This week Google learned of another batch of fraudulently issued certificates for several of their domains. At the end of the post they made a renewed call for Certificate Transparency. In this post, we’ll use the acronym CT to refer to Google’s implementation of the general concept of certificate transparency, and we’ll explore other technologies that also provide it.
DNSChain 0.5 brings about many new features.
It’s important to remember, however, that this project is not really about new bells and whistles. It’s about what kind of a world we want to live in, and for us the answer is clear: we want to live in a free world, and that means addressing these problems:
- The Internet has been turned into a weapon for surveillance, and this has led to mass self-censorship.
- The Internet is being used as a battleground to wage “cyber war”. Much of our infrastructure relies on TLS to protect us, but its protection is undermined by X.509, a system that forces everyone online to trust the bad apple.
- Websites rely on TLS/HTTPS to protect them, but it does a very poor job. Even worse, it’s common practice for websites to pay for this “non-protection” (although, thanks to StartSSL and Let’s Encrypt, it’s no longer mandatory to pay).
Update: March 25, 2015, see also: Certificate transparency on blockchains
Ben Laurie, project lead for Google’s Certificate Transparency (CT), recently published an article wherein he compared CT against various efforts to secure Internet communication world-wide from Man-In-The-Middle Attacks (MITM), including DNSChain.
In it, he made several claims about CT and related topics:
- That CT leads to a situation where “It becomes impossible to misissue a certificate without detection”
- That no one has come up with a way to “effectively revoke self-signed certificates”
- That CT is a “Generally applicable” system where “No one is special” and where everyone “[is] able to participate”
- That CT doesn’t introduce trusted third-parties
- That CT doesn’t push decisions onto the end user
- That DNSChain wastes energy and “has no mechanism for verification”
It does not help the slightest that Google continues to make these—in our opinion, inaccurate—claims about CT in its official documentation (and elsewhere), in spite of being informed about their inaccuracies.
And yet, decisions that impact the security of the entire Internet are being made based on these statements. We (the Internet community) need more eyeballs and brains on this.
In this post, I will:
- Give a summary of what Certificate Transparency is
- Explain why Certificate Transparency does not live up to its name
- Respond to Laurie’s criticism of DNSChain, Bitcoin, and blockchain systems in general
Oh boy! Lots of news to share about okTurtles and DNSChain in the upcoming days:
- These projects are now officially under the stewardship of a new non-profit organization called the okTurtles Foundation (more on this coming soon).
- We’re going to be moving the site from okturtles.com ➜ okturtles.org
- We gave a very successful demo at SOUPS 2014’s EFF CUP workshop (see the video below!)
- Simon Grondin of Unblock.us.org is joining our team to bring awesome new anti-censorship features to DNSChain.
- Development on the okTurtles browser extension is ongoing!
- We’re looking forward to working with many of the wonderful people we met at the SOUPS 2014 conference! So many awesome folks in attendance! 😀
We envision a future where owning and administering your own personal server is simple and commonplace. This vision naturally arises as more and more people begin to use and advocate distributed and decentralized technologies like Bitcoin and our very own DNSChain. Instead of learning to drive, they’ll learn to administer a server. 🙂
So, in a similar vein to our previous tutorial, How to update OpenSSL on Debian testing (Jessie) for #Heartbleed, today we’ll show you how to downgrade a Linux kernel so that you can get the patch for the recent, extremely dangerous privilege-escalation vulnerability CVE-2014-3153 if you’re running a non-stable distribution (or one of the latest kernels).
April 8, 2014 6PM EST: Looks like for this one the Debian team moved faster than their typical “minimum two-day migration” and got the fix into testing a couple of minutes ago. Good job! You can completely ignore this blog post now! I’ll leave it up in case it’s still a helpful illustration of how to get security fixes for testing when they’re not yet available.
We’ve taken several important steps on the road to making “MITM-proof communication” on your favorite websites possible.
- We released the first version of DNSChain, the blockchain-based DNS resolver (fully compatible with canonical DNS).
- We launched the first public DNSChain server. Its 600 lines of CoffeeScript have been running flawlessly since February 6th.
- We launched the okTurtles forums and #dnschain IRC channel.
DNSChain is the first server to support the *.DNS metaTLD (see below for a detailed explanation of metaTLDs).
Nothing much to see here yet. Check back later!