TLS for Chromium on GNU/Linux

TLS Positive Overrides

Chromium for GNU/Linux can be used with Namecoin for TLS positive overrides; this allows certificates for .bit domains that match the blockchain to be used without errors. Instructions:

1. Create a certificate storage directory for ncdns. Make sure that it is only readable and writeable by the user running ncdns.
2. Run echo "$HOME/.pki/nssdb" and note the output; this is your NSS database directory.

3. Add the following to your ncdns.conf. Substitute the certificate storage directory you created above for $CERTDIR, and substitute the NSS database directory that you found above for $NSSDBDIR.

   [certstore]
   
   nss=true
   nsscertdir="$CERTDIR"
   nssdbdir="$NSSDBDIR"
   

4. Restart ncdns.

You can now visit in Chromium a .bit website that supports TLS, e.g. the Namecoin forum’s .bit domain. The website should load in Chromium without errors, like in this screenshot:

TLS Negative Overrides (Method A)

Chromium for GNU/Linux can be used with Namecoin for TLS negative overrides; this prevents malicious or compromised public CA’s from issuing certificates for .bit domains. Instructions:

1. Exit Chromium.

2. Run the following, and note the output:

   ls $HOME/.config/chromium/*/TransportSecurity
   

3. For each TransportSecurity file that you found above, run the following, substituting the full path of the TransportSecurity file for $TS_PATH:

   ./tlsrestrict_chromium_tool --tlsrestrict.chromium-ts-path=$TS_PATH
   

4. You can now re-launch Chromium.

TLS Negative Overrides (Method B)

Chromium for GNU/Linux can be used with Namecoin for TLS negative overrides; this prevents malicious or compromised public CA’s from issuing certificates for .bit domains. Instructions:

1. Create a temporary directory; make sure that it only is readable/writeable by a user whom you trust with access to the Chromium certificate database. Note its path; make sure you use forward-slashes instead of backslashes, and leave off the trailing slash.

2. Run the following, substituting the temporary directory for $TEMP_DIR:

   ./tlsrestrict_nss_tool --tlsrestrict.nss-temp-db-dir="$TEMP_DIR" --tlsrestrict.nss-dest-db-dir="$HOME/.pki/nssdb"
   

3. Wait a few minutes for tlsrestrict_nss_tool to finish running.

You’ll need to rerun the above tlsrestrict_nss_tool command whenever the built-in certificate list is updated.

If you’ve manually imported any non-built-in TLS trust anchors to Chromium, and you want to restrict them from intercepting .bit traffic, you should do the following for each such trust anchor:

1. Get a DER-encoded certificate of the trust anchor.

2. Run the following, substituing the path to your trust anchor certificate for $CERT_PATH:

   ./cross_sign_name_constraint_tool --cert.input-root-ca-path="$CERT_PATH"
   

3. 3 new certificates will be created: root.crt, intermediate.crt, and cross-signed.crt.
4. Delete the existing trust anchor from Chromium.
5. Import root.crt into Chromium; mark it as a trusted TLS root CA.
6. Import intermediate.crt and cross-signed.crt into Chromium; do not mark them as trusted.

If you decide later that you want to remove the negative overrides from Chromium, follow these instructions:

1. Run the following:

   ./tlsrestrict_nss_tool --tlsrestrict.nss-temp-db-dir="$TEMP_DIR" --tlsrestrict.nss-dest-db-dir="$HOME/.pki/nssdb" --tlsrestrict.undo
   

2. Wait a few minutes for tlsrestrict_nss_tool to finish running.

Screenshot

If a .bit HTTPS website uses a CA-signed certificate that doesn’t match the Namecoin blockchain, an error like this will be displayed: