Compare commits

No commits in common. "648b9dedc5a4c94b566b9981998ef91312395526" and "7085455364ba186fe514a1b46ff64f09e7e724d4" have entirely different histories.

@ -2,7 +2,7 @@
title: Resolving Handshake Domains title: Resolving Handshake Domains
description: description:
published: 1 published: 1
date: 2024-06-19T11:45:11.714Z date: 2024-02-09T05:50:52.713Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2024-02-09T05:50:52.713Z dateCreated: 2024-02-09T05:50:52.713Z
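Review bot: the `date` field moves backwards in this hunk, from 2024-06-19T11:45:11.714Z on the left to 2024-02-09T05:50:52.713Z on the right, which is exactly the `dateCreated` value; together with the "No commits in common" banner at the top this indicates the right-hand side is the older revision, so applying the compare in this direction would drop the later edits rather than add anything. Confirm the intended direction before treating the right-hand column as the target state.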
@ -21,8 +21,8 @@ There are many methods to visit HNS websites on your computer and there are trad
### hsd full node + letsdane proxy ### hsd full node + letsdane proxy
[HSD](https://github.com/handshake-org/hsd) [hsd](https://github.com/handshake-org/hsd)
[LetsDANE](https://github.com/buffrr/letsdane) [letsdane](https://github.com/buffrr/letsdane)
> Security: HIGH > Security: HIGH
> Privacy: HIGH > Privacy: HIGH
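Review bot: the link labels change from "HSD" / "LetsDANE" to "hsd" / "letsdane", matching the repository names and the lowercase heading directly above; fine as a style fix, but the same labels appear in the link lists of the later sections as well, so the casing should be applied consistently across the page in one change rather than section by section.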
@ -31,14 +31,14 @@ There are many methods to visit HNS websites on your computer and there are trad
> Complexity: HIGH > Complexity: HIGH
{.is-info} {.is-info}
HSD is the most bullet-proof piece of Handshake software available. It verifies every single transaction and every single block against every single protocol rule we have. It has the best security practices and the best privacy. It does complete recursive domain name resolution from the HNS root zone all the way down. letsdane is the best tool available for verifying DANE and establishing HTTPS connections to websites hosted on Handshake domains. It checks all DNSSEC records served by hsd and checks the certificate offered by the web server. Every cryptographic signature is verified. If a user installs both of these on the computer they are browsing from, there is very little surface for attack: your browsing history remains private and all data transmitted and received is private and secure. hsd is the most bullet-proof piece of Handshake software available. It verifies every single transaction and every single block against every single protocol rule we have. It has the best security practices and the best privacy. It does complete recursive domain name resolution from the HNS root zone all the way down. letsdane is the best tool available for verifying DANE and establishing HTTPS connections to websites hosted on Handshake domains. It checks all DNSSEC records served by hsd and checks the certificate offered by the web server. Every cryptographic signature is verified. If a user installs both of these on the computer they are browsing from, there is very little surface for attack: your browsing history remains private and all data transmitted and received is private and secure.
### hsd SPV node / hnsd light client + letsdane proxy (Fingertip) ### hsd SPV node / hnsd light client + letsdane proxy (Fingertip)
[Fingertip](https://impervious.com/fingertip) [Fingertip](https://impervious.com/fingertip)
[HSD](https://github.com/handshake-org/hsd) [hsd](https://github.com/handshake-org/hsd)
[HNSD](https://github.com/handshake-org/hnsd) [hnsd](https://github.com/handshake-org/hnsd)
[LetsDANE](https://github.com/buffrr/letsdane) [letsdane](https://github.com/buffrr/letsdane)
> Security: HIGH > Security: HIGH
> Privacy: MEDIUM > Privacy: MEDIUM
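Review bot: only the capitalization of the opening "hsd" changes in this paragraph, but the text packs two different components and their guarantees into one block. Splitting it at "letsdane is the best tool available..." would separate what hsd provides (full block and transaction validation plus recursive resolution from the HNS root zone) from what letsdane provides (DNSSEC validation of the records and DANE verification of the server certificate), which is the distinction the rest of the page's rankings depend on.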
@ -64,8 +64,8 @@ There are available guides for [connecting Fingertip to Firefox](https://gist.gi
Beacon is a web browser that works a lot like Fingertip but is self-contained. It is convenient since it requires no setup, but inconvenient since it requires a user to abandon their current default browser. The technical mechanism is similar to Fingertip but Beacon does not do recursive name resolution, meaning it relies on external DNS-over-HTTPS servers. It leaks domain names to those servers, but still verifies all data using the blockchain data it keeps internally from hnsd. If Chrome / Safari / Brave / Opera ever adopt Handshake in a meaningful way, this method will probably be the best we can hope for. Beacon is a web browser that works a lot like Fingertip but is self-contained. It is convenient since it requires no setup, but inconvenient since it requires a user to abandon their current default browser. The technical mechanism is similar to Fingertip but Beacon does not do recursive name resolution, meaning it relies on external DNS-over-HTTPS servers. It leaks domain names to those servers, but still verifies all data using the blockchain data it keeps internally from hnsd. If Chrome / Safari / Brave / Opera ever adopt Handshake in a meaningful way, this method will probably be the best we can hope for.
### Internal HNS resolver: hsd or hnsd without letsdane proxy ### Internal HNS resolver: hsd or hnsd without letsdane proxy
[HSD](https://github.com/handshake-org/hsd) [hsd](https://github.com/handshake-org/hsd)
[HNSD](https://github.com/handshake-org/hnsd) [hnsd](https://github.com/handshake-org/hnsd)
> Security: LOW > Security: LOW
> Privacy: HIGH (hsd) / MEDIUM (hnsd) > Privacy: HIGH (hsd) / MEDIUM (hnsd)
@ -78,13 +78,11 @@ Beacon is a web browser that works a lot like Fingertip but is self-contained. I
A user can install their own HNS resolver but neglect to install the DANE verifying software. This user will be able to browse to websites hosted on HNS domain names BUT NEVER SECURELY. This user can not establish an HTTPS connection but can still "see" HNS websites, assuming the web server allows HTTP connections without requiring or enforcing security. A user can even run hsd on a server and connect to it remotely. This is technically an external resolver and will require additional security (SIG0) to ensure that the received data is authentic. A user can install their own HNS resolver but neglect to install the DANE verifying software. This user will be able to browse to websites hosted on HNS domain names BUT NEVER SECURELY. This user can not establish an HTTPS connection but can still "see" HNS websites, assuming the web server allows HTTP connections without requiring or enforcing security. A user can even run hsd on a server and connect to it remotely. This is technically an external resolver and will require additional security (SIG0) to ensure that the received data is authentic.
### External HNS resolver like HNSDoh, HDNS, NextDNS ### External HNS resolver like hdns.io, NextDNS, resolvr, HandshakeNames
[HNSDoH](https://welcome.hnsdoh.com)
[hdns.io](https://hdns.io) [hdns.io](https://hdns.io)
[NextDNS](https://nextdns.io/) [NextDNS](https://nextdns.io/)
[resolvr](https://resolvr.info/) [resolvr](https://resolvr.info/)
[HandshakeNames](https://handshakenames.com/dns-resolver) [HandshakeNames](https://handshakenames.com/dns-resolver)
[Bob Wallet Chrome Extension](https://bobwallet.io/)
> Security: LOW > Security: LOW
> Privacy: LOW > Privacy: LOW
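Review bot: the HNSDoH and Bob Wallet Chrome Extension entries (the two unpaired link lines in this hunk) disappear from the right-hand list with no stated reason, and the heading loses "HNSDoh" while adding resolvr and HandshakeNames, which already exist as links on both sides. If the newer list is the one being kept, this is the regression flagged in the frontmatter hunk; if the removal is deliberate, state why in the commit message so the entries are not simply re-added later.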
@ -93,22 +91,19 @@ A user can install their own HNS resolver but neglect to install the DANE verify
> Complexity: LOW > Complexity: LOW
{.is-info} {.is-info}
Access Handshake domains by getting DNS records from a public resolver. The most important thing to know about this method is that SOMEONE ELSE IS VERIFYING THE BLOCKCHAIN, NOT YOU. Since the blockchain is the root of all "trust" in this system, you are outsourcing absolutely everything including security and privacy. It may be possible to run a letsdane proxy in addition to these resolvers and establish a secure HTTPS connection between your browser and the web server. However, since the blockchain data is being served to you from some untrusted source we can not classify this method as truly secure. This is currently how Brave actually resolves "decentralized domain names" such as Unstoppable Domains and Ethereum Name Service. [Bob Wallet Chrome Extension](https://bobwallet.io/) is another example of this method. The most important thing to know about this method is that SOMEONE ELSE IS VERIFYING THE BLOCKCHAIN, NOT YOU. Since the blockchain is the root of all "trust" in this system, you are outsourcing absolutely everything including security and privacy. It may be possible to run a letsdane proxy in addition to these resolvers and establish a secure HTTPS connection between your browser and the web server. However, since the blockchain data is being served to you from some untrusted source we can not classify this method as truly secure. This is currently how Brave actually resolves "decentralized domain names" such as Unstoppable Domains and Ethereum Name Service.
### External proxy like hns.to ### External proxy like hns.to
[hns.to](https://hns.to) [hns.to](https://hns.to)
> Security: EXTREMELY LOW > Security: LOW
> Privacy: LOW > Privacy: LOW
> Decentralization: LOW > Decentralization: LOW
> Convenience: EXTREMELY HIGH > Convenience: EXTREMELY HIGH
> Complexity: LOW > Complexity: LOW
{.is-info} {.is-info}
Users are presented with an illusion that they can "see" websites hosted on HNS domains but really they are looking at a website hosted on legacy ICANN domain name. If there is any HTTPS security offered at all it is anchored in legacy certificate authority. The server knows the entire URL you are looking up and knows all data you send and receive to the web server. The proxy CAN ALTER DATA you send or receive to the web server, including links. This is currently how Puma browser resolves Handshake domains. This is marked as extremely low security as the proxy can view and edit any traffic. Users are presented with an illusion that they can "see" websites hosted on HNS domains but really they are looking at a website hosted on legacy ICANN domain name. If there is any HTTPS security offered at all it is anchored in legacy certificate authority. The server knows the entire URL you are looking up and knows all data you send and receive to the web server. The proxy CAN ALTER DATA you send or receive to the web server, including links. This is currently how Puma browser resolves Handshake domains.
> NEVER USE A PROXY TO ENTER PASSWORDS OR SENSITIVE INFO.
{ .is-warning }
## Features and Rankings ## Features and Rankings
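Review bot: the proxy method's Security rating changes from "EXTREMELY LOW" to "LOW" while the justifying sentence ("the proxy can view and edit any traffic") and the "NEVER USE A PROXY TO ENTER PASSWORDS OR SENSITIVE INFO" warning box are removed in the same hunk. That places the proxy on the same level as the external-resolver method, even though this paragraph itself states the proxy CAN ALTER DATA including links, a strictly worse property than a resolver handing back unverified records. The Rankings section only defines HIGH and LOW for Security, so if "EXTREMELY LOW" is being dropped for consistency, keep the warning box and the explanatory sentence; otherwise add an EXTREMELY LOW definition to the Rankings instead of deleting the distinction. Separately, the resolver paragraph loses its lead sentence "Access Handshake domains by getting DNS records from a public resolver", so on the right-hand side it now opens with "The most important thing to know about this method" before the method has been named.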
@ -116,7 +111,7 @@ Users are presented with an illusion that they can "see" websites hosted on HNS
Can you trust the authenticity of the content you see in the browser? Can you enter private, personal or sensitive data into a website? Most browsers offer a "lock" icon in the URL bar when an HTTPS connection is established, meaning the answer to both these questions is "yes". Eavesdropping on your connection is impossible and altering data to and from both you and the web server is impossible. It's important to remember that HTTPS requires proper configuration by the website and domain name owners as well. Just because you have set up the proper tools on your computer does not mean every website is secure. Can you trust the authenticity of the content you see in the browser? Can you enter private, personal or sensitive data into a website? Most browsers offer a "lock" icon in the URL bar when an HTTPS connection is established, meaning the answer to both these questions is "yes". Eavesdropping on your connection is impossible and altering data to and from both you and the web server is impossible. It's important to remember that HTTPS requires proper configuration by the website and domain name owners as well. Just because you have set up the proper tools on your computer does not mean every website is secure.
- **HIGH**: Secure HTTPS is available. Domain name has been cryptographically verified and web server identity has been cryptographically identified. - **HIGH**: Secure HTTPS is available. Domain name has been cryptographically verified and web server identity has been cryptographically identified.
- **LOW**: Secure HTTPS is not available. The chain of cryptographic verification is broken. Do not trust this content. Do not enter personal data into this website. - **LOW**: Secure HTTPS is not available. The chain of cryptographic verification is broken. Do not trust this content. Do not enter personal data into this website.
### Privacy ### Privacy
Do any other entities (besides your browser and the web server) know what websites you are visiting? Do any other entities (besides your browser and the web server) know what websites you are visiting?
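Review bot: the sentence "Eavesdropping on your connection is impossible and altering data to and from both you and the web server is impossible" (unchanged on both sides) overstates what the lock icon proves, and the paragraph's own next sentence concedes that HTTPS still depends on correct configuration by the site owner. Suggest "is prevented by a verified HTTPS connection" or similar, which lines up with the HIGH bullet below that phrases the guarantee as the domain and server identity having been cryptographically verified.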