TLS Positive and Negative Overrides

Tor Browser for Windows can be used with Namecoin for TLS positive and negative overrides; this allows certificates for .bit domains that match the blockchain to be used without errors, and prevents malicious or compromised public CA’s from issuing certificates for .bit domains. Instructions:

  1. Install ncdns.
  2. Download and extract certdehydrate-dane-rest-api and ncp11 from the Beta Downloads page.
  3. Create a text file called certdehydrate_dane_rest_api.conf in the same directory where certdehydrate-dane-rest-api.exe is, and fill it with the following contents (if ncdns is listening on a different IP or port, change the following accordingly):

    [certdehydrate-dane-rest-api]
    nameserver="127.0.0.1"
    port="5391"
    
  4. Run certdehydrate-dane-rest-api.exe.
  5. If you want to test certdehydrate-dane-rest-api, try visiting http://127.0.0.1:8080/lookup?domain=ca-test.bit in a web browser. You should see a certificate. If you instead get an error or an empty page, something is wrong.
  6. Make sure Tor Browser is installed.
  7. Make sure Tor Browser is already configured to use Namecoin for Tor name resolution.
  8. Make sure Tor Browser is shut down.
  9. In Tor Browser’s Browser folder, rename nssckbi.dll to nssckbi-namecoin-target.dll.
  10. Copy ncp11.dll to Tor Browser’s Browser folder.
  11. In Tor Browser’s Browser folder, rename ncp11.dll to nssckbi.dll.

You can now visit in Tor Browser a .bit website that supports TLS, e.g. the ncp11 test page. The website should load in Tor Browser without errors. Note that only CA trust anchors are accepted; end-entity trust anchors are not accepted. This means that some older .bit domains will have their certificates rejected in Tor Browser. We are working on contacting the affected .bit domain owners to ask them to upgrade their setup.