handypedia/enable_https_on_handshake_domains.md


---
title: Enable HTTPS on Handshake domains
description: 
published: 1
date: 2024-02-09T03:56:21.216Z
tags: technical
editor: markdown
dateCreated: 2024-02-09T03:55:04.774Z
---

# Enable HTTPS on Handshake domains

DNS-based Authentication of Named Entities (DANE) is an Internet security protocol that allows X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC). TLS/SSL encryption is currently based on certificates issued by certificate authorities (CAs). Within the last few years, a number of CA providers suffered serious security breaches, allowing the issuance of certificates for well-known domains to those who don't own those domains. Trusting a large number of CAs might be a problem because any breached CA could issue a certificate for any domain name. DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs the DNS records to be signed with DNSSEC for its security model to work. Additionally, DANE allows a domain owner to specify which CA is allowed to issue certificates for a particular resource, which solves the problem of any CA being able to issue certificates for any domain. (Source: Wikipedia)

## External Guides

There are many ways of enabling HTTPS on your site with DANE depending on your technical aptitude.

Beginners can try Handout, a combination webserver and nameserver with a single-command configuration script:

These are more technical and detailed methods for advanced developers:

To create a self-signed SSL cert and compute its TLSA record (for developers already running a nameserver and webserver):

Configuring a secure webserver for both ICANN and HNS simultaneously
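The self-signed-certificate guide above ends in a TLSA record, and the computation behind that record (RFC 6698) is short enough to show in full. The following is an added example written for this page; it is not code from Handypedia or from any of the linked guides, and it needs only the Python standard library. The certificate at the bottom is a constructed, unsigned placeholder DER structure (dummy names, dummy key bytes, dummy signature) so the script runs offline; `yoursite` is a hypothetical owner name. For a real certificate, pass the bytes of `openssl x509 -in cert.pem -outform DER`, or the PEM text via `pem_to_der`.

```python
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo from an X.509 Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)                # Certificate
    tag2, pos, tbs_end = _read_tlv(cert_der, pos)       # tbsCertificate
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                                  # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)              # subjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed tbsCertificate")
    return cert_der[pos:end]


def pem_to_der(pem_text):
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """TLSA RDATA fields (RFC 6698 section 2.1): usage, selector, matching type, hex data.

    usage 3 (DANE-EE) pins the end-entity key itself, the usual choice for a
    self-signed site; selector 1 = SubjectPublicKeyInfo (the record survives
    re-issuing a certificate for the same key), 0 = whole certificate;
    matching 1 = SHA-256, 2 = SHA-512, 0 = raw data.
    """
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 1:
        data = hashlib.sha256(data).digest()
    elif matching == 2:
        data = hashlib.sha512(data).digest()
    elif matching != 0:
        raise ValueError("matching type must be 0, 1 or 2")
    return usage, selector, matching, data.hex()


def tlsa_record(owner, cert_der, port=443, proto="tcp", **kw):
    """Zone-file line, e.g. `_443._tcp.yoursite. IN TLSA 3 1 1 <hex>`."""
    u, s, m, hexdata = tlsa_rdata(cert_der, **kw)
    return f"_{port}._{proto}.{owner}. IN TLSA {u} {s} {m} {hexdata}"


# --- constructed placeholder certificate (NOT a real or signed certificate) ----

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def _seq(*parts):
    return _der(0x30, b"".join(parts))


_EC_ALG = _seq(_der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"),       # id-ecPublicKey
               _seq()[:0] + _der(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))  # prime256v1
_SIG_ALG = _seq(_der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
_NAME = _seq(_der(0x31, _seq(_der(0x06, b"\x55\x04\x03"), _der(0x0c, b"placeholder"))))

# Dummy EC point (0x04 followed by 64 bytes of 0x11): structural filler, not a key.
PLACEHOLDER_SPKI = _seq(_EC_ALG, _der(0x03, b"\x00\x04" + b"\x11" * 64))


def build_placeholder_cert(spki_der=PLACEHOLDER_SPKI, v3=True):
    """Structurally valid but unsigned Certificate DER wrapped around the given SPKI."""
    fields = [_der(0xA0, _der(0x02, b"\x02"))] if v3 else []   # [0] version (absent in v1)
    fields += [
        _der(0x02, b"\x01"),                                   # serialNumber
        _SIG_ALG,                                              # signature algorithm
        _NAME,                                                 # issuer
        _seq(_der(0x17, b"240209000000Z"), _der(0x17, b"250209000000Z")),  # validity
        _NAME,                                                 # subject
        spki_der,
    ]
    return _seq(_seq(*fields), _SIG_ALG, _der(0x03, b"\x00" * 9))   # dummy signature


if __name__ == "__main__":
    cert = build_placeholder_cert()
    for sel, mt in ((1, 1), (0, 1), (1, 2)):
        print(tlsa_record("yoursite", cert, selector=sel, matching=mt))
```

On a real setup you would generate the key and self-signed certificate with something like `openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=yoursite"`, feed `cert.pem` to `pem_to_der`, and cross-check the `3 1 1` hash against `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum`; the two must agree before the record goes into the zone. Selector 1 is preferred over 0 because renewing the certificate with the same key does not change the record, which avoids a window where DNS and the server disagree. As the introduction notes, the record only protects clients if the zone is DNSSEC-signed and the client resolves it through a DANE-aware, validating resolver.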

## Additional Guides on Creating Handshake Websites

These methods may not enforce HTTPS/DANE and may have other security or centralization issues.

## Accessing Handshake Domains Securely

See Resolving Handshake Domains

## Testing Tools for Handshake SSL