requests but I will need to validate sequential blocks that might have the answers I need. If I don't want to have a constant drain on my bandwidth, then I'm trusting someone else to hold the ledger for me, and I'm not significantly better-off than I was with DNS.
Re: (Score:2)
Assange had a far better concept .. web address as a hash function of the url. A bit of math and you're done, and you are visiting the correct url by default then.
Except now you also need to replace the addressing system with one that's not hierarchical at all. Oh, and it only solves the problem of converting the name to an address... you still have no way to verify that the server you reach is actually the one at that address.
51% attack (Score:3)
This would still be vulnerable to the 51% attack.
Could a widespread botnet take this over? Or a large country like China?
Nothing on the Internet is 100% secure. If there are enough machines worldwide working on this blockchain then a 51% attack would be difficult to achieve. But it's a big ask.
Also, do you really want your phone, laptop, and/or router working on this in order to keep it secure, and thus using up battery power and electricity?
epic bullshit detected (Score:2)
the DNS system is all those things that the pseudo arguments of this solution in search of a problem pretends to do...
Wha? (Score:2)
The summary is pure word salad. There might be something useful here but the summary does not motivate me to read it.
The part about replacing certificates is especially amusing. One way or another, you need to have some authority certifying that such as such site is "valid". Magical blockchain fairy dust will not change that.
How browsers RESOLVE website names (Score:2)
Not how a website "gets its name".
Re: (Score:2)
Remember, this was probably written for an audience that invests in blockchain projects.
So blockchains are gonna do DNS resolutions? (Score:2)
In other words, a DNS resolve will take somewhere between a couple hours to a couple days, but at least you can be sure that your provider will not block the latest ransomware trojan trying to resolve fuewfhwe34hjerkjasdfdaiofasd.cn.
A, the buzzword strikes again! (Score:3)
Blockchain! Synergy! Paradigm shift!
What a load of horse shit.
-Miser
Re: (Score:2)
hey don't scoff it's Web 3.0 and Cloud Enabled
Think Of The Embedded, Children! (Score:2)
not compatible with current DNS...it will not work (Score:2)
Re: (Score:2)
We have had to block it, as it breaks our internal blacklist.
Nope (Score:2)
I'll just register Google.com on this .... (Score:2)
...and no-one can ever take it off me ...
Definitions (Score:2)
I'm often amazed by what Slashdot story summaries choose to define and what they don't. Name for Linux distribution specific to tracking frogs? Everybody knows FTINUX. Fundamental internet protocol? Better define that one.
Literally nobody cares (Score:2)
With the proliferation of TLDs, you can't be sure a domain name takes you to where you want to go. For instance, up until recently dicks.com [slashdot.org] took you to a porn site instead of a sporting goods store.
Everyone already does a search on their favorite search engine, even if they are reasonably sure they know the domain name. This prevents typo-squatting and obscure urls from being a problem.
It's like no one remembers the problems (Score:3)
"Decentralized authorities" are one of those terms that people have forgotten a lot about. They used to be everywhere, and civilization determined them to be horrendously evil, and hence centralized systems emerged instead.
Great, so you've covered DNS (which works just fine), and you've covered SSL Certificates (a system that's more broken than any I've ever encountered).
Now, when an authorized site is suddenly determined to be run by criminals, how do we shut it down? How do we remove it from handshake? You have an answer? That's great!
Now, how do we stop criminals from shutting down legitimate sites?
Those two sides of the same problem are possibly the reason that centralized systems are necessary. It's a feedback loop that never ends.
Now, criminals shut down a legitimate site, how do we bring it back?
Oops, it actually wasn't legitimate, take it down again!
Okay, they've paid the fine and fixed the problem, and it wasn't their fault to begin with, put it back up.
A central authority makes all of that possible, and potentially very easy and very expedient. Tell me how your decentralized authority handles repeated challenges to legitimacy.
It's the wild wild west all over again. That's why we took power away from sheriffs, and gave it to courtrooms.
Handshake aims to become another reputation-based system suffering from yet another mob mentality.
Re: (Score:2)
Great, so you've covered DNS (which works just fine)
DNS doesn't work "fine" at all. It's vulnerable to both technical and legal attacks, not to mention riddled with various kinds of exploitative squatters, and that's when the single point of failure that controls it all does its job correctly (which it does, but that could change tomorrow).
and you've covered SSL Certificates (a system that's more broken than any I've ever encountered)
The TLS certificate infrastructure is not badly broken. It has some weaknesses, but all in all it works fine. About on par with DNS, though the weaknesses are of different types. The choice of ASN.1 DER encoding for cert
Re: (Score:2)
DNS works fine because it's been running the entire internet for eons now. You can't argue with the kind of success that comes from every single connection ever always. And you certainly can't argue it with "that *could* change tomorrow".
TLS certificates are incredibly broken. It costs me $40 for a certificate. Any credit card will be accepted. Zero proof of identity. The actual certificate provides absolutely nothing more than to stop browser warnings to my customer. It offers zero actual value to a
Re: (Score:2)
TLS certificates are incredibly broken. It costs me $40 for a certificate. Any credit card will be accepted. Zero proof of identity.
Nonsense. (1) You can get a certificate for free (letsencrypt.org) and (2) the identity attested in the certificate -- namely, the domain name -- is proven. You have to prove that you have control of the DNS registry record, or (not quite as good, but okay) you have to prove that you have control of a server at the specified domain.
So what that cert proves (to a sufficient, but not perfect level, as your examples point out) is that the domain name the user typed into their browser is the same as the dom
Re: (Score:2)
You are confusing SSL with the SSL certificate. SSL ensures that the data wasn't modified in-transit. Over and above that, the certificate does nothing more than to say that someone paid to purchase the certificate, for a domain that they paid to purchase. happyb1.com, happyb-1.com, and happy-b1.com, you go to it, it's secure. Tells you nothing. Gives you zero recourse when they steal your money.
And I've done plenty of research and trials with let's encrypt. It's way more expensive than $40 once a year
Perhaps the solution is a matter of user option. (Score:2)
So as a User I select which name translation method I want to use in the browser, for sites I visit, or some combination to potentially expose a problem to alert me to be cautious of a site or expose censorship. Two ways of checking viability of site if so determined need to?
power grab (Score:2)
Silly. (Score:2)
If you want your own "ledger" there's nothing stopping you from keeping your own DNS list now.
Re: (Score:2)
More decentralized blockchain bullshit (Score:2)
The primary issues with DNS are ICANN and piss poor protocol design.
Lets fix that not ignore all responsibility and mistake total anarchy for progress.
Uhhh... DNS is already distributed (Score:2)
The DNS is already distributed. You can run your own server if you want, and you can even change slashdot.org to hellokitty.com on your own server if you want to. You can even make that public and tell people to point their DNS clients to your server. It just turns out that there's almost no demand for that, except maybe for the occasional hack just for grins and giggles. Having an alternative DNS that requires us to bring a new nuclear plant online for "the power of blockchains" should fail hard.
Re: (Score:2)
Interesting how many who do not quite understand how DNS works...
Ok, so who edits it? (Score:2)
But if website names are managed on a tamper-resistant blockchain
OK, if it is 'tamper-resistant', then how do you make changes and edits? If Bob wants to say bob.com is at 1.1.1.1, but Bobby ALSO wants to have bob.com point to 1.1.1.2... who is correct? Who controls this?
DNS over HTTPS (Score:2)
Also: With a lack of implementation of the available security meaures in DNS, the world is definitely not ready for the massive work needed for another name resolution protocol.
As any new name resolution technology will need a fallback to classic DNS anyway, the adoption will be worse than IPv6.
Re:DNS is not perfect, but.... (Score:5, Informative)
Also note that he isn't actually going to rearrange the IP system. DNS is effectively a GUI for IPv4/6, creating an easy-to-remember alias for an essentially random string of numbers. But if you know those numbers you can STILL access that particular site no matter how corrupted the DNS system becomes.
Re: (Score:2, Informative)
Unfortunately, name-based hosting means that in order to access a site this way you'll at least have to simulate (with hostfiles, a local DNS server or whatever) DNS pointing to the site you want to go to, because the HTTP and HTTPS schemes don't allow you to stipulate both the name and the IP address at the same time.
Re:DNS is not perfect, but.... (Score:5, Informative)
This is not exactly correct since it is possible for different sites to have the same IP and use the host field in the HTTP request to know which site to serve.
Comment removed (Score:5, Informative)
Re: (Score:3)
Just none of the hyperlinks are going to work...
Re: (Score:2)
Unless you link to the IP, which can be a thing.
Re: (Score:2)
CRC is not useful for data integrity. If I assume 32 bits, you can choose any 4 bytes to modify, choose value for 2 if not 3, and calculate the other 1 or 2 bytes to get a valid CRC32. Multiply by 2 for 64 bits.
I assume you meant some sort of cryptographically secure hash.
Crc 32, most common in zip files, is decent at detecting file damage, but that is not data integrity.