DNSChain is still pushing third party trust as being equivalent to lightweight resolvers.
This article was meant as an overview of DNSChain, but it had a lot of drama. I’ve written a more up-to-date technical overview of okTurtles, DNSChain, and Unblock.us. While the security model for DNSChain has improved, they are still misrepresenting the security parameters of their software.
Originally, DNSChain was a pure client/server solution – every client would connect to a server with a full node Namecoin install with DNSChain acting as the middleware and DNS server. Slepak (DNSChain’s lead developer) claimed that DNSChain did not require third party trust because everyone would have “friends” who would run servers on behalf of the user (which he called “second party trust”). Since 99% of the population would rely on someone else to run a server for them, this effectively broke the MITM protection offered by Namecoin, despite DNSChain’s claim of being “MITM-proof.” The Namecoin development team pointed out that this is unnecessary, as lightweight resolvers only require a few megabytes to operate locally.
Later I debunked his claims regarding 3rd party trust and knocked the original scheme down as insecure and infeasible. Slepak then started pushing the notion that everyone would have a home router as their trusted server. I knocked this updated scheme down as infeasible (10% of Americans don’t even have a home internet connection) and showed that it would loop router manufacturers into the trust base. And, again, it is totally unnecessary given that lightweight resolvers require less than 100 megabytes of local storage.
DNSChain then added two features: checking multiple DNSChain servers and public key pinning[1] (Proof-of-Transition). Slepak now claims that this is “at least as good as” lightweight resolvers. This is simply not true and demonstrates a basic ignorance of lightweight technology. Astute readers will have noticed that DNSChain has simply reinvented all of the hacks used to improve third party trust. Moxie Marlinspike was a pioneer in building systems similar to what DNSChain is proposing, such as Convergence and TACK. However, neither of Marlinspike’s projects claims to be “MITM-proof” and it’s difficult to understand how DNSChain can claim security benefits beyond what is already offered by these projects.
I have every reason to try and suck up to Slepak; he might have some funding soon and he dangled the possibility of funding Namecoin projects directly. But honest and accurate marketing of the security parameters of their software is a prerequisite for any endorsement. So I dug into okTurtles, Unblock.us.org (related projects) and checked out their website. I pointed out security flaws with okTurtles and problems with their marketing over email, such as the claim that DNSChain “fixes” HTTPS. Slepak deflected this latter criticism and said that the fully qualified claim was excessive. Slepak regularly uses this “it’s just marketing” excuse and generally doesn’t care that the plain reading of their claims doesn’t match up to reality. I agree with what Tor developer Jacob Appelbaum said of similarly misleading claims made by Ultrasurf:
“… but it is super dangerous to make that claim and we would prefer to be very conservative so that when people use the system we know what they think they’re getting, honestly and truly. That is absolutely the only way we think we will be able to ethically do this kind of thing and so it’s really important if you build or work on these systems to understand it is way better to over deliver and under promise. Because when you make a mistake or when something goes wrong, real people’s lives are really on the line and we don’t want to mislead them.”
Even if we ignore all of the security problems and their problematic behavior, DNSChain is a waste of developer time and funding. DNSChain itself is entirely duplicative of NMControl and should have just been written as a plugin for NMControl. We also need funding for lightweight clients and Namecoin core, which is the software from which DNSChain derives all of its security claims. Namecoin core needs at least one full-time engineer to make the fundamental changes needed for it to go mainstream, such as increasing domain pricing and setting renewal periods to fixed time intervals. We also need developers for the lightweight client and revamping the build system; this amounts to at least $150,000 in funding. Our estimated need for NMControl (which DNSChain essentially duplicates) is 1/10 of what we need for core engineering. DNSChain has a track record of poor security engineering and misleading marketing, and it duplicates NMControl’s functionality.
[1] In that as long as the server doesn’t lie the first time around, future lookups are safe.