TLS for Tor Browser on Windows (64-bit)
TLS Positive and Negative Overrides
Tor Browser for Windows can be used with Namecoin for TLS positive and negative overrides. The positive override lets the certificate of a .bit site be accepted without errors when it matches the certificate data published in the blockchain; the negative override rejects certificates for .bit domains issued by public CAs, so a malicious or compromised public CA cannot produce a .bit certificate that Tor Browser will accept. Instructions:
- Install ncdns.
- On a GNU/Linux system, build certdehydrate-dane-rest-api and ncp11 from source, like this:

    git clone https://github.com/namecoin/ncdns-repro.git
    cd ncdns-repro
    make submodule-update
    ./rbm/rbm build certdehydrate-dane-rest-api --target release --target ncdns-windows-x86_64
    ./rbm/rbm build ncp11 --target release --target ncdns-windows-x86_64

- The certdehydrate-dane-rest-api binary will be a .tar.gz file in ./out/certdehydrate-dane-rest-api/.
- The ncp11 binary will be a .tar.gz file in ./out/ncp11/.
- Extract certdehydrate-dane-rest-api.exe from the certdehydrate-dane-rest-api .tar.gz file and copy it to the Windows system where Tor Browser will be used.
- Extract ncp11.dll from the ncp11 .tar.gz file and copy it to the Windows system where Tor Browser will be used.
- Create a text file called certdehydrate-dane-rest-api.conf in the same directory as certdehydrate-dane-rest-api.exe, with the following contents (if ncdns is listening on a different IP or port, change them accordingly):

    [certdehydrate-dane-rest-api]
    nameserver="127.0.0.1"
    port="5391"

- Run certdehydrate-dane-rest-api.exe.
- To test certdehydrate-dane-rest-api, visit http://127.0.0.1:8080/lookup?domain=ca-test.bit in a web browser. You should see a certificate. If you instead get an error or an empty page, something is wrong: check that certdehydrate-dane-rest-api is running and that ncdns is reachable at the address in the config file.
- Make sure Tor Browser is installed.
- Make sure Tor Browser is already configured to use Namecoin for Tor name resolution.
- Make sure Tor Browser is shut down.
- In Tor Browser's Browser folder, rename nssckbi.dll to nssckbi-namecoin-target.dll. Keep this renamed file; restoring it is how you undo the installation.
- Copy ncp11.dll to Tor Browser's Browser folder.
- In Tor Browser's Browser folder, rename ncp11.dll to nssckbi.dll.
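The following PowerShell script is an added example, not part of the Namecoin documentation or the ncp11 project. It performs the Windows-side steps above in one go: it writes the certdehydrate-dane-rest-api config, starts the REST API, performs the same ca-test.bit lookup check, verifies that nothing is running from Tor Browser's Browser folder, and then swaps ncp11.dll in as nssckbi.dll while keeping the original as nssckbi-namecoin-target.dll; `-Uninstall` reverses the swap. The two directory paths are assumptions chosen for illustration, and the prerequisite steps (installing ncdns, configuring Tor Browser for Namecoin name resolution) are not covered.

```powershell
# Added example, not part of the Namecoin documentation or the ncp11 project.
# Performs the Windows-side steps of the instructions above.
# ASSUMPTIONS: $TorBrowserDir and $ToolDir are example paths; adjust for your system.
param(
    [string]$TorBrowserDir = "$env:USERPROFILE\Desktop\Tor Browser",
    [string]$ToolDir       = "$env:USERPROFILE\namecoin-tls",
    [switch]$Uninstall
)

$ErrorActionPreference = 'Stop'

$BrowserDir    = Join-Path $TorBrowserDir 'Browser'
$Nssckbi       = Join-Path $BrowserDir 'nssckbi.dll'
$NssckbiTarget = Join-Path $BrowserDir 'nssckbi-namecoin-target.dll'
$Ncp11Dll      = Join-Path $ToolDir 'ncp11.dll'
$RestApiExe    = Join-Path $ToolDir 'certdehydrate-dane-rest-api.exe'
$RestApiConf   = Join-Path $ToolDir 'certdehydrate-dane-rest-api.conf'

function Assert-TorBrowserStopped {
    # Refuse to modify the Browser folder while any process is running from it.
    $running = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and $_.Path.StartsWith($BrowserDir, [System.StringComparison]::OrdinalIgnoreCase)
    }
    if ($running) {
        throw "Tor Browser is running (PID $($running.Id -join ', ')); shut it down first."
    }
}

function Start-RestApiAndCheck {
    # ncdns address from the instructions; change it if ncdns listens elsewhere.
    @"
[certdehydrate-dane-rest-api]
nameserver="127.0.0.1"
port="5391"
"@ | Set-Content -Path $RestApiConf -Encoding ASCII

    Start-Process -FilePath $RestApiExe -WorkingDirectory $ToolDir
    Start-Sleep -Seconds 2

    # Same check as the instructions: the lookup must return a non-empty body.
    # Invoke-WebRequest throws on an HTTP error status, which also fails the check.
    $resp = Invoke-WebRequest -UseBasicParsing -Uri 'http://127.0.0.1:8080/lookup?domain=ca-test.bit'
    if ([string]::IsNullOrWhiteSpace($resp.Content)) {
        throw 'Lookup returned an empty page; check that ncdns is reachable at 127.0.0.1:5391.'
    }
    Write-Host "Lookup for ca-test.bit returned $($resp.Content.Length) bytes"
}

function Install-Ncp11 {
    if (-not (Test-Path $Nssckbi))  { throw "nssckbi.dll not found in $BrowserDir" }
    if (-not (Test-Path $Ncp11Dll)) { throw "ncp11.dll not found in $ToolDir" }
    if (Test-Path $NssckbiTarget) {
        throw "$NssckbiTarget already exists; ncp11 seems to be installed. Use -Uninstall to revert."
    }
    Assert-TorBrowserStopped
    # Keep the original module under the name from the instructions; it is the rollback path.
    Rename-Item -Path $Nssckbi -NewName 'nssckbi-namecoin-target.dll'
    # Copying directly to nssckbi.dll equals the copy-then-rename in the instructions.
    Copy-Item -Path $Ncp11Dll -Destination $Nssckbi
    Write-Host "ncp11 installed as $Nssckbi"
}

function Uninstall-Ncp11 {
    if (-not (Test-Path $NssckbiTarget)) { throw "No $NssckbiTarget to restore; nothing to undo." }
    Assert-TorBrowserStopped
    Remove-Item -Path $Nssckbi
    Rename-Item -Path $NssckbiTarget -NewName 'nssckbi.dll'
    Write-Host 'Original nssckbi.dll restored'
}

if ($Uninstall) {
    Uninstall-Ncp11
} else {
    Start-RestApiAndCheck
    Install-Ncp11
}
```

Run it as `.\install-ncp11.ps1 -TorBrowserDir 'D:\Tor Browser' -ToolDir 'D:\namecoin-tls'` after copying the two extracted binaries into the tool directory, and `.\install-ncp11.ps1 -Uninstall` to put the original nssckbi.dll back. The running-process check looks at the executable path rather than a process name, so a separately installed Firefox does not block the install, while a still-running Tor Browser does.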
You can now visit a .bit website that supports TLS in Tor Browser, e.g. the ncp11 test page; it should load without certificate errors. Note that only CA trust anchors are accepted: a .bit domain whose blockchain record publishes an end-entity certificate as its trust anchor will have its certificate rejected in Tor Browser. This affects some older .bit domains; we are contacting the affected domain owners to ask them to upgrade their setup. Also note that a Tor Browser update may replace the files in the Browser folder; if .bit sites stop loading over TLS after an update, repeat the last three installation steps.