I'll start with their "vs. Convergence" since I was pretty enthusiastic
when I read up on how it works.
The okTurtles/DNSChain authors don't seem to understand how Convergence
works at all (well, it's either that or they do understand it but are
maliciously misrepresenting it).
They make ridiculous statements like "It depends on group consensus,
but the group might not be very bright. What happens then?", lies like
"It also does not provide MITM protection on first-visit" then say "all
of the notary info appears to be stored locally to the computer, or even
the browser. That is rather inconvenient for most users" glossing over
how that's pretty much the same as how they handle what DNSChain server
you trust. Likewise their "the website claims that it’s simple to use,
which we have to disagree with because users are asked to manage a list
of notaries." statement (besides making trusting notaries sound harder
than it is) skips the part where DNSChain recommends that everyone run
their own DNSChain daemon or at least maintain a reference to a public
DNSChain service which is basically the same as a reference to a
Convergence notary.
For a bit of reference the basic idea of Convergence they're calling
"group consensus" is this:
You have a list of notaries you trust. We'll call them say W, X, Y, and Z.
When you visit a new website over HTTPS you get an SSL certificate from
them and you need to know if you can trust it.
To figure this out you talk to all your notaries and ask them if you can
trust this certificate.
Each of your notaries looks up the site and tells you what certificate
they see.
If all or most of them say they see the same certificate then it's safe.
Each of these notaries would be run by different organizations in
different locations, they can be in different countries under different
governments, and you can include ones for different organizations you
trust (you could include Mozilla and EFF if they ran notaries).
The basic idea is that in order to compromise your connection the MITM
compromising your connection would have to collude with or intercept all
outgoing traffic for nearly all of these notaries you trust.
((You could even run notaries which instead of looking at certificates
themselves used some other method – DNSSEC, Pinning, EFF's SSL
Observatory – to test a certificate))
The best explanation of Convergence is probably this video:
https://www.youtube.com/watch?v=Z7Wl2FW2TcA
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2014-04-29, 10:41 PM, James Salsman wrote:
Would someone please review this DNS proposal for
secure HTTPS?
https://github.com/okTurtles/dnschain
http://okturtles.com/other/dnschain_okturtles_overview.pdf
http://okturtles.com/
It is new but it appears to be the most correct secure DNS solution for
HTTPS security at present. Thank you.
Best regards,
James Salsman
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
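
The notary check described in the reply above (notaries W, X, Y and Z each report the certificate they see, and the client trusts it only if all or most agree), as an added example that is not part of the original thread and is not Convergence's own code. Notaries are modelled as local functions, the certificates are constructed byte strings, and the 75% threshold and the choice to count unreachable notaries against the quorum are assumptions.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Hypothetical interface: a notary takes a hostname and returns the DER bytes
# of the certificate it sees from its own vantage point (or raises if down).
Notary = Callable[[str], bytes]

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def notary_verdict(host: str, presented: bytes, notaries: Dict[str, Notary],
                   min_agree: float = 0.75) -> Tuple[bool, Dict[str, Optional[bool]]]:
    """Ask every trusted notary what it sees for host; trust only on quorum."""
    want = fingerprint(presented)
    votes: Dict[str, Optional[bool]] = {}
    for name, ask in notaries.items():
        try:
            votes[name] = fingerprint(ask(host)) == want
        except Exception:
            votes[name] = None          # unreachable: no vote
    agree = sum(1 for v in votes.values() if v is True)
    # Assumption: the denominator is every configured notary, so blocked or
    # silent notaries lower the score instead of shrinking the quorum.
    trusted = bool(notaries) and agree / len(notaries) >= min_agree
    return trusted, votes

# Constructed sample data: stand-ins for DER certificates.
REAL_CERT = b"constructed: certificate served by the real site"
MITM_CERT = b"constructed: certificate injected on the client's path"

def sees(cert: bytes) -> Notary:
    return lambda host: cert

def down(host: str) -> bytes:
    raise ConnectionError("notary unreachable")

def scenarios() -> Dict[str, bool]:
    all_up = {n: sees(REAL_CERT) for n in "WXYZ"}
    return {
        "clean path": notary_verdict("example.org", REAL_CERT, all_up)[0],
        "client-side MITM": notary_verdict("example.org", MITM_CERT, all_up)[0],
        "one notary down": notary_verdict("example.org", REAL_CERT, {**all_up, "Z": down})[0],
        "two notaries down": notary_verdict("example.org", REAL_CERT, {**all_up, "Y": down, "Z": down})[0],
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18} -> {'trust' if ok else 'reject'}")
```

The "client-side MITM" case is a first visit: the client has no stored state for the host, yet the swapped certificate is rejected because none of the notaries see it.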