TLS Positive and Negative Overrides

Tor Browser for macOS can be used with Namecoin for TLS positive and negative overrides; this allows certificates for .bit domains that match the blockchain to be used without errors, and prevents malicious or compromised public CA’s from issuing certificates for .bit domains. Instructions:

  1. Install ncdns.
  2. On a GNU/Linux system, build certdehydrate-dane-rest-api and ncp11 from source, like this:

    git clone https://github.com/namecoin/ncdns-repro.git
    cd ncdns-repro
    make submodule-update
    ./rbm/rbm build certdehydrate-dane-rest-api --target release --target ncdns-osx-x86_64
    ./rbm/rbm build ncp11 --target release --target ncdns-osx-x86_64
    
  3. The certdehydrate-dane-rest-api binary will be a .tar.gz file in ./out/certdehydrate-dane-rest-api/.
  4. The ncp11 binary will be a .tar.gz file in ./out/ncp11/.
  5. Extract certdehydrate-dane-rest-api from the certdehydrate-dane-rest-api .tar.gz file and copy it to your macOS system where Tor Browser will be used.
  6. Extract libncp11.dylib from the ncp11 .tar.gz file and copy it to your macOS system where Tor Browser will be used.
  7. Create a text file called certdehydrate-dane-rest-api.conf in the same directory where certdehydrate-dane-rest-api is, and fill it with the following contents (if ncdns is listening on a different IP or port, change the following accordingly):

    [certdehydrate-dane-rest-api]
    nameserver="127.0.0.1"
    port="5391"
    
  8. Run certdehydrate-dane-rest-api.
  9. If you want to test certdehydrate-dane-rest-api, try visiting http://127.0.0.1:8080/lookup?domain=ca-test.bit in a web browser. You should see a certificate. If you instead get an error or an empty page, something is wrong.
  10. Make sure Tor Browser is installed.
  11. Make sure Tor Browser is already configured to use Namecoin for Tor name resolution.
  12. Make sure Tor Browser is shut down.
  13. In Tor Browser’s Browser folder, rename libnssckbi.dylib to libnssckbi-namecoin-target.dylib.
  14. Copy libncp11.dylib to Tor Browser’s Browser folder.
  15. In Tor Browser’s Browser folder, rename libncp11.dylib to libnssckbi.dylib.

You can now visit in Tor Browser a .bit website that supports TLS, e.g. the ncp11 test page. The website should load in Tor Browser without errors. Note that only CA trust anchors are accepted; end-entity trust anchors are not accepted. This means that some older .bit domains will have their certificates rejected in Tor Browser. We are working on contacting the affected .bit domain owners to ask them to upgrade their setup.