Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[IPFS] Secure connection status in browsers via DNSSEC validation #13706

Closed
RubenKelevra opened this issue Jan 21, 2021 · 1 comment
Closed

[IPFS] Secure connection status in browsers via DNSSEC validation #13706

RubenKelevra opened this issue Jan 21, 2021 · 1 comment
Labels
closed/invalid feature/web3/ipfs OS/Desktop security

Comments

@RubenKelevra
Copy link

RubenKelevra commented Jan 21, 2021
edited
Loading

Is your feature request related to a problem? Please describe.

We currently show that any content loaded via DNSLink is insecure - which is true.

Screenshot_20210121_071201

Describe the solution you'd like

It would be nice if we could check the DNSSEC signature for the DNSLink entry to make sure we load the right content before using it to load anything via IPFS.

When there's a DNSSEC signature and it's been verified we should inform the browser that the context is now secure - as we have verified that this is indeed the right content for the domain.

Alternatives

If we use plain text DNS requests and don't do any signature verification OR the domain has no DNSSEC information stored, we don't have any security for the content similar to a page that gets loaded over HTTP.

It would be nice if we could do at least secure DNS requests for any DNSLink request until DNSSEC validation has been added. But I think it's worth a discussion if we should upgrade the context to secure in the browser for this case. Maybe we could configure two endpoints for secure DNS requests and if both agree we upgrade the context - while showing that this verification was only done by secure DNS requests, not by validating the DNSSEC signature.

Brave version (brave://version info)

Brave: 1.19.86 Chromium: 88.0.4324.96 (Official Build) unknown (64-bit)
Revision: 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{# 1784}
OS: Linux

Moved from ipfs/ipfs-companion#970

CC: @lidel
This was referenced Jan 22, 2021
Closed
Open
@lidel
Copy link

lidel commented Mar 23, 2021
edited
Loading

The popup is being redesigned in #14889, so the only remaining topic here is DNSSEC, which is not a required part of DNSlink spec (because it relies on ICANN and centralized PKI, which creates a false sense of security for some use cases). If IPFS hardens DNSLink, it won't be via PKI, but we will sign /ipns/ content paths in DNSLink records using libp2p-key of publishing node (just an example, details tbd).

I think this issue can be closed.
If Brave plans to support DNSSEC check on regular web in the future and display some checkbox/indicator it will be trivial to add support the same for ipns://{fqdn} URIs.

@bbondy bbondy closed this as completed Apr 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
closed/invalid feature/web3/ipfs OS/Desktop security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lidel @diracdeltas @RubenKelevra @bbondy