Since my original critique, DNSChain has moved to claiming that their client/server model does not rely on third party trust because they think that they can get Namecoin installed into home routers and personal PlugPCs which “everyone” will configure their clients to connect back to. This is infeasible and unnecessarily ties their security model to a regressive form of third party trust.
I’ve written a more-up-to-date technical overview of okTurtles, DNSChain, and Unblock.us. While the security model for DNSChain has improved, they are still misrepresenting the security parameters of their software.
I’m leaving this here because they are still selling PlugPCs as a valid solution to eliminating third party trust from their security model.
DNSChain is essentially a DNS server which reads data from the Namecoin blockchain. It is highly duplicative of NMControl (Namecoin’s chosen middleware) with the exception that it initially focused on a pure client/server model. Any client/server model introduces third party trust, seriously degrading the trustless nature of the Nakamoto blockchain and introducing MITM attacks.
We actually don’t have a problem adding this functionality to NMControl. The problem is that DNSChain’s lead developer is claiming that DNSChain doesn’t introduce third-party trust and is “MITM Proof.” Their rationale is that if someone isn’t capable of running their own server, a friend would run one for them. This is impossible to scale and is akin to claiming that everyone would run their own email server. They tried to dodge the fact that they effectively introduced third party trust by using the term “second-party trust.”
I wrote a blog piece and pushed DNSChain to use lightweight clients instead. The author came back with a new security model which is similarly difficult to scale and effectively introduces third party trust. This post analyzes their new security model.
Home Based Servers: Unnecessary and Infeasible
DNSChain’s lead author responded with a comment giving an update to their security model, excerpted below.
The vast majority (“99%” :-P) of families in Internet-connected countries own and run their own servers (which run DNS software like BIND, etc.), and they do so without realizing they are doing it.
This is nothing out of the ordinary, and it is the model we see working for DNSChain as well. This is what we mean by trusting themselves or a “first party”. The use of the word “friend” refers to an _interim period_ before DNSChain appears on home routers.
This “friends” terminology is weasel wording and it misrepresents their security model. That’s not okay, even if it’s not a permanent part of their plan.
This modified plan involves an infeasible and insecure scheme that turns every home router into a server and the anchor of our security systems. Everyone will have to buy a PlugPC or a router with Namecoin installed which their clients can connect back to. 10% of American’s don’t have a home internet connection and the third world will likely skip out on wired internet entirely. Even if we ignore the feasibility of this plan, DNSChain still offers no improvements to usability, inter-operability, or security over lightweight resolvers.
The Namecoin development team also has aspirations for lightweight resolvers to be bundled with browsers and operating systems. The difference is that users never have to configure a client to talk to a trusted server or any kind of maintenance, it will just work. DNSChain’s client/server model will always be more complex than the equivalent scenario for a lightweight resolver:
- Effort required to manually install a lightweight resolver < effort required to maintain a DNSChain server + install and setup client software.
- Effort required to use lightweight resolver bundled with browser/operating system < effort required to configure DNSChain client software to use router that bundles DNSChain.
Even if we ignore the fact that lightweight resolvers will always be easier to use than DNSChain’s client/server model, this modified plan would never scale outside of a single percentage point of the population. Turning routers into trusted servers sounds like something cooked up by a sys-admin who thinks s/he can make server maintenance “usable”, which won’t happen.
Practically speaking, routers are not like normal servers and they certainly cannot handle a full Namecoin node. Normal routers aren’t going to accommodate a full Namecoin node, so every existing router would need to be replaced. By asserting that routers will adopt DNSChain and run a full-node Namecoin install, Greg is not just asserting that router vendors will adopt their software but also add the processing and storage capacities of a small server. Even then, home users would have to regularly increase disk capacity since the Namecoin blockchain increases in size over time, thus DNSChain’s revised plan requires lightweight resolvers anyway.
The fact of the matter is that no one is going to operate a server from their home. Residential internet connections are flaky, I have to reset my modem and router several times a year. What happens when their connections fails while the user is not at home or when a roommate bogs down the connection with a torrent? Nor does everyone have a home with a stable internet connection: rural users rely on long-haul wifi or satellite links. Furthermore, the third-world is coming online using their mobile devices, and they often lack a home router. Setting up wifi passwords is a major challenge for many users, there is no way users are going to manage the complexities of maintaining this client/server model.
Furthermore, home routers are not the bedrock we should be anchoring our security too. The market ensures that consumer routers are produced as cheaply as possible and they are rarely ever updated. Even commercial grade routers are prime targets for the NSA’s efforts to recover VPN keys. DNSChain is assuming that router manufacturers are going to start producing rock-solid routers that requires zero maintenance.
Finally, anyone without a home internet connection will need to trust someone else. The problem with DNSChain’s modified plan is that it operates under the assumption that the next generation netizens will look like the last generation. But that’s not the case, time spent on mobile internet devices has already eclipsed that of desktops. The third world is leapfrogging traditional land-line phones and going straight to cell phones, and they will likely leapfrog the first world by coming online through smartphones. Finally, some really people figured out how to take the noise out of Shannon’s information channel theorem, which means that wireless internet is about to get reall, really fast. So, even with magical routers and and 100% uptake amongst those with residential internet connections, the majority of the worlds population will need to trust someone else.
Lightweight resolvers always beat out DNSChain’s client/server model, even if the server part is magically taken care of by bundling DNSChain with home routers. That magic also requires making residential internet connections and routers rock solid, which won’t happen in a market dictated by prices. Lightweight clients are part of the magic requires to load Namecoin on routers would require, so DNSChain requires lightweight resolvers anyway. And, finally, even with all that magic, DNSChain would still render vast swaths of the population dependent upon the worst kind of third party trust.
FWIW, in a follow-up discussion on IRC, Greg was open to lightweight resolvers but skeptical of their feasibility. The problem is that building a bullet proof router and getting everyone to buy one or convincing router manufacturers to increase their build cost are two scenarios that are a few orders-of-magnitude more difficult than building advanced lightweight resolvers. I’d be happy to welcome Greg in if he wants to join us, but DNSChain is just diverting resources from projects and people who are proposing real solutions to these problems. Even then, he’s got to prove himself capable of building something that can actually work.
It’s tough to knife one’s own baby, I’m having to do that to some extent with Speech.is: the legal assumptions under which I created it two years ago just doesn’t hold up anymore and the additional effort isn’t worth it. Creating a DNS suffix with threshold DNSSEC is a better zero-install/zero-config alternative. Namecoin devs are still skeptical but that’s what BitShares wants me to help them accomplish with .p2p. But it’s just a pivot, our early plans are rarely wholly correct.