DANE Security in Handshake
No Business Without Security
All right. So this is video two, I'd say on the sky blue channel with Matt, we have Matt Zipkin, he's really awesome guy behind the scenes. A lot of the groups and making sure the protocol is moving along well and handshake. And Andy has given a lot of presentations and sharings in, in various forms. So thanks for coming back on.
And, and the bearing with me is, and some of the not so technical people probably tuning into. Yeah, thanks for having me, Mike. I think this is going to be a great conversation. I do love talking to you. Yeah. It's early in the morning here where I am and it's late in the night where you are. Putting this together, we're making it work.
And I got the ledger too. Nice. Yeah. If the clear one, which is a new thing that ledger does, so you can look at it and see if somebody has inserted malicious hardware, but I'm glad you got that. And we're able to that's important. Made it into China, through the firewalls, physical and online. So today's topic is Dane, D a N E, which is about security.
And there's a few different, you know, we don't have a format, really strong structure today's outline, but basically I think more of a 1 0 1 for a marketer, like a. Some people are saying, like, why can't we just get this resolve on browsers? You know, just get the names to resolve, you know, even right now, there is nature to that too.
I think he can't use SSL with that. Or others, you know, there's other solutions, but there's, it's, it's, it's challenging in handshake to have the SSL and maybe even saying the wrong words, terminology can't because there's ACPS as, as Al I know there's Dean and I, I don't know if they're related or not, but I think I, in my brain are categorized under the same concept of security on the web.
Yeah. Yeah. And, and I'm gonna, I'm going to put a disclaimer in here too, that I am also a student of all these technologies. I've only been learning about them for the last couple of years is as I work on handshake and there's other people in the community that know more about the technical details than I do.
So I think you and I should have a conversation with some sort of general concepts. And if people want to, people should, should take this conversation with a grain of salt. Maybe I say TLS when, I mean, SSS. You know, those kinds of things, look it up and make sure you get the details. Right. But you and I can talk about the concepts today.
I think that'll work out well. Yeah, no slides today and no, no screens. So it's trying to keep it simple. But I think before we dive into it, like, I know you're, you're all, you've been really. Pretty much transparently that you're, you're, you're willing to be a little bit difficult on them. You want to have, we want to have security, not just adoption with, without security.
We want to ensure that it's secure browsing. We don't want to allow us to have hackers or spammers to, to infiltrate this handshake network. Right. We want to maintain security. I believe Dane is wondering ways of doing that. Right. Yeah. So, so Dane stands for, I think domain authentication of named entities.
It's like, okay, what does that mean? And so it's mentioned in the white paper, and one thing I'll say about handshake on the founders is I'm not sure if I heard this from one of the founders explicitly or just like through conversation, but I think the original goal of inventing handshake was to replace certificate authorities.
And the DNS stuff was like, there's there means to that end. So we all think of handshake as a decentralized route zones. Probably the first thing you tell people about handshake is that it's a, it's a naming system is for DNS. And I think that that ironically, actually that's a, it's a means to an end.
What handshake really is, is an attempt to replace certificate authorities. And to do that, we need our own naming system because that's how certificate. Yeah. So I'll try to S you know, so it's two parts. Yeah. Like we all talk about the root zone and I can't, everybody thinks like, down with ICANN, whatever, like, we don't need the central authority controlling the namespace, but there's a second level, which a lot of people don't know about is the CA certificate authorities, which.
You know, if even CloudFlare, you click a cloud for him, pays a certificate authority, right? If you go on these sites and you click on that lock on the site and you know, it's used most sites now are have that lock next to it. You click the certificate button and then it pops up and it says, if it's valid and you click into details and it shows you like let's encrypt is a really popular and free one, and it shows you something.
So how it's secured, right? And from my research and learning from you and others, there's ways that there's even cases where that gets hacked, because they're like pre-installed on operating systems or maybe at the browser level or at the operating system level. And, and they're literally just historic on your, on your computer.
And then Tara communicating with the webpage to, to validate from my understanding. Right. So the important thing to know about. Yeah. So basically like when it comes to internet and like browsing and security, there's basically two completely different systems, two completely different systems you can think about.
Well, I dunno something with two systems in it, your body's that our circulatory system and respiratory system. Yeah. There's some connections there, but are different organs doing different things. And DNS, when we think about names, Connecting to IP addresses. That's, you know, I can and name servers and you can go to GoDaddy and get a name.
And that's how, when you type a name into your browser, the browser knows which IP address to get the website data from. That's one whole system. There's a second system, which is for security, and we'll go into the details, but basically it's rooted. It's not, I can, it's not GoDaddy. It's not DNS. It's a separate system called certificate.
And yeah, like you said, so, so I, I have a Mac MacBook pro in front of me. There's an application. You can look on your own computer. I think it might be in utilities, a program called kitchen access. And you can just, you open it up and you'll see there's, you know, I don't know hundreds of certificates, companies like Verisign and like that, and, and, and Veritas, and they're all in there.
And these are public keys. So as cryptocurrency unit. W we shall have this concept of like public keys, right? Like you tell me your public key, you keep your private key secret and we can do some secure stuff that way, you know? So that's what these certificates are. A certificate is a public key. Very, very simple.
It's a, you can think of it like a Bitcoin address or a handshake address. It's a, an identifier that you can sign something with that nobody else can sign something with. And if you sign something with your private key, I can take that signature and then message and public key. Verify that that message was signed by you.
That's how Bitcoin transactions work and how handshake transactions work. And you know, all, all, all internet security in a nutshell is the signatures, right? So now we're talking about websites. The idea is when I go to bank of america.com and I type in my password, I don't want every computer on the internet knowing that, oh, you know what, let's take a step back because this is a metaphor I've always wanted to explain the internet.
Okay. Internet is a baseball. I'm over in, in, in, in section two row G seat F and I want to send a message to you. You're downstairs in section a row, L C five. Okay. And I want to send a message to you. How do I do that? This is how the internet works. I write the message on a postcard that anybody can read.
I hand it to the person next to me and I say, can you. That direction and they look at it and they're like, sure, they ended the person next to them. We handed over to section F someone runs downstairs, hands it's a section G you said has the section H they get it all the way to you. And every single person who touches that message along the way can read the data.
Cause I'm just handing it to them. And, yeah, and there's, there's a program called a trace route. That's I most, most operating systems. And if you type trace route google.com, it will give you a list of all the computers between you and google.com. It's just like that baseball stadium is just passing a note, like passing a note in class.
Anybody can read it. Interesting. So like this conversation we're having, like, it's not like there's, it's not a tin can telephone. It's not like there's a wire from my house directly to your house, obviously. Right. My data is going to my internet service provider. That's connecting to some other internet service provider.
That's connecting to some undersea cable. That's taking the data to China, and then there's a computer there and another computer. And finally it gets to your house and you can hear me talk every single one of those computers along the way has access to that data. And some might say that when the internet was built in the nineties, they made this mistake of not adding security right away.
There was an afterthought. And now we have this legacy insecure system with security bill. Okay, so we good so far. Yeah, I'm getting it. Okay. Okay. So what we want to do, if I'm going to send a postcard to you in three sections over in the baseball stadium, obviously I want to write it in a way that nobody else can read it or more importantly, that nobody else can change the message, because it's important.
If I'm, if I'm sending my bank account password to, to bank of America, I want, I, I don't want anyone else to know that except for them, you know, so. There's a really interesting cryptographic techniques where we can send insecure messages to each other and use those to actually build a secure channel.
And then if you've ever passed notes in. You know, my little sister had some friends and they had a, uh, code and they had the letters a through Z written on a piece of paper next to each letter was a funny little symbol and they could write messages and code to each other. And of course I broke into her room and stole that piece of paper.
So I could decode the messages and find out who they had crushes on the hacker from there. So that's, that's basically what we need to do. I want to send you an encrypted message. So even though there's like a hundred people between me and you that have access to the data, they can't do anything with it.
If, if they try to change the data, when it gets to you, you will know immediately that it's been changed and your browser will say, Hey, we gotta, we gotta break this connection right now. We're not firstname.lastname@example.org do not send your password, do not type in your credit card. Um, so we're good. So far, we want to add encryption to this fundamentally insecure system.
Okay, so that key, the, the piece of paper with the alphabet and the funny symbols, somehow you and I need to agree on that and we can skip over the details for that. But, but, um, because it, the bridge from, from that piece of paper, with a symbols to how SSL actually works with, with a shared secret and, and a key exchange, it's, it gets a little too complicated, but somehow we need, I need a key.
So that I can encrypt a message in such a way that only you can decrypt it. And the metaphor breaks a little bit, because it doesn't really make sense with a piece of paper with the code, but I'm just gonna tell you, there's a cryptographic technique where you send me something, I send you something back and then we have a shared key that nobody else has.
Okay. We're good. So far I'm getting it. Yeah. Okay. All right. All right. Sweet. The certificate is, is, is. Exchange starts when you go to, when it's hyped bank of america.com or google.com resume. The first thing that happens is your computer sends a message to that server and says, Hey, give me your public key, give me your certificate.
And that certificate gets sent back. Well, how do I know? That, that certificate I just received is actually from google.com because don't forget, there's all these people in the stadium. If I send a message to Mike and I say, Hey, give me your certificate. And somebody comes back and says, hi, this is Mike.
Here's my certificate. I'm looking at this. And I'm like, well, huh? Like, is it though? Or did somebody along the way. Swap out your certificate for verse and, and then I'm actually encrypting messages to this man in the middle and they can read the message and reencrypt it to you. So you think you're actually talking to me, I think I'm talking to you, but there's this man in the middle and if you Google that term, you'll find tons of it.
Yeah. I researched this a little bit more too. Yeah, yeah, yeah. Okay. So that's, that's what man in the middle attack means or women in the middle. It just means that there's a there's, there's some entities. It, that has access to our channel. That accepts messages from one person does something with it.
Impersonates basically, impersonates both people and can eavesdrop on the entire channel, even though you and I both think the data is encrypted. Got it. So rewind a little bit. I get this postcard from you in the stadium. It says, hi, my name's Mike. Here's my public key. How do I know that's actually your public key?
The reason I know it's your public key is because at the bottom, there's a signature by cloud. And nobody else can forge that signature. Nobody in the stadium can sign the way that CloudFlare signs. And I guess, you know, to extend this metaphor, you might say the reason I can trust CloudFare signature is because I walked into that stadium with Cloudflare's.
With, you know, with some way to identify CloudFlare signature. Obviously these metaphors are starting to break down a little bit, but, but that's, that's the deal. I, I go to the apple store, I buy a computer. I walk out of that store with Cloudflare's key. In my hand, you know, CloudFlare gave their key to apple at some point.
I don't know how they verified that the key came from CloudFlare. They have their own infrastructure for that, you know, they installed the key on the, on the apple operating system. Apple signs that with their key and like the hardware is set up in such a way that like only apple software runs on, you know, that kind of stuff gets deep.
But as far as the baseball stadium metaphor, I walked in there with COVID bears key. I walked in there trusting CloudFlare. I didn't walk in there trusting like Nicoline. I don't know. You could generate a new one every day I walked into with Cloudflare's key. I get this postcard from Mike from supposedly from like Nicoline.
It's signed by CloudFlare. That's how I can trust it. Now I know, or I believe with extremely strong conviction that I'm holding Mike key. I can encrypt a message with that and send it back to the baseball stadium and no matter who touches it, I know that when you get it, it will either be the exact same message that I sent you.
Or you will be able to immediately detect that. Something is wrong and vice versa. Got it. Got it. Cool. Yeah. Yeah. So,
I mean, what about the, I mean, I think the other element that maybe is worth bringing up or is it not as the fees they just collect? I mean, there's free to let's encrypt has been amazing free, right. But before let's encrypt, you had to pay, like, I think some people still pay. But, you know, I mean, there's, luckily we have this, I don't know how many years let's encrypt has been around, but before that you had to pay, you know, and I, and there's still the other ones still charge, but you gotta pay these people for it too, right?
Yeah. And it's, you know, they're convenience charges. Like if you, if you have a name on go down, You can click a button that says, I want to add an SSL certificate to my name, Mike mcclooney.com. And we'll be like, sure. It's 200 bucks a year. I'm like, yes, you could do that for free using let's encrypt. But I don't know.
Have you ever actually used less encrypts? Have you ever installed a let's encrypt certificate? Yeah. I mean, luckily I have some of these C panels I use have it integrated in and I can click it, like, like what you said. Okay. Okay, awesome. Okay. Some services have free ones. Okay. That's good to know. So that there are convenient options that are better still free.
So, and you know, that's how it should be, but let's encrypt. I could be wrong about this, but let's encrypt certificate is also not installed on operating systems. I something about their key change this year. I'm not sure if it's this, but, but there's a chain, right? So, and even Cloudflare's key might not actually be installed on the operating system, but somebody else signs their key.
So there's this chain of signatures, you know, there's like a key that's installed on the operating system. The roots of trust, something that you were just born trusting you. You just do, and then they sign a key. That key is used to sign another key that gives you the sign, another key and so forth. So let's encrypts key, I think is signed still by somebody else.
I'm going to look at the certificate for zoom. Yeah. So, so we're, we're using zoom.us right now. They're the certificate we are using to communicate right now is signed by digital cert and secure server CA that key is signed by Digitas or global root CA on my computer has a little gold icon. That means it's it's installed in my system.
We are using a key that signed a key that signed a key for this channel. And let's encrypt I think is in there. So that means, you know, like maybe let's encrypt, isn't a great example, but somebody has authority over let's encrypt. If let's say let's encrypt a signed by digital cert or something, and let's encrypt start signing handshake, domain names, or they sign, Ooh, God forbid like a, an Iranian peace movements, domain and S and, and somebody is like, you know what, let's encrypt screw you.
You're done. And they just revoked their key. Right. All of let's encrypt certificates are suddenly invalid because of this chain of authority. Like that doubt that will ever happen. But it's, it's, it's a potential thing, you know, and similar to the ICANN system, like if a TLD violates icons terms, they're just gone.
That's how authority works. Got it. Okay. Yeah. So, so, so then it's more than just money, right? I mean, so the first is actually just the actual security because there was, there was some articles I've read that's in Europe. I think somehow there was a hacker. I don't want to say middle east, but some other foreign country that somehow theater men in the middle attack on some, I think financial.
I don't know if you remember this article, but they were able to, to hack the, so people thought they were logging in, but it was a fake certificate, but it looked like green and it had the safe check and, you know, they logged in. Um, sure. You can, you can find stories like this. Like my, my ether wallet is, is a web wallet that got hacked a while ago.
And a lot of times what gets hacked is the DMS. And then they were able to, um, post a site that. Exactly like my ether wallet, but it just stole your private keys. So the other thing is like, so the way let's encrypt works is like, let's say I get Matthew's zipping.com and I want to let's encrypt certificate.
So I use. I set up the DNS first, so that Matthews have can.com point is do an IP address. Then I have a computer at that IP address and how the let's encrypt protocol works is basically I send a message from that computer to less encrypt that says, hi, I'm Matthew Zipkin. My IP address is 10 dot 20, about 30 by 40.
I would like a certificate. That message goes to the less encrypt server. And they're like, okay, if you really are, Matthew's zipping at that IP address, we'll set, we'll send you a certificate. So they look up Matthews, deputy.com in the DNS system, find my IP address and send a message back, you know, to that IP address saying basically here's a certificate.
So if I say hi, I'm Mike Michelina, and this is my IP address. Let's encrypt what we like. First of all, no, you're not like the IP address. Doesn't match what's in the DNS system. We're not going to sign this. Or they could be like, um, you were going to look up Mike mcneeney.com and send their certificate to that IP address.
And I don't have a computer at that IP address, but there are hacks you, you, you can't really like steal someone's IP address, but you know, if you can break the DNS, you can trick less encrypt to sending you a certificate, for example. So yeah, these, these kinds of hacks are possible and, and by the way, It's still the responsibility of the service operator to set up the security correctly.
There's over the last year, I've seen a lot of people like, oh, my God looked at the site, got hacked or DMS got hacked, or this side had, you know, there's significant got hacked. And almost all those stories like could happen, still happen on here. There's very few of these stories are about censorship or authority takeover.
You know, like the handshake website can still be hacked. Users need to be cautious. And, you know, and, and, and the important thing is, is DNS sec too, is the other thing, which is like the, the chain of cryptographic trust in the DNS system. So a lot of these hacks operate because they insert false records into the domain name system, and they're able to.
Triple certificate authority or that kind of thing. Got it. If somebody is angry outside, sorry. It's like New York, right? Syntax is quick, quiet morning here. So for the air conditioner, talking about bro, you know, like maybe we're a little bit more, somewhat practical or business, you know, everybody, especially in the handshake community is, is fascinated with brave and brave browser or browser adoption.
And. You know, a few months ago now there was that blow up on Twitter that I kind of was in the middle of, but there was there's different parts of browser integration. Right. So maybe. So you're seeing as good point where we moved to the integration or the adoption now. I mean, yeah, let's maybe talk about is where by all these people, like they want to pump their bags.
I think like Brandy says about us, but of course we, everybody wants adoption. Everyone wants these browsers to be able to type in our name and it opens. Right. So it's not just the resolver. Right. So there's resolver and there's Dean and or security. Right. So maybe we could kind of talk about. This is best your, yeah.
Yeah. We're sorry. Maybe we should talk about what Dane is. Before we really talk about, we kind of talked a little bit about the current system and racket, right? Yay. I got that from JJ during a handy con when he says his CA he says, said, yeah. So that comment from JJ is like, back to what I was saying.
Like handshake is yeah. Targeting certificate authorities and the DNS stuff is just like how we're going to do it. Yeah. Okay. So like I, like I said, in the beginning, there's the domain name stuff over here and there's the certificate authority stuff over here. And the baseball stadium, their certificate authority is the list of keys.
I walked into the stadium with the keys that I just trust. And the domain name system is the phone book where I look up Mike and Michelina and I say, oh, he's downstairs in section G H or whatever, two separate systems. I got one list of keys and I got one list of, of domains. Okay. So it gets a little, it gets kind of interesting from here.
The idea of Dane is to combine these things and make certificate authorities unnecessary by using the security in the domain names. So, what that means is as, as people who watch your channel, I'm sure are familiar, at least with some types of DNS records. Like you guys understand that there's a name and an IP address, a record, see names, stuff like this.
Exactly. Yes. These are types of DNS record, a name and a record is an IP address. A C name is like a different name to look up, and then you get the IP address from, from that. Those are two types of, of DMS records and probably the most important, because that's the whole point of the domain name system is to figure out an IP address, but there are lots of other records and tax records.
Of course, everyone knows about Texas. So there's a whole other class of DNS records that were added in, you know, if buffer were here, he'd be able to tell me he was RFC 6, 0 5, 3, or something. And it came out in 1998 that were added, you know, as the internet was developing, not it wasn't part of the original design.
So there's these other record types. And they have names like DNS and DNS key and our, our SIG and TLS. These are crypto group. This is the public key infrastructure of the DNS system. So most users in the leg. In a legacy system on let go, daddy, whatever you know about a records and C name records, these other type of records is, is where the cryptography happens.
So you can have a DNS record. That's a public key. We know what public keys are and how those work. You can have a DNS record. That is a cryptographic, right? And so right off the bat, you know, so your public keys and a record called DNS key DNS, K E Y. That's a DNS record type that has your public key. The signature is in a record type called R R S I G.
And you know, you can find this stuff easily online. You can, you can look up in our RSA so I can, um, look up the record for Mike mceleney.com and see a signature there. And then I can look up the public key. That's supposed to sign that signature. Post you have created that signature and verify that the record was signed by the key that belongs to Mike Nicholina while I know that that key belongs to my Kundalini because that key has its own signature signed by icon, or, you know, to be verbose signed by.com and then knock.com has a key that assigned by icon.
And I can has a key that is widely known on it. And again, the ICANN key, I walk into the stadium with it's, it's built into your computer. If you Google, I can ask 2017, you'll find it. Um, and that key by the way, is a hard-coded consensus parameter in handshake, because it's the root of how reserve name claims work.
Okay. If that key was hacked or revoked, handshake would have to abort her name claims. It's kind of interesting and that. If you've seen any of my talks about internet security, I've, I've shown the video of, I can, I can nerds their basement in LA and they got a safe and they've got yeah, hardware module and there's just like three hour long video.
They have this crazy process. It's it's, it's like when, when the captain and the SL on a nuclear submarine are going to launch, you know, they go through the whole protocol, they put their keys in at the same time, they got to do all this stuff exactly by the book. And it ultimately, I can tell. A private public key pair.
They sign the root zone, everything goes back in the safe and people can verify, you know, so that whole system of, of DNS of cryptography in the domain name system is called DNS sec stands for DNS security. And that's how I, when I get the record from Mike nicoline.com, I know that it is actually that assuming I trust both ICANN and.com.
And that key that I can key. The one that's generated in the basement in LA that is replaced by the blockchain in handshake. That is very specific. Targeted, you know, we're not trying to replace a whole, the whole system, you know, ENS is trying to replace the whole system. We're trying to replace DNS completely with IPFS and the Ethereum blockchain.
Great. We're just trying to, we're just, it's just got the bulls-eye scalpel head of a pin thread through the needle. Replacing one key, generated in a basement by ICANN. That's curious the DNS root zone and placing that by. So I don't need to trust. I can signature on something. What I do is I trust the blockchain.
I don't trust. I verify the blockchain. And from there I get the key from Mike and then I can verify the signatures online to make Eleni and so forth. So, right. So the, the baseball stadium we've covered DNS and certificate authority. And now back in the handshake world, I've explained how. How the handshake blockchain replaces the security just on the DNS side.
And now we're ready for Dane. Are we ready for Dane? Let's do it, man. Let's do it. Okay. All right. This is great. There's one more record. I haven't mentioned yet, which is called T L S a M. The TLS part of that symbol probably stands for transport layer security. Whereas like you're saying, there's TLS and SSL and HTTPS for our purposes.
Those are all the same thing you should just know in your web browser. If you see HTTP. You are not secure. That's just hypertext transfer protocol. When you see HTTPS, the S stands for security and that S usually comes from certificate authority. It means that the certificate has been verified and we're using it.
Okay. So there's another DNS record called TLS a and it is the hash of your public key. It's basically like an address, like a Bitcoin address or a handshake address. It's a hash of your public key, and we assume it has to be signed. By your DNS key. And those are all DNS records just in the DNS system.
VACU has to be signed by, you know, the parent key and Macky has to be in the handshake group zone and secured by proof of work. So we have proof of work securing your key. And then your key signs, this TLA S T L S a record, which is just a hash. Um, so I look up your name. We're using handshake using a DNS resolver rooted in handshake.
Now I know your IP address and I know your T L S. Great. So now I go, I send a message to that IP address, and I say, Hey, I'd like to connect to you securely. You send me back a public key. If the public key you send back does not match the TSA record, which I've already verified, you know, signature wise, cryptographically speaking.
If they don't match, we're done. I'm out of here. The browser, the browser shows the user an error and you have to click a couple extra options to be like, yes, I want to look at the site insecurely, even though I know it's. If you're running a fingertip, or if you're running, let's Dane connected to a secure handshake resolver, you'll get that green lock in your browser because we've basically trick the browser.
And I'll explain how that works too, in a second, but that's Dane. So we combine this idea of certificate authority rooted in these certificate keys that are just installed in my system instead of installing keys in the city. Wipe that out completely. We trust a chain of signatures in starting in the handshake, blockchain.
There's a key in the blockchain. That's a DS record. That key signs, another key, which has another key or whatever, which signs a TSA record. And that's the LSA record matches the certificate I got from your web server. And that's how the two systems are brought together using handshake and how we can not only bypass ICANN with handshake, but also bypass certificate authority and create a secure browser.
Got it. I just did a quick Google search and I'm valued at 81 million in 2019. The global certificate authority market sizes expected to grow by 12.3% in 2020 to 2030 to get to 285 million by 20 30, 280 5 million. Oh yeah. That's what they think is going to be. It doesn't sound like that much, but for them, I don't know.
I mean, we're talking about the entire internet, right? Yeah. The I'll I'll I'll link this and I'll try my best to do some market research, you know, from a Google search, I guess. I don't, I don't even know what a lot of money is anymore. Maybe that, maybe that is a lot of money. I don't know. Yeah. Okay. Yep. So 15 and then, you know, I'm sure people will say, okay, okay.
You know, A lot of people is still, everybody just wants to get adoption in the browser. Right. So some people say like, can't, we just kind of get it working without the S for a while and then add the S okay. Great. Great, great, great, great, great, great. Okay. Don't do anything insecurely on the internet, just don't.
Why would you do that? Don't do it. Or would you go, would you type your bank account password into a website that wasn't secure? Like we take the security for granted. The computers we buy have gone through all the effort to provide us with this convenience. So we don't even have to think about it, but like, you know, I, I remember when I started using the internet in the nineties, I would never enter a credit card into a website.
Are you kidding? You would lose all your money. Like obviously you can't buy anything online. That's crazy. Now security is, is, is common. And if it's common and convenient because of authority, you know, that's the easiest way. To make security convenient is you just have a gatekeeper and, you know, they have the reputation, you know, if, if, if apple computers started installing fraudulent certificates and all of a sudden you can browse on an apple computer because it was so insecure, they would lose a reputation.
Okay. So that's like the, the check and the balance. So. All right. So let's talk about security. Here's what I've been saying. Kind of, since the beginning about this stuff. Handshake is fun. And you know, if you want to have a de-link or put a website on your name without security, boy, that's fun. And you can go look at HTTP colon slash slash Michael Nicoline and see a website there.
And like, that's great, but I hear it. Here. Here's the title of the video. Okay. There is no business without security and there is no value without business. Okay. You don't have to call the video that that's just, that's my mantra. That's what it comes down to. If you want to have a fun website without security, that's great.
You know, back. My cousin and I used to have a lemonade stand. We'd go out on the corner. We'd sell lemonade for 10 cents. Nobody bothered us. It was in totally insecure business. We could be ripping people off. I think sometimes I would take more than 50% of the cash at the end of the day, you know, just like it's, it's sure it's fun, you know, to have a lemonade stand, but if you want to exchange Bitcoin for handshake, or like, if, if you want to, if you want to post a secure, like we're, we're, we're having a democratic revolt in Iran and we're gonna meet at this place.
Like, oh, you don't want that. Screwed with, you know, or if you're going to have the credit card number or password, like I built proof of concepts, which might might've been one of the first, I don't think it was the first day secured website on handshake. One of the first five. It was the first interactive usable.
Cause I accept passwords. You can log in to proof of concept. You can create an account, create a password and use that password to log in and post your tweet. And I would not accept your password if the website wasn't secure, you know, it's fun. It's not a very, not a very useful website, but the concept I improving there is.
I had a reason for security, you know, at a reason if, if, if I want you to log in with your password and I'm going to give you a Bitcoin address to pay me like that has to be secure. Otherwise, a man in the middle is going to replace that Bitcoin address with their own and you'll send money to it. And I just won't get paid and someone else gets the money.
That's not fair. Or someone will just ups that, that, that man in the middle will listen to your password. Now they know your password. They log in, they, they tweet on your behalf. I am making lenient. You know, that's not fair. So that's what I mean. Like, if you want to do business on a website, you gotta be secure.
Otherwise you you'll lose all your business. You'll lose your money. If people want to invest in you, you will, you won't have customers. You'll be humiliated on Twitter. Business requires security and businesses where we get value. So everybody should on handshake should be looking into how to secure their websites because to give handshake value, we need people running businesses on handshake.
Important things, not the lemonade stand. Okay. That's my soap. You know, that's my brand. That's that's, that's good, but it's I don't want, I don't know what to call it. Maybe it correct me, but it seems like almost a chicken or egg maybe if, I mean, it makes the barrier for a mass adoption at browsers bigger.
Hurdle because we need Bain. And then I know maybe we can also talk about potential Alliance and I don't know how that's going, or it's not just handshake. That should be in that let's let's let's land this plane. Cause I know like the, this has all been set up to talk about. Yeah. It's just leaning towards, right.
So let's let's land this plane. Okay. So the way that's browser security works now is that first model where there's there's DNS and then there's certificate authority. So the browser makes sure that the certificate I get from the web server is signed by something that the operating system trusts. So what we need from a browser is to not just trust the certificate authorities in the system, but to do Dame, basically to look up that TLS record, verify the signature.
And verify that the key that is signing the TSA record is in the handshake blockchain. Then we could get secure browsing easily in a browser to the handshake domains, using everything we've already described. So how does let stay in work or fingertip is like the easiest, um, the easiest way now, because buffer did an amazing job making security a lot more convenient.
So you had impervious.com/fingertip. You can. This, this menu bar and it runs two programs. It runs H and S D, which is a handshake name, resolver light client. And it runs less Dame, which is the, um, the Dane validating proxy. And I'll describe both of those things, but, so it's kind of funny, like you got these two programs, cause like I've been saying there's like the name resolution stuff, and then there's the certificate authority and that's why there are two different pros.
Wrapped up in fingertip. So H and S D probably a lot of people already know it's it, it, it verifies the block headers from the handshake blockchain, it gets Urkel tree proofs. So when you ask H and S D for a T um, top level domain, it gives you the data that is in the handshake. Blockchain. You can verify that as in the handshake blockchain, you don't need to download the whole blockchain.
It's very lightweight, very bright. Most of the design of, of handshake and described in the white paper is for this light client to work as easily and conveniently as it does. So using H and S D basically we, we get the IP address and we get the key and we can verify the TLS bay record is correct then.
So, uh, last name is the brilliant part. So what let's Dane does is it is a man in the middle proxy that stain generates a certificate. Okay. Okay. The user has to install that certificate either in their operating system or Firefox has a very awesome feature where you can install a certificate just inside Firefox.
And this is a certificate that you're walking into the baseball stadium with. You're trusting it. Um, you can trust it because you generated it yourself on your own computer, using let's Dane, which is open source. And you can read the code and verify that it's not doing anything bad. So you. You, you, you are now a certificate authority.
It's like, you know, that, that meme where the pirate is like, I'm the captain. Now I am the certificate authority. Now look at me, I have generated my own certificate and we hand that certificate to let stain or fingertip. And then we, he becomes a man in the middle. So the way it works with Firefox Firefox also has this awesome option called where you can set a proxy information.
So what that means is that Firefox sends all of it. Entire internet connection, basically just from Firefox every message that leaves Firefox goes directly to fingertip first, instead of going out to the internet and fingertip is a man in the middle, it, it, it it's running on your computer. So it's not, it's not an attacker on the internet, but it basically is on your computer.
And it basically doesn't man in the middle attack, it goes out to proof of concept and gets that certificate and verifies. The Dane using the records from the handshake blockchain. And if it's valid, then let's deign replaces the certificate with its own. And the browser says, oh, proof of concept. This website is signed by the certificate that the user has just installed.
So I trust it. And you get that green lock in the brown. So just to recap what fingertip or lets Dane does, is it, it generates a tiny little certificate authority just for you and it monitors all your internet activity coming in and out of Firefox. And it verifies Dane verifies that the certified. And the web server that you're getting is, is signed by records in the blockchain, and then basically tricks Firefox by it.
Doesn't trick Firefox. It's a certificate authority and signs, you know, create the signatures that Firefox, trusted, just like a trust there. Assign Veritas, CloudFlare let's encrypt. Got it. Yeah. So this is the awesome part about him. And we talk about certain people who represent the Ethereum name, service that love to brag about how many integrations they have.
One of the integrations that, that they are recently bragging about is fingertip, which is now on the ENS website, because you can, you know, it actually talks to ENS. It's part of our hip five deal. Does handshake need integrations? I just described how fingertip works. I'm using it right now. I didn't need brave to add anything.
I didn't need Firefox to add anything. This is the awesome, like the, oh, I feel it in my gut. When I think about it, how cool the design of handshake is, we don't need these integrations. Like you can just, and you just install the software on your computer. And honestly, like, even if brave. All right. So we can talk about the options presented by the browsers in a second.
But my point is we don't need the integrations. There's this extra little. Basically that proxy, sir. If what we would need from a browser is this two I'll take that let's stain proxy server and just install it inside. Firefox, make it one step easier instead of falling Firefox. Instead, instead of installing Firefox and fingertip, you just install Firefox or you just installed brave and it doesn't need the man in the middle of proxy.
It just does the verification internal. Right. So, and you know, it's great people like, oh, which browser do I need for handshake? You guys have a special browser just for handshake. You know? Like, is it like tour where you get a special browser just to access the network? No, use a browser. You already have.
I got all my browser set up. I got different accounts, different bookmarks saved in each browser. Like you just install handshake on your computer and all the browsers work with handshake and without certificates. Is that understandable to technology-wise like how the model works, but I know I'm thinking and others are thinking it's all, you know, obviously people are lazy.
Mass adoption is not going to install an even a simple plugin. It needs to be default. I mean, for real mass adoption, you know, it has to be sure. Okay. Okay. So, and you know, like disruptive technology, decentralized technology, like yoga, I could ask the, I don't want you to answer this, but like, you know, do you run a Bitcoin full node?
Do you have a Bitcoin wallet? Like you're you, you, you know, you got a ledger, right? You just put it, held up to the camera, like people who are watching this video, like, do you use Bitcoin? How do you use it? Do you just have a Coinbase account? Like that's. Is that mass adoption though? Are you really using Bitcoin Satoshi Nakamoto would say no that people who work on Bitcoin core and work on Bitcoin wallets where you control your own private keys would say no.
So, you know, when it comes to adoption security, mass adoption, these things like I can see the effort from entities, like main base, doing incredible work, spreading the good word about handshake and educating people doing terrible. Uh, security wise from name basis perspective. Mass adoption is more dealings, more accounts on name base.
And I guess that's it. I mean, welcome dot MB is not secured by Dame. Like somebody could run a man in the middle attack and replace welcome dot and be with, you know, whatever they want. And of course, welcome dot MB doesn't matter. And a user data. I mean, when am I going to go to HTTPS colon slash slash name base and enter my password and, and enter my credit card information and make purchases to a secure, you know, name base is all about handshake.
They love telling everybody about handshake and they're doing a great job getting mass adoption, but, but they're not really using it themselves. Are they? So, yeah. I've just decided this is going to be like my role in this community. Cause I don't see very many other people doing it. I'm going to be the guy who is a stubborn brat about security and rejects everything else.
There's plenty of other people out there spreading the good word about handshake and getting up dealings and, and talking about I cannot certificate, you know, like all that kind of stuff, but I'm going to be the guy that is, that is not going to budge on I'm dying on this hill. Like antique is, is security.
Software cryptocurrency is security software. You got to run it yourself on your own computer. That's the whole point. I got two big rants for me in one video. That's amazing. I mean, that's why I wanted to do this one. That's why I think it's important. I know we're at, we're getting tweaked. This it's always great, great insights.
I know we both got to get going soon, but yeah. Should we finish up just talking about like the, the status of, of browsers? Yeah. I feel like, you know, I mean, I it's kinda become my, especially with that uproar on Twitter a couple of few months ago, I still feel like I kind of want to try it. Yeah, close though.
Move it closer. Okay. So let's talk about brave. Let's talk about unstoppable domains and ENS. If you look at brave source code, the buffer actually found this link for me, it's clear as day and I've sent it to a lot of people on telegram and stuff. They ha there's this, there's this area of the brave source code called decentralized domains or decentralized DNS or something.
It's basically. Okay. But if you look at the source code, it's like this. If the URL ends in dot ether, then request the DNS from HTTPS cloudflare-eith.com. If the domain ends in dot crypto, then look it email@example.com and. That is the opposite of decentralized legacy, DNS legacy certificate authority, centralized gateway.
That is what decentralized DNS means to brave at this time. So the reason that, you know, and when Brandon, I said, Hey, go ahead and open a pull request. We'd love to see it right. What they want w with what they want is something like this. If you were all ends in dot H and S then look up the DNS record from https.name based on that.
Centralized gateway legacy, DNS legacy certificate authority, mass adoption. Sure. That everybody can go to HTTP colon slash slash MC Meline in brave without installing any extra software and they can get that name resolution. Is there transport layer, security, HTTPS SS. No, there's no certificate authorities that sign certificates for pancake names.
And it's the same with ENS and unstoppable domains. This is why like we all need Dane, everybody unstoppable domains, ENS handshake, yet butterfly protocol dot BTC, which runs on the stack side chain on top of Bitcoin. Like any, all these decentralized domain name systems cannot get certificate authorities.
To sign their certificates. We all need something like Dane. And so, you know, I recently saw a tweet where somebody went to Brantley dot ETH and brave, and it's HTTP. It says not secure. Well, what are we doing here? People, are we using blockchains for security? Are we trying to fight the power here? Are we trying to avoid censorship?
You know, if, if, if Brantley dot E. Going to post the meeting place for our democratic revolution inside of your name, your oppressive country here. And we go, and we look at that website and it says, oh, you know, the meeting's over at this place. And we go, and it's a trap, you know, like, It's sure it's fun.
Dealings are fun. Brantley dot eith is a great place to see a link to his Twitter and whatever quotes in his images he wants to add up there. It's just very fun. Do I trust the data? I'm looking at, know what I send Bitcoin to an address I saw on that website? No, of course. If theorem has this other way of adding cryptocurrency addresses, which is more secure because it's in the blockchain, but we're just talking about the web browser now.
And so this is why I'm pushing so hard for security. And this is also why it's so hard for browsers to do what we want. You know, w w what brave wants is a centralized gateway to resolve handshake names. And it's hard because we don't do dot HNS. We, it makes it very hard for brave. They would have, they would need a list of pancake domains or list of the ICANN domains, and maybe look up the top level domain if it wasn't on the list.
And so implementation wise, that's hard, but, you know, like, I wouldn't pay brave any money. I wouldn't recommend anybody in the community pave any browser developer money just to get that name resolution, because they're probably going to do it like this. You know, they're going to do it with a centralized gateway.
And, and again, like if there's people who think that mass adoption is more important than business or like value the way that I'm describing it. Go ahead. I'm just not going to participate in that. I'm going to be over here, dying on my hill, which is security activism, subversion, decentralization, you know, empowering the user stuff that gets them fired up.
Yeah, I understand this cool too. I'm here as well. I'm doing this. I know. I appreciate it, but I guess, you know, it's again a thought I'm thinking and I'm sure others. I feel like maybe there's a step one, step two, you know, like his buddy, you know, you're going for it. You're going for the goal. You know, you're going for the, the hail Mary kind of you're going you're like all or none.
It seems like, right. I mean, it doesn't it's, I mean, I, I know what you're asking and like I've already said it a dozen times in this video. It's not all or none. I understand. There's this middle point where we could have mass adoption, but yeah. It's just the fun. It's the lemonade stand. It's the de-link it's the like, look, I have a profile picture.
You know, it's not business though. Web 1.0 was no SSL. Wasn't. Even that long ago, I was starting to figure out how to get HTPs, Google. Wasn't going to index HTTP sites anymore. Even if you, they used to just say any SSL on checkouts credit cards. I remember I had never like made sub domains, like checkout dot or shopped on.
And my. Www is just content. And, and I had to send them to a checkout page, or I even send them to a, a website outside of my own domain for the checkout process. And it was spit back to my site leaving like PayPal, right. PayPal. I mean even original web wasn't secure, and then it became secure. So I mean, yeah.
Yeah. And you know, like I said, if you talk, if you find yourself some of the gray beard hackers that were around. They'll probably tell you. Yeah, we, we should've had transport layer security from day one. Like it's just, we have the high insight of how the internet works. Now we know there's ha we know there's hackers, you know, we know that there's cryptography in that it's, it's accessible and easy and yeah.
You know, I don't know what else to say. Like, I, I, I hear you. And if, if, if you represent an organization, that's got a couple hundred K you want to throw it at opera to get handshake resolution. Going, even if it's just the lemonade stand going through a centralized thing, just so people can look at the website, HTTP Mike McQueeney and be like, that's cool.
I, I mean, I love it. That'd be great. People will. I can't bring myself to say it. People will think they're using handshake and there'll be fun. And maybe that'll encourage people to look into it more and bring them into the computer, into the community and learn more. And maybe somebody will be like, wow, this is fun, but how do I build a business on this?
Or how do I add revolutionary content to a website that it needs to avoid censorship? And that's when security will become more important. So, you know, Thank you for spreading the word and trying to bring people into the community and to Navy base as well. Obviously, you know, like we, we need people to get interested in it and fun stuff is, is a good way to get people interested in it, but I'll be over here.
All right. Thanks buddy. No, you're doing great. We're all in this together. And you know, Is great and named bass and he he's reminded us sometimes there's just debates, but I think we're all trying to get to the same goal and that's what really matters. So I know, I know, actually we both got to go. So let's maybe any kind of links, you know, we mentioned fingertip impervious.com/finger tip, which will give you deans or SSL on handshake on any browser.
For, I believe, right. Or is it in Firefox? Firefox has these options too, to add a certificate and a proxy server just in Firefox. So it won't affect any other program on your computer. There's also a video out there from a community member named Janie Payne and he illustrated how to use fingertip with Chrome and safari.
He installed this, that, that fingertip certificate at the operating system level. Yeah. Okay. And. Finding you, you know, you're finding, you know, more stuff, I guess obviously handshake.org is day of official protocol sites. And then your urinal era you're everywhere. So people find you in the telegram groups in other places.
Yeah. If you just go outside your house and yell, tell me something about handshake, huh? That's perfect way. And thanks again, Matt. All right. Thanks so much, Mike. Great talk. Cheers. .