Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
The Internet Bitcoin Encryption Open Source Privacy Security Technology

The Ambitious Plan To Reinvent How Websites Get Their Names (technologyreview.com) 178

Posted by BeauHD from the behind-the-scenes dept.
When you type in a URL to your browser and press "enter," your browser sends that name to a network of computers called the Domain Name System (DNS), which converts it into IP addresses. These numbers are what allow your browser to find the right server on the internet and connect to it. When you navigate to a website, you are trusting a handful of organizations that have been charged with keeping the DNS working and secure.

"To people like Steven McKie, a developer for and investor in an open-source project called the Handshake Network, this centralized power over internet naming makes the internet vulnerable to both censorship and cyberattacks," reports MIT technology review. "Handshake wants to decentralize it by creating an alternative naming system that nobody controls. In doing so, it could help protect us from hackers trying to exploit the DNS's security weaknesses, and from governments hoping to use it to block free expression." From the report: The system would be based on blockchain technology, meaning it would be software that runs on a widely distributed network of computers. In theory, it would have no single point of failure and depend on no human-run organization that could be corrupted or co-opted. Handshake's software is a heavily modified version ("fork") of Bitcoin, and just as Bitcoin's network of miners protects the cryptocurrency from manipulation and makes it virtually impossible for authorities to shut down, a similar network could keep a permanent, censorship-resistant record of internet names. The Handshake team is far from the first to try to create a decentralized naming system for the web. But unlike previous efforts, Handshake isn't trying to replace DNS but work with it.

Besides ICANN, there's yet another class of organization whose job Handshake aims to decentralize. See that little padlock icon in your browser bar, to the left of the domain name? That means your computer has verified that your connection to this website is encrypted and that the site is authentic, not a fake one designed by a criminal trying to steal your login credentials. It does that by checking the veracity of a string of numbers called the site's digital certificate, issued by one of a number of so-called certificate authorities. These entities, many of which are for-profit companies, are crucial to internet security. They can also get hacked. And if one gets breached, and an attacker can start issuing fake certificates, it undermines the security of the whole internet. But if website names are managed on a tamper-resistant blockchain, then you don't need certificate authorities; the naming system itself can provide the guarantee that the site you're connected to is real. That's what Handshake aims to do.
This discussion has been archived. No new comments can be posted.

The Ambitious Plan To Reinvent How Websites Get Their Names More

The Ambitious Plan To Reinvent How Websites Get Their Names

Comments Filter:

  • "Blockchain" (Score:2, Insightful)

    by Anonymous Coward

    'nuff said.

    • How is this suppose to end DNS?
      Fine we get a blockchain key, all fine and good... But am I going to remember Google is FE8ABCCD391299FE and Slashdot is EF44656ABD43ABD3
      It will seem that shortly this will be become too unwieldy and will need some sort of Domain Name System to help Map the Block Chain Key with a common name that we can easily remember.

      • How is this suppose to end DNS? Fine we get a blockchain key, all fine and good... But am I going to remember Google is FE8ABCCD391299FE and Slashdot is EF44656ABD43ABD3 It will seem that shortly this will be become too unwieldy and will need some sort of Domain Name System to help Map the Block Chain Key with a common name that we can easily remember.

        The current system is a bit more complicated than that. The busiest host names (such as www.google.com) have multiple computers answering to that name. When I resolve www.google.com it may be different than when you resolve google.com. Then we have the mess of both ipv4 and ipv6 in the wild, so we have addresses based on which protocol version you use.

    • Ah yes, blockchain. So DNS requests can take days, instead of miliseconds.
    • @anonymous > 'nuff said.

      blockchain, cloud, devops, agile .. errr whatever the current buzz phrase is ...
    • Namecoin [namecoin.org]

  • Using bitcoins blockchain? (Score:5, Informative)

    by Viol8 ( 599362 ) on Thursday June 06, 2019 @06:06AM (#58717934) Homepage

    Does that mean it'll take 30 mins to do a lookup then?

    Joking aside, no one having control might sound good but in reality it could mean chaos and an inability to rectify mistakes easily if at all. If someone grabs your address when youforget to renew after it expires (and how will expiration work?) how will you get it back from them if its all distributed?

    • Re:Using bitcoins blockchain? (Score:4, Interesting)

      by gbjbaanb ( 229885 ) on Thursday June 06, 2019 @07:02AM (#58718078)

      How much memory does your browser use today? Well soon it'll need an extra few gig just to store its DNS lookups!

      Or, I know, we can offset that by moving the blockchain ledger to anorther server and letting your broswer do a lookup via an API request, and maybe we could then put older parts of the blockchain on different servers and.... oh...

    • Re:Using bitcoins blockchain? (Score:4, Interesting)

      by Jason Levine ( 196982 ) on Thursday June 06, 2019 @08:30AM (#58718302) Homepage

      Plus, as long as you're using words to describe websites, you'll need some way of dealing with multiple sites wanting the same word. What will happen if Widgets, Inc. wants people to get to their site when "widget" is typed, but Wholesome Widgets wants the same? Do they both get the name and it's a toss up whose site you get to? Does one person get the name? Who decides who gets it? What happens if Evil Scammer grabs the name first and one (or both) of the valid companies is trying to get it back?

    • how will expiration work

      Why do domains expire anyway? Is it just a money grab by the companies?

      .

      • Re: (Score:2)

        by jythie ( 914043 )
        People die or lose interest, companies go out of business, clubs and institutions vanish. Expiration provides a mechanism for entries to return to the common pool if no one is using them as a default rather than someone having to take explicit action to do so.

    • Why do you think the name will expire?

  • Phew (Score:4, Funny)

    by thegarbz ( 1787294 ) on Thursday June 06, 2019 @06:22AM (#58717968)

    For a moment I thought it was being serious but then right there in the summary it says that this is all a silly April Fools joke:
    "The system would be based on blockchain technology"

  • New? ... How is this different from Namecoin? (Score:5, Interesting)

    by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Thursday June 06, 2019 @06:22AM (#58717972)

    How is this different from Namecoin [namecoin.org]?

    That's an honest question. What does this solve that Namecoin doesn't?

    • Re: (Score:3)

      by jythie ( 914043 )
      It solves the authoring wanting to design their own thing rather than someone else? Designing new stuff is fun!

    • That's an honest question. What does this solve that Namecoin doesn't?

      NIH.

      *I* know what MINE does, it's obvious. I can't figure out what YOURS does, it's so confusing. So I solved the problem... (for me and the ENTIRE WORLD. Or at least the former.) Ob pic [xkcd.com]

  • Since we skipped over DNSSEC and went straight to Buzzword Blockchain Plaid, why don't we start talking about IPv9 migration too.

    DNS needs some securing. We've known this for literally decades now. Enhancing host files with encryption seems like a dumb way to do it.

    • I think you missed the entire concept. This is about decentralizing *who* decides who owns what name. Essentially those who value a name most get it. Yep...it is supply/demand at its worst (or best), but I think it might be better than having ICANN or some other organization arbitrarily decide who gets to own XXXXX.amazon.

      DNSSEC is about preventing certain attacks such as DNS cache poisoning, but it still depends on someone deciding who gets a particular DNS address. It will prevent people from doing "

      • I think you missed the entire concept. This is about decentralizing *who* decides who owns what name. Essentially those who value a name most get it. Yep...it is supply/demand at its worst (or best), but I think it might be better than having ICANN or some other organization arbitrarily decide who gets to own XXXXX.amazon.

        I can't think of a more dangerous and idiotic concept. It's like people never learn. Always the tech heads who think they are being clever with protocol design and "new" ideas while completely ignoring governance. Here ignorance is deliberately explicit.

        Look at me. I run a criminal enterprise and I own a botnet ... I can outbid all of you motherfuckers because I have more CPU cycles than you do. Then I'll turn around and use all of my new domains to fuck you all over even more. Great idea.

        As for Arbit

    • Or Tor, which uses a DHT, with extra CPU requirements I assume.

  • FTFY (Score:5, Insightful)

    by richy freeway ( 623503 ) on Thursday June 06, 2019 @06:35AM (#58718012)

    "Handshake wants to decentralize it by creating an alternative naming system that nobody uses"

    • All they need to do is convince the major browsers (Chrome, Firefox, MSIE, Safari) to resolve with the Handshake blockchain before the current DNS and then EVERYBODY will use it. Or get some of the major DNS servers to put there Handshake process on UDP53.

      While getting a browser extension downloaded to every browser is certainly a daunting task, this should not be about convincing the individual users...a few select entities can be the critical mass to jumpstart this. While DNS is used for a lot of things

  • maybe the first time i was actually thinking; this looks like an interesting and useful implementation of blockchain.

  • Comment removed (Score:3)

    by account_deleted ( 4530225 ) on Thursday June 06, 2019 @06:51AM (#58718052)
    Comment removed based on user account deletion

    • Re: (Score:3)

      by DarkOx ( 621550 )

      In my view LE has a been a disaster for security. Not that a lot of the other CAs were not running around selling domain validated only certs just so they could create the EV cert racket but LE has basically removed even the potential one might be able to follow the money back to who paid for the cert in the case of a malicious actor. Now than of course someone could have used a prepaid card etc; but the browser/OS/etc vendors should have the CAs to a standard of at least not accepting those things as wel

      • Re:That SSL licence? (Score:4, Insightful)

        by kingbilly ( 993754 ) on Thursday June 06, 2019 @12:47PM (#58719870)
        I also agree that Google and others are wrong in hiding the location bar. Pain the in butt to copy and paste when you didn't want the protocol in the clipboard, but you can't not select it.

        However I don't agree with this, at least not completely but generally I see the point:
        The biggest issue IMHO is that LE will sign anything
        Which in a way the next sentence almost goes with my opinion:
        Because all the cert really says is that yes you are connected to the machine that really is slsshdot.org not anything about who that is and if they are trust worthy.

        That is all a certificate should do. The result is we can count on more sites having encryption than ever before. While some trust factor would be nice, that should be left up to someone else. That is what SSL and TLS are for. Extended validation and other things were nice but were always a false security indication. And Google contributes to this false security indication. Sites with valid encryption should display as Encrypted/Not Encrypted (or replace Encrypted with Private). But instead, Google put "Secure/Not Secure" which is part of what your concern is.

        SSL and TLS have no business telling the visitor they can trust the owner of the site, nor more than they can assure you that the food purchase from pets.com will be great for your dog. That is the job of another technology. SSL and TLS are encryption, and that is what they do. I think Let's Encrypt did a good thing by ensuring more and more sites won't be subject to MITM attacks. I do miss the trust factor of the extended validation that was once popular, but I've realized over time that it was sustainable to being misused too, and I am happy to see that and encryption decoupled from each other. Let something else rise up and gain server and browser support.

      • In my view LE has a been a disaster for security.

        Is that because you didn't understand the scope of the DV certificate until someone actually proved you can meet 100% of the requirements without money changing hands? Seriously following money has rarely worked, when when it's worked the money involved has had to be in the millions and the effort involves months of federal agencies putting in serious legwork.

        No one who's little scam relies on LE's free certificate was ever at risk due to buying a certificate in the past.

    • I di not need to show any ID

      Of course not. You rarely need to show any ID for a DV certificate. What you did show through following their how to is that in the process of requesting the certificate you actually had control of the server. That's the only thing a DV certificate certifies.

  • but it's almost the worst way to achieve it.

  • This is the opposite of the problem. (Score:5, Interesting)

    by sg_oneill ( 159032 ) on Thursday June 06, 2019 @07:44AM (#58718188)

    The problem with DNS is that it isn't well regulated. The main .com namespace was overrun a decade ago by shitty companies mass registering every combination of words in the dictionary forcing companies to look to even less trusted name spaces like io, or using gibberish company names. Gablarble.io sort of junk. And if you forget to reregister, forget having a mad monday morning scramble to pay the bill, squatters own it and will ransom the name for sillly oney. This has to change

    The DNS registrars should have been insisting on proper company registrations and policing squatters and preventing third party reregistration for at least a few months. Blockchain cant solve this. Only good dnssec and legislation egislation can

    Certs are different. The problem is the resgistration cartels charging silly money. Lets Encrypt has gone some way to fix that, but even fixing the problem of stolen certs its still not clear how t tell if the legitimately signed site is, well legit. This should be replaced with a web of trust concept. Let Visa and Mastercard sign sites that process cards. Let the AMA or the Royal college of surgeon sign medical sites. Let the Govt sign govt sites. If I want to start my own network of sites, let me sign them

    And then the browser user can decide if they trust the banks, or the govt, or the doctors or if they trust me, or whatever. And if they dont trust them, then great, dont trust the site and present the browser owners some options on what to do next. No more cert cartels, and the people certifying sites are the people with the expertise in the area. Web of trust.

    • Wish I had mod points for you today.

  • the naming system itself can provide the guarantee that the site you're connected to is real

    No it can't, it can maybe guarantee others have vouched for your reality but as we see in politics, that doesn't mean much in regards something being a fact/reality.

    It's a permanent registration system so if I own BankofAmerica first, I can pretend to be BoA regardless of whether the rest of the world agrees with me unless you want a system where names can be arbitrarily removed and changed by some minority consensus

  • Blockchain based? (Score:4, Funny)

    by Parker Lewis ( 999165 ) on Thursday June 06, 2019 @07:58AM (#58718222)
    A DNS based in a blockchain implementation? You know what does it mean? We'll never see a real product!

  • Blockchain is a ledger it is not magic (Score:4, Interesting)

    by Mozai ( 3547 ) on Thursday June 06, 2019 @08:04AM (#58718238) Homepage

    > if one [cert authority] gets breached, and an attacker can start issuing fake certificates... But if website names are managed on a tamper-resistant blockchain...

    How is issuing unauthorized but valid certs any different than publishing unauthorized but valid blockchain events?

    and how much of the entire ledger does every participant have to keep on their workstation ? Just the tip? How much bandwidth will be consumed by my constant downloading of new blocks as people publish new updates? Blocks that hold records I will never, ever use in requests but I will need to validate sequential blocks that might have the answers I need. If I don't want to have a constant drain on my bandwidth, then I'm trusting someone else to hold the ledger for me, and I'm not significantly better-off than I was with DNS.

  • 51% attack (Score:3)

    by Tomahawk ( 1343 ) on Thursday June 06, 2019 @08:06AM (#58718240) Homepage

    This would still be vulnerable to the 51% attack.
    Could a widespread botnet take this over? Or a large country like China?

    Nothing on the Internet is 100% secure. If there are enough machines worldwide working on this blockchain then a 51% attack would be difficult to achieve. But it's a big ask.

    Also, do you really want your phone, laptop, and/or router working on this in order to keep it secure, and thus using up battery power and electricity?

  • the DNS system is all those things that the pseudo arguments of this solution in search of a problem pretends to do...

  • The summary is pure word salad. There might be something useful here but the summary does not motivate me to read it.

    The part about replacing certificates is especially amusing. One way or another, you need to have some authority certifying that such as such site is "valid". Magical blockchain fairy dust will not change that.

  • Not how a website "gets its name".

  • In other words, a DNS resolve will take somewhere between a couple hours to a couple days, but at least you can be sure that your provider will not block the latest ransomware trojan trying to resolve fuewfhwe34hjerkjasdfdaiofasd.cn.

  • A, the buzzword strikes again! (Score:3)

    by Miser ( 36591 ) on Thursday June 06, 2019 @09:12AM (#58718504)

    Blockchain! Synergy! Paradigm shift!

    What a load of horse shit.

    -Miser

  • If you require such a system, that forces some embedded electronics products to have an order of magnitude more resources (RAM, ROM, MHz). And, now that I think of it, this would "waste" more electricity on EVERY computing device, forever going forward, that would perform such a look-up. It's the same complaint I have about Google insisting that all websites (like weather forecasts?) be encrypted.
  • Lots of people come up with new ideas to replace SMTP, DNS, HTTP, etc. The bottom line is that if it requires everybody to move to a new system, it's DOA. It MUST be compatible with current DNS.
    • Well, there is already DNS over HTTPS whic is stealthily implemented in browsers. It has DNS behind it, but could potentially query any database.

      We have had to block it, as it breaks our internal blacklist.
  • It cannot work, unless the blockchain is supported by a support vector machine controlled by a multilevel neural network that navigates through a random forest of virtual machines, whose purpose is to fuel the multi-level marketing resellers who offer this crap^H^H^H^Hadvanced technologies to very competent investors.

  • ...and no-one can ever take it off me ...

  • I'm often amazed by what Slashdot story summaries choose to define and what they don't. Name for Linux distribution specific to tracking frogs? Everybody knows FTINUX. Fundamental internet protocol? Better define that one.

  • With the proliferation of TLDs, you can't be sure a domain name takes you to where you want to go. For instance, up until recently dicks.com [slashdot.org] took you to a porn site instead of a sporting goods store.

    Everyone already does a search on their favorite search engine, even if they are reasonably sure they know the domain name. This prevents typo-squatting and obscure urls from being a problem.

  • It's like no one remembers the problems (Score:3)

    by holophrastic ( 221104 ) on Thursday June 06, 2019 @10:15AM (#58718776)

    "Decentralized authorities" are one of those terms that people have forgotten a lot about. They used to be everywhere, and civilization determined them to be horrendously evil, and hence centralized systems emerged instead.

    Great, so you've covered DNS (which works just fine), and you've covered SSL Certificates (a system that's more broken than any I've ever encountered).

    Now, when an authorized site is suddenly determined to be run by criminals, how do we shut it down? How do we remove it from handshake? You have an answer? That's great!

    Now, how do we stop criminals from shutting down legitimate sites?

    Those two sides of the same problem are possibly the reason that centralized systems are necessary. It's a feedback loop that never ends.

    Now, criminals shut down a legitimate site, how do we bring it back?
    Oops, it actually wasn't legitimate, take it down again!
    Okay, they've paid the fine and fixed the problem, and it wasn't their fault to begin with, put it back up.

    A central authority makes all of that possible, and potentially very easy and very expedient. Tell me how your decentralized authority handles repeated challenges to legitimacy.

    It's the wild wild west all over again. That's why we took power away from sheriffs, and gave it to courtrooms.

    Handshake aims to become another reputation-based system suffering from yet another mob mentality.

    • Great, so you've covered DNS (which works just fine)

      DNS doesn't work "fine" at all. It's vulnerable to both technical and legal attacks, not to mention riddled with various kinds of exploitative squatters, and that's when the single point of failure that controls it all does its job correctly (which it does, but that could change tomorrow).

      and you've covered SSL Certificates (a system that's more broken than any I've ever encountered)

      The TLS certificate infrastructure is not badly broken. It has some weaknesses, but all in all it works fine. About on par with DNS, though the weaknesses are of different types. The choice of ASN.1 DER encoding for cert

      • DNS works fine because it's been running the entire internet for eons now. You can't argue with the kind of success that comes from every single connection ever always. And you certainly can't argue it with "that *could* change tomorrow".

        TLS certificates are incredibly broken. It costs me $40 for a certificate. Any credit card will be accepted. Zero proof of identity. The actual certificate provides absolutely nothing more than to stop browser warnings to my customer. It offers zero actual value to a

        • TLS certificates are incredibly broken. It costs me $40 for a certificate. Any credit card will be accepted. Zero proof of identity.

          Nonsense. (1) You can get a certificate for free (letsencrypt.org) and (2) the identity attested in the certificate -- namely, the domain name -- is proven. You have to prove that you have control of the DNS registry record, or (not quite as good, but okay) you have to prove that you have control of a server at the specified domain.

          So what that cert proves (to a sufficient, but not perfect level, as your examples point out) is that the domain name the user typed into their browser is the same as the dom

          • You are confusing SSL with the SSL certificate. SSL ensures that the data wasn't modified in-transit. Over and above that, the certificate does nothing more than to say that someone paid to purchase the certificate, for a domain that they paid to purchase. happyb1.com, happyb-1.com, and happy-b1.com, you go to it, it's secure. Tells you nothing. Gives you zero recourse when they steal your money.

            And I've done plenty of research and trials with let's encrypt. It's way more expensive than $40 once a year

  • So as a User I select which name translation method I want to use in the browser, for sites I visit, or some combination to potentially expose a problem to alert me to be cautious of a site or expose censorship. Two ways of checking viability of site if so determined need to?

  • one who controls 51% owns everything? how does it work with 1% owning 80% of assets?

  • If you want your own "ledger" there's nothing stopping you from keeping your own DNS list now.

  • The primary issues with DNS are ICANN and piss poor protocol design.

    Lets fix that not ignore all responsibility and mistake total anarchy for progress.

  • The DNS is already distributed. You can run your own server if you want, and you can even change slashdot.org to hellokitty.com on your own server if you want to. You can even make that public and tell people to point their DNS clients to your server. It just turns out that there's almost no demand for that, except maybe for the occasional hack just for grins and giggles. Having an alternative DNS that requires us to bring a new nuclear plant online for "the power of blockchains" should fail hard.

  • But if website names are managed on a tamper-resistant blockchain

    OK, if it is 'tamper-resistant', then how do you make changes and edits? If Bob wants to say bob.com is at 1.1.1.1, but Bobby ALSO wants to have bob.com point to 1.1.1.2... who is correct? Who controls this?

  • There is already DNS over HTTPS which is creating security issues.Do we need another protocol to create more?
    Also: With a lack of implementation of the available security meaures in DNS, the world is definitely not ready for the massive work needed for another name resolution protocol.
    As any new name resolution technology will need a fallback to classic DNS anyway, the adoption will be worse than IPv6.

Slashdot Top Deals

One man's constant is another man's variable. -- A.J. Perlis

Close