TLS Positive Overrides

Firefox for GNU/Linux can be used with Namecoin for TLS positive overrides; this allows certificates for .bit domains that match the blockchain to be used without errors. Instructions:

  1. Find your Firefox profile folder; it will usually be a subfolder of $HOME/.mozilla/firefox. For example, $HOME/.mozilla/firefox/r3a8ono6.default.
  2. Make sure that your Firefox profile folder is readable and writeable by the user who is running ncdns.
  3. Add the following to ncdns.conf, substituting your Firefox profile folder for $PROFILEDIR:

    [tlsoverridefirefox]
    sync=true
    profiledir="$PROFILEDIR"
    
  4. Restart ncdns.

TLS positive overrides will only be synchronized to Firefox while Firefox is not running; this means that, every so often, you should close Firefox for a few minutes and then re-open it.

You can now visit a .bit website that supports TLS in Firefox, e.g. the Namecoin forum’s .bit domain. The website should load in Firefox without errors.

TLS Negative Overrides

Firefox for GNU/Linux can be used with Namecoin for TLS negative overrides; this prevents malicious or compromised public CAs from issuing certificates for .bit domains. Instructions:

Important warning for users of TLS intercepting proxies: these instructions will probably cause your intercepting proxy to produce an HPKP error for HTTPS websites that use HPKP. Right now, Namecoin TLS negative overrides for Firefox are not compatible with TLS intercepting proxies that try to intercept HPKP-enabled websites. If you haven’t deliberately installed a TLS intercepting proxy, or if you don’t know what a TLS intercepting proxy is, you can probably ignore this warning.

Note: Installing Namecoin TLS negative overrides for Firefox might cause previously-unnoticed attacks against you, e.g. from malicious surveillance infrastructure, to produce visible errors (even if those attacks are trying to intercept non-Namecoin connections).

  1. Go to about:config in Firefox.
  2. Search for security.cert_pinning.enforcement_level.
  3. Double-click the security.cert_pinning.enforcement_level preference.
  4. Enter 2 and click OK.
  5. Search for security.cert_pinning.process_headers_from_non_builtin_roots.
  6. Double-click the security.cert_pinning.process_headers_from_non_builtin_roots preference until the Value column says true.
  7. Close the about:config tab in Firefox.
  8. Restart Firefox.
  9. Create a temporary directory; make sure that it is only readable/writable by a user whom you trust with access to the Firefox certificate database. Note its path; make sure you use forward-slashes instead of backslashes, and leave off the trailing slash.
  10. Find your NSS directory; it will usually be a subdirectory of $HOME/.mozilla/firefox. For example, $HOME/.mozilla/firefox/r3a8ono6.default. Make sure you use forward-slashes instead of backslashes, and leave off the trailing slash.
  11. Run the following, substituting the temporary directory and NSS directory for $TEMP_DIR and $NSS_DIR:

    ./tlsrestrict_nss_tool --tlsrestrict.nss-temp-db-dir="$TEMP_DIR" --tlsrestrict.nss-dest-db-dir="$NSS_DIR"
    
  12. Wait a few minutes for tlsrestrict_nss_tool to finish running.

You’ll need to rerun the above tlsrestrict_nss_tool command whenever the built-in certificate list is updated. You won’t need to redo the about:config steps, though.
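The profile-discovery step that both the positive-override and negative-override procedures above depend on, as an added shell example (not ncdns code): it locates the default profile in profiles.ini, prints the [tlsoverridefirefox] section for ncdns.conf, and confirms from the profile's prefs.js that the two cert-pinning preferences are set. The sample profile files are constructed inline; the script assumes Firefox's usual profiles.ini and prefs.js formats.

```shell
#!/bin/sh
# Added example, not part of ncdns or the original page. Assumes the usual
# profiles.ini / prefs.js formats. Newer Firefox versions may also choose the
# default profile via an [Install...] section, which this script does not read.

# firefox_profile_dir BASE: print the profile flagged Default=1 in BASE/profiles.ini.
firefox_profile_dir() {
    awk -F= -v base="$1" '
        function flush() { if (def != "1") return; if (rel == "1") print base "/" path; else print path }
        /^\[/              { flush(); path = ""; def = ""; rel = "1" }
        $1 == "Path"       { path = $2 }
        $1 == "IsRelative" { rel = $2 }
        $1 == "Default"    { def = $2 }
        END                { flush() }
    ' "$1/profiles.ini"
}

# ncdns_override_section PROFILEDIR: the section to add to ncdns.conf.
ncdns_override_section() {
    printf '[tlsoverridefirefox]\nsync=true\nprofiledir="%s"\n' "$1"
}

# pref_value PREFS_FILE NAME: print the value Firefox stored for NAME, if any.
# prefs.js is only rewritten when Firefox exits, so check with Firefox closed.
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1"
}

# check_pinning_prefs PROFILEDIR: succeed only if both pinning prefs are set as required.
check_pinning_prefs() {
    prefs="$1/prefs.js"
    [ -f "$prefs" ] || return 1
    [ "$(pref_value "$prefs" security.cert_pinning.enforcement_level)" = 2 ] || return 1
    [ "$(pref_value "$prefs" security.cert_pinning.process_headers_from_non_builtin_roots)" = true ]
}

# Constructed sample profile tree standing in for $HOME/.mozilla/firefox.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/r3a8ono6.default" "$SAMPLE/abcd1234.dev-edition"
printf '[General]\nStartWithLastProfile=1\n\n[Profile0]\nName=dev\nIsRelative=1\nPath=abcd1234.dev-edition\n\n[Profile1]\nName=default\nIsRelative=1\nPath=r3a8ono6.default\nDefault=1\n' > "$SAMPLE/profiles.ini"
printf 'user_pref("security.cert_pinning.enforcement_level", 2);\nuser_pref("security.cert_pinning.process_headers_from_non_builtin_roots", true);\n' > "$SAMPLE/r3a8ono6.default/prefs.js"

PROFILE=$(firefox_profile_dir "$SAMPLE")
ncdns_override_section "$PROFILE"
check_pinning_prefs "$PROFILE" && echo "pinning prefs OK" || echo "pinning prefs NOT set"
```

Point the script at your real $HOME/.mozilla/firefox (with Firefox closed) to get the section to paste into ncdns.conf and to confirm the about:config steps took effect.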

If you’ve manually imported any non-built-in TLS trust anchors to Firefox, and you want to restrict them from intercepting .bit traffic, you should do the following for each such trust anchor:

  1. Get a DER-encoded certificate of the trust anchor.
  2. Run the following, substituting the path to your trust anchor certificate for $CERT_PATH:

    ./cross_sign_name_constraint_tool --cert.input-root-ca-path="$CERT_PATH"
    
  3. Three new certificates will be created: root.crt, intermediate.crt, and cross-signed.crt.
  4. Delete the existing trust anchor from Firefox.
  5. Import root.crt into Firefox; mark it as a trusted TLS root CA.
  6. Import intermediate.crt and cross-signed.crt into Firefox; do not mark them as trusted.

If you decide later that you want to remove the negative overrides from Firefox, follow these instructions:

  1. Run the following:

    ./tlsrestrict_nss_tool --tlsrestrict.nss-temp-db-dir="$TEMP_DIR" --tlsrestrict.nss-dest-db-dir="$NSS_DIR" --tlsrestrict.undo
    
  2. Wait a few minutes for tlsrestrict_nss_tool to finish running.
  3. If you want to restore compatibility with TLS intercepting proxies, follow these steps. If you don’t want to use a TLS intercepting proxy, or if you don’t know what a TLS intercepting proxy is, you probably don’t need to do this.
    1. Go to about:config in Firefox.
    2. Search for security.cert_pinning.enforcement_level.
    3. Right-click the security.cert_pinning.enforcement_level preference.
    4. Click Reset.
    5. Search for security.cert_pinning.process_headers_from_non_builtin_roots.
    6. Right-click the security.cert_pinning.process_headers_from_non_builtin_roots preference.
    7. Click Reset.
    8. Close the about:config tab in Firefox.
    9. Restart Firefox.

Screenshot

If a .bit HTTPS website uses a CA-signed certificate that doesn’t match the Namecoin blockchain, an error like this will be displayed:

start.fedoraproject.org uses an invalid security certificate.  The certificate is not trusted because the issuer certificate is unknown.  The server might not be sending the appropriate intermediate certificates.  An additional root certificate may need to be imported.

Strict Transport Security

Firefox for GNU/Linux can be used with Namecoin for Strict Transport Security; this improves security against sslstrip-style attacks by forcing HTTPS to be used for .bit domains that support HTTPS. Instructions:

  1. Install ncdns.
  2. Download and extract the DNSSEC-HSTS Native Component from the Beta Downloads page.
  3. Install the DNSSEC-HSTS Native Component like this:

    sudo cp ./org.namecoin.dnssec_hsts.json /usr/lib64/mozilla/native-messaging-hosts/
    sudo cp ./dnssec_hsts /usr/bin/
    
  4. Download the DNSSEC-HSTS WebExtensions Component from the Beta Downloads page.
  5. Install the DNSSEC-HSTS WebExtensions Component like this:

    unzip -d ./dnssec-hsts ./dnssec-hsts-*.xpi
    sudo rm -rf /usr/share/webext/dnssec-hsts/
    sudo cp -a ./dnssec-hsts /usr/share/webext/dnssec-hsts
    sudo ln -s -T /usr/share/webext/dnssec-hsts "/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/dnssec-hsts"
    

You may need to restart Firefox. You may need to enable DNSSEC-HSTS in the Firefox Addons dialog.

.bit domains that support HTTPS will now automatically redirect from HTTP to HTTPS in Firefox.