How does blockchain help in DNS
The job of certificate authorities (CAs) is to confirm that the connection to a server is secure and that the SSL certificate issued to a given site is legitimate. Each CA may delegate certificate verification to other organizations, but browser users have no way to check how trustworthy a particular CA is or whether it follows the security requirements of the CA/Browser Forum.
If a CA is compromised, this opens the door to MITM attacks. It has already happened: in 2011, Iranian hackers fraudulently issued more than 500 SSL certificates through the DigiNotar certificate authority, among them certificates for Mozilla, Google and other companies. For about a month the attackers intercepted the traffic of 300 thousand users.
Some IT experts are also uneasy that a single corporation, ICANN, manages the cryptographic keys of the DNS root zone. It acts as a monopolist and dictates its own terms: which top-level domain names (TLDs) will be registered and how much they will cost. Applying for a new TLD, for example, costs 185 thousand dollars.
In an attempt to solve the problem of trust in certificate authorities and to decentralize the root zone, Namebase engineers began working on an alternative way of organizing DNS. They proposed replacing the root servers with the Handshake blockchain network.
How it works
The blockchain acts as the store for the root-zone file with domain information. The data is protected across the distributed network by a proof-of-work algorithm, as in Bitcoin. To register a domain, a user sends a corresponding request to the blockchain; here is what it looks like for example.com:
$ hsw-rpc createclaim example
{
  "name": "example",
  "target": "example.com.",
  "value": 1133761643,
  "size": 3583,
  "fee": 17900,
  "address": "ts1qd6u7vhu084494kf9cejkp4qel69vsk82takamu",
  "txt": "hns-testnet:aakbvmygsp7rrhmsauhwlnwx6srd5m2v4m3p3eidadl5yn2f"
}
Among other things, the request specifies the site name, the domain name and the amount the user is willing to pay the miners for recording the entry in the blockchain. Payment is made in HNS utility tokens. Once mining completes (it takes from 5 to 20 minutes), the system grants the owner rights to the domain. The webmaster also receives a key with which to sign records themselves. This approach makes it possible to do without classic certificate authorities.
HNS tokens are also used when a domain is sold. The transaction takes the form of an open auction: the name goes to the user who placed the highest bid. To prevent cybersquatting, the Handshake developers have already reserved on the blockchain the domain names of the first 100 thousand sites in the Alexa ranking. Their real owners can migrate to the blockchain network at any time and even receive a reward for doing so.
Opinions
According to the authors of Handshake, the capabilities of their platform were evaluated positively by Vinton Cerf, one of the developers of the TCP/IP protocol stack. A year earlier he himself had proposed implementing a solution that would increase confidence in certificate authorities. The IT community as a whole has also supported the idea of a distributed root DNS system, if only because it opens up some interesting possibilities.
Handshake allows IP addresses to be associated with new TLDs and a top-level domain to be used as a complete name: for example, reaching "namebase.io" by typing "namebase" in the address bar. Some Hacker News commenters doubt the feature will be popular, though: a site address without a dot looks unusual and confuses users.
It was also noted on HN that projects like Handshake have been launched before, namely Namecoin and ENS, and neither gained wide adoption. Four years ago, of the 120 thousand domain names registered in the Namecoin database, only 28 were active. Some believe the same fate awaits Handshake.
Namebase engineers counter that, unlike its predecessors, their platform does not compete with the traditional domain name system but is compatible with it. If a user enters the address of one of the 100 thousand most popular sites whose owner has not registered on the blockchain network, the software redirects the request to the classic DNS servers.
The developers intend to keep their decentralized system transparent and fully compatible with ICANN protocols. Whether Handshake has a future depends on whether large companies want to switch to an alternative DNS solution.
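The resolution policy described above (reserved names fall back to classic DNS until their owner claims them on the chain, while claimed names and new TLDs are answered from the chain) as an added toy model. This is example code written for this page, not Handshake or Namebase code; the reserved-name set, the name rule, the minimum fee and the "target must sit under the reserved name" check are constructed assumptions.

```python
import re

# Constructed stand-in for the ~100k reserved names the article mentions
# (existing TLDs such as "com" are also treated as reserved here).
RESERVED_NAMES = {"example", "google", "mozilla", "com", "org"}

# Simplified name rule (illustrative, not Handshake's exact validator):
# lowercase letters, digits and hyphens, no leading/trailing hyphen, <= 63 chars.
NAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

class ToyRoot:
    """Toy model of the on-chain root zone: which names have been claimed."""

    def __init__(self):
        self.claimed = {}   # name -> target zone, e.g. "example" -> "example.com."

    def claim(self, name, target, fee, min_fee=1000):
        # Mirrors the fields of the article's createclaim request (name, target, fee).
        # Assumed rule: a reserved name may only be claimed with a target that is
        # the name itself under a classic TLD, so a stranger cannot take "example".
        if not NAME_RE.match(name) or fee < min_fee:
            return False
        if name in self.claimed:
            return False
        if name in RESERVED_NAMES and not target.startswith(name + "."):
            return False
        self.claimed[name] = target
        return True

def route(root, hostname):
    """Decide where a lookup goes: 'handshake', 'icann' or 'nxdomain'.

    The rightmost label is the TLD; a dotless name such as "namebase" is
    therefore its own TLD and is answered from the chain once claimed.
    """
    tld = hostname.rstrip(".").lower().split(".")[-1]
    if tld in root.claimed:
        return "handshake"    # migrated owner or newly registered TLD
    if tld in RESERVED_NAMES:
        return "icann"        # reserved but unclaimed: fall back to classic DNS
    return "nxdomain"         # unknown TLD with nothing on the chain
```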