TLS for Tor Browser on GNU/Linux

TLS Positive and Negative Overrides

Tor Browser for GNU/Linux can be used with Namecoin for TLS positive and negative overrides; this allows certificates for .bit domains that match the blockchain to be used without errors, and prevents malicious or compromised public CA’s from issuing certificates for .bit domains. Instructions:

1. Install ncdns.
2. Download and extract certdehydrate-dane-rest-api and ncp11 from the Beta Downloads page.

3. Create a text file called certdehydrate_dane_rest_api.conf in the same directory where certdehydrate-dane-rest-api is, and fill it with the following contents (if ncdns is listening on a different IP or port, change the following accordingly):

   [certdehydrate-dane-rest-api]
   nameserver="127.0.0.1"
   port="5391"
   

4. Run certdehydrate-dane-rest-api.
5. If you want to test certdehydrate-dane-rest-api, try visiting http://127.0.0.1:8080/lookup?domain=ca-test.bit in a web browser. You should see a certificate. If you instead get an error or an empty page, something is wrong.
6. Make sure Tor Browser is installed.
7. Make sure Tor Browser is already configured to use Namecoin for Tor name resolution.
8. Make sure Tor Browser is shut down.
9. In Tor Browser’s Browser folder, rename libnssckbi.so to libnssckbi-namecoin-target.so.
10. Copy libncp11.so to Tor Browser’s Browser folder.
11. In Tor Browser’s Browser folder, rename libncp11.so to libnssckbi.so.

You can now visit in Tor Browser a .bit website that supports TLS, e.g. the ncp11 test page. The website should load in Tor Browser without errors. Note that only CA trust anchors are accepted; end-entity trust anchors are not accepted. This means that some older .bit domains will have their certificates rejected in Tor Browser. We are working on contacting the affected .bit domain owners to ask them to upgrade their setup.

Strict Transport Security

Tor Browser for GNU/Linux can be used with Namecoin for Strict Transport Security; this improves security against sslstrip-style attacks by forcing HTTPS to be used for .bit domains that support HTTPS. Instructions:

1. Install ncdns.
2. Download and extract the DNSSEC-HSTS Native Component from the Beta Downloads page.

3. Install the DNSSEC-HSTS Native Component like this (substitute your Tor Browser directory):

   sudo mkdir -p tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/
   sudo cp ./org.namecoin.dnssec_hsts.json tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/
   sudo cp ./dnssec_hsts /usr/bin/
   

4. Go to about:config in Tor Browser.
5. Search for xpinstall.signatures.required.
6. If the Value column says true, double-click it to turn it to false.
7. Close the about:config tab in Tor Browser.
8. Restart Tor Browser.
9. Download the DNSSEC-HSTS WebExtensions Component from the Beta Downloads page.
10. Open the DNSSEC-HSTS .xpi file in Tor Browser, and accept the extension installation dialog.

.bit domains that support HTTPS will now automatically redirect from HTTP to HTTPS in Tor Browser.