I'll start with their "vs. Convergence" since I was pretty enthusiastic when I read up on how it works. The okTurtles/DNSChain authors don't seem to understand how Convergence works at all (we'll it's either that or they do understand it but are maliciously misrepresenting it). They make ridiculous statements like " It depends on group consensus, but the group might not be very bright. What happens then?" lies like " It also does not provide MITM protection on first-visit" then say " all of the notary info appears to be stored locally to the computer, or even the browser. That is rather inconvenient for most users" glossing over how that's pretty much the same as how they handle what DNSChain server you trust. Likewise their " the website claims that it’s simple to use, which we have to disagree with because users are asked to manage a list of notaries." statement (besides making trusting notaries sound harder than it is) skips the part where DNSChain recommends that everyone run their own DNSChain daemon or at least maintain a reference to a public DNSChain service which is basically the same as a reference to a Convergence notary.
For a bit of reference the basic idea of Convergence they're calling "group consensus" is this: You have a list of notaries you trust. We'll call them say W, X, Y, and Z. When you visit a new website over HTTPS you get a SSL certificate from them and you need to know if you can trust it. To figure this out you talk to all your notaries and ask them if you can trust this certificate. Each of your notaries looks up the site and tells you what certificate they see. If all or most of them say they see the same certificate then it's safe. Each of these notaries would be run by different organizations in different locations, they can be in different countries under different governments, and you can include ones for different organizations you trust (you could include Mozilla and EFF if they ran notaries). The basic idea is that in order to compromise your connection the MITM compromising your connection would have to collude with or intercept all outgoing traffic for nearly all of these notaries you trust.
((You could even run notaries which instead of looking at certificates themselves used some other method – DNSSEC, Pinning, EFF's SSL Observatory – to test a certificate))j
The best explanation of Convergence is probably this video: https://www.youtube.com/watch?v=Z7Wl2FW2TcA
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2014-04-29, 10:41 PM, James Salsman wrote:
Would someone please review this DNS proposal for secure HTTPS?
https://github.com/okTurtles/dnschain http://okturtles.com/other/dnschain_okturtles_overview.pdf http://okturtles.com/
It is new but it appears to be the most correct secure DNS solution for HTTPS security at present. Thank you.
Best regards, James Salsman _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l