okTurtles / dnschain

A blockchain-based DNS + HTTP server that fixes HTTPS security, and more!
https://okturtles.com

Response for okturtles.bit, used in documentation example, seems erroneous #144

Closed lazaroclapp closed 9 years ago

lazaroclapp commented 9 years ago

In the "How do I use DNSChain?" documentation (https://github.com/okTurtles/dnschain/blob/master/docs/How-do-I-use-it.md), it suggests the example query https://api.dnschain.net/v1/namecoin/key/d%2Fokturtles, which looks like a stale record.

The issue is that this query currently returns IP address 192.184.93.146 and the following TLS field:

"tls":{"sha1":["5F:8B:74:78:4F:55:27:19:DC:53:6B:9B:C8:99:CD:91:8A:57:DD:07"],"enforce":"*"}}

Unfortunately, 192.184.93.146 responds with 301 and redirects to https://forums.okturtles.com/ which has a "valid" https certificate which doesn't match the above fingerprint (CA is StarCom, sha1 is 62:2C:78:00:5F:B2:B4:7C:90:9D:53:E7:00:3C:C3:EC:B1:D6:71:04). Unless I am missing something about how .bit domains should be used (which is entirely possible, I haven't played with namecoin before), this means the record for d/okturtles needs to be updated.

Well, either that or I am being MITM'ed for either https://api.dnschain.net or 192.184.93.146 ;)

taoeffect commented 9 years ago

Yeah, you're right, it's quite stale, sorry about that.

The problem is that actually verifying .bit domains over HTTPS (properly) hasn't been implemented yet. The closest thing to that is the FreeSpeechMe firefox extension by @JeremyRand, but it requires clients to run Namecoin locally.

Getting that right is the next, and probably "final" step.

If you'd like to help move us there faster, let me know. :)

As far as the correct fingerprint goes, https://api.dnschain.net/v1/resolver/fingerprint should return the correct fingerprint for that particular service (not the same as what's used for okturtles.com).

It should currently be:

5C:BC:2A:C4:21:99:80:2D:90:85:78:81:23:38:AD:E3:A9:21:16:0B:C2:8D:31:44:32:30:83:53:37:76:E1:1A
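The check the reporter performed by hand above (fetch the record, connect to the host, compare the served certificate's fingerprint with the pin in the record) and the resolver-fingerprint pin mentioned in the previous comment can both be scripted. The following is an added example written for this thread, not code from the dnschain project or pydnschain. It assumes a record shaped like the d/okturtles JSON quoted in the report (an "ip" field and a "tls" object holding per-algorithm fingerprint lists plus "enforce"); the sample record, the stand-in "certificate" bytes and the 192.0.2.10 address are constructed so the check runs offline, and the function names are the example's own. Only the script's command-line mode touches the network.

```python
"""Check a DNSChain TLS pin against the certificate a host actually serves.

Added example for this issue thread, not dnschain project code. It reads the
"tls" block of a record shaped like the d/okturtles response quoted above,
computes the same colon-separated fingerprint over a DER certificate, and
reports whether they agree. Network access happens only in the __main__ block.
"""
import hashlib
import hmac
import json
import ssl

ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
# Hex-digest length -> algorithm, used to classify a bare fingerprint string.
DIGEST_LENGTHS = {40: "sha1", 64: "sha256"}


def colon_hex(digest_hex: str) -> str:
    """Render a hex digest as upper-case byte pairs joined by ':'."""
    digest_hex = digest_hex.upper()
    return ":".join(digest_hex[i:i + 2] for i in range(0, len(digest_hex), 2))


def normalize(fingerprint: str) -> str:
    """Strip separators and case so fingerprints compare by value only."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def algorithm_for(fingerprint: str) -> str:
    """Infer sha1 vs sha256 from the digest length; reject anything else."""
    length = len(normalize(fingerprint))
    if length not in DIGEST_LENGTHS:
        raise ValueError(f"unsupported fingerprint length {length}")
    return DIGEST_LENGTHS[length]


def cert_fingerprint(der_cert: bytes, algorithm: str) -> str:
    """Colon-separated digest of a DER certificate (what openssl -fingerprint prints)."""
    return colon_hex(ALGORITHMS[algorithm](der_cert).hexdigest())


def pins_from_record(record_json: str):
    """Return ({algorithm: [normalized pins]}, enforce) from a DNSChain-style record."""
    tls = json.loads(record_json).get("tls", {})
    pins = {alg: [normalize(p) for p in tls.get(alg, [])] for alg in ALGORITHMS}
    return pins, tls.get("enforce")


def fingerprints_match(expected: str, observed: str) -> bool:
    """Constant-time comparison of two fingerprints of the same algorithm."""
    a, b = normalize(expected), normalize(observed)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def cert_matches_record(der_cert: bytes, record_json: str) -> bool:
    """True if the served certificate's fingerprint is among the record's pins.

    A record without any pins yields False: callers that want to permit
    unpinned hosts should inspect pins_from_record() first. The meaning of
    the 'enforce' field is defined by dnschain, so it is returned by
    pins_from_record() but not interpreted here.
    """
    pins, _enforce = pins_from_record(record_json)
    for algorithm, expected_list in pins.items():
        if not expected_list:
            continue
        observed = cert_fingerprint(der_cert, algorithm)
        if any(fingerprints_match(exp, observed) for exp in expected_list):
            return True
    return False


def fetch_der_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a host serves, as DER bytes (uses the network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed sample: a stand-in byte string plays the role of a DER
# certificate so the check runs offline; live use hashes a real DER blob.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
OTHER_DER = b"a different certificate, e.g. the one served after a redirect"
SAMPLE_RECORD = json.dumps({
    "ip": "192.0.2.10",  # documentation address, not the real host
    "tls": {"sha1": [cert_fingerprint(SAMPLE_DER, "sha1")], "enforce": "*"},
})

# The two SHA-1 values quoted in this issue: the pin in the stale record and
# the fingerprint of the certificate the reporter actually saw.
RECORD_PIN = "5F:8B:74:78:4F:55:27:19:DC:53:6B:9B:C8:99:CD:91:8A:57:DD:07"
OBSERVED_PIN = "62:2C:78:00:5F:B2:B4:7C:90:9D:53:E7:00:3C:C3:EC:B1:D6:71:04"


if __name__ == "__main__":
    import sys
    # Usage: python pincheck.py HOST RECORD.json   (live check against HOST)
    host, record_path = sys.argv[1], sys.argv[2]
    with open(record_path) as fh:
        record_json = fh.read()
    der = fetch_der_certificate(host)
    print("match" if cert_matches_record(der, record_json) else "MISMATCH")
```

Run against the two fingerprints quoted in the report, fingerprints_match(RECORD_PIN, OBSERVED_PIN) is False, which is exactly the mismatch described. The same algorithm_for() classification shows why the resolver fingerprint in the previous comment is a SHA-256 value (64 hex digits) while the record pin is SHA-1 (40), so a client pinning the API endpoint itself needs to hash with the matching algorithm before comparing.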

taoeffect commented 9 years ago

Also, since we use StartSSL for our certs on okTurtles.com, we use a unique one for each subdomain (as they do not offer free wildcard certs). So maintaining all that info in the blockchain, especially when it won't be used by 99.9% of people (yet), is something I've decided not to focus on (for now).

The good news though is that if you see a cert issued by StartSSL, you're probably not being MITM'ed.

JeremyRand commented 9 years ago

@taoeffect The primary issue with the FreeSpeechMe implementation isn't that it requires a local namecoind (that's fixable by implementing a light client that implements the namecoind API), but rather that it doesn't work on most recent releases of Firefox. There are varying opinions on how easily this is fixable, and what the best way to fix it is -- my take on this has varied over the past 6 months since Mozilla started breaking our stuff. No time estimate yet on when a fix might be ready. (I'm unhappy about this, if it isn't obvious.)

taoeffect commented 9 years ago

The primary issue with the FreeSpeechMe implementation isn't that it requires a local namecoind (that's fixable by implementing a light client that implements the namecoind API), but rather that it doesn't work on most recent releases of Firefox

I was just referring to the fact that FSM currently requires a local namecoind because there are no thin clients.

JeremyRand commented 9 years ago

Gotcha -- yes, that is currently somewhat of a usability issue with it, no argument there.

lazaroclapp commented 9 years ago

Hey, thanks for the super quick replies! Just wasn't sure if this was an issue you needed to be aware of or not, I don't really need to verify okturtles.bit with any real amount of urgency.

If you'd like to help move us there faster, let me know. :)

Actually, I was just browsing the code to get an idea of whether I could help out somewhere. Not really familiar with CoffeeScript, though, but I can probably pick it up. I'll probably just try to build it and run the tests on my machine tomorrow.

Any "start here" bugs/enhancements that you have lying around? (although keep in mind I can't guarantee I'll really have the time to do much, so if this demands a non-trivial amount of your time, don't let me slow you down ;) ).

taoeffect commented 9 years ago

Any "start here" bugs/enhancements that you have lying around? (although keep in mind I can't guarantee I'll really have the time to do much, so if this demands a non-trivial amount of your time, don't let me slow you down ;) ).

There's the list of issues, but I recommend first playing around with DNSChain and using it to do something that you need. That should show the way.

Or, if you just want something to work on, there's updating pydnschain for 0.5 (with cert-pinning), and/or creating a library in another language.