SANE – Stateless DANE for Trustless Domain Security

Even in the midst of the Hard Fork Handshake discussions, and some drama, building is still going on!

And this is a big one - Stateless DANE.

Here is the information for getting familiar with this technology.

More info on SANE

Alexander's (randomlogin) announcement:

Hi everyone!
I've published a release for a new version of fingertip which uses the stateless DANE protocol.
The release has both build instructions and binaries for Linux and macOS.
I would be happy if you try it and report if something works wrong.
After a short time of beta testing I will ask the maintainers of the original repository to merge the PR and sign the binaries.

Release link: https://github.com/randomlogin/fingertip/releases/tag/v0.0.4-beta1

Announcement from HNS Broker
https://x.com/hnsbroker/status/1831421004368998822

More information about it - From Github

https://github.com/randomlogin/sane

Stateless DANE
This repository contains code for a proof-of-concept client implementation of stateless DANE.
The server part can be found here: https://github.com/htools-org/stateless-dane.
Based on letsdane.

How it works
Similar to letsdane, it sets up a proxy server which listens for incoming connections, resolves the hostname, checks whether the provided certificate is correct, and then outputs a certificate signed by a local certificate authority (which has to be added to the browser's trusted ones).
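The "checks whether the provided certificate is correct" step is, in DANE, a comparison of the served certificate against a TLSA record (RFC 6698). The following is an added example, not code from sane, letsdane or fingertip: it covers only DANE-EE (usage 3) records and assumes the record itself was already authenticated by the resolver. The names `TLSA`, `MatchesTLSA` and `NewDemoCert` and the host name "example" are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA fields of a DANE TLSA record (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// MatchesTLSA checks cert against a DANE-EE (usage 3) TLSA record.
func MatchesTLSA(cert *x509.Certificate, r TLSA) bool {
	in, ok := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[r.Selector]
	if r.Usage != 3 || !ok { // selector 0 = whole certificate, 1 = public key only
		return false
	}
	if r.MatchingType == 1 { // compare SHA-256 digests instead of exact bytes
		h := sha256.Sum256(in)
		in = h[:]
	}
	return r.MatchingType <= 1 && bytes.Equal(in, r.Data) // type 2 (SHA-512) not handled here
}

func NewDemoCert(name string) *x509.Certificate { // constructed self-signed sample input
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	cert, err := x509.ParseCertificate(der) // also fails if creation failed
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	served, other := NewDemoCert("example"), NewDemoCert("example")
	pin := sha256.Sum256(served.RawSubjectPublicKeyInfo)
	rec := TLSA{3, 1, 1, pin[:]} // record the name owner would publish
	fmt.Println(MatchesTLSA(served, rec), MatchesTLSA(other, rec)) // true false
}
```

A certificate for the same name but a different key fails the check, which is what lets the proxy refuse a certificate the name owner never published.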

hnsd
Internally it uses hnsd to sync tree roots. The initial synchronization might take several minutes. Afterwards, using checkpoints, hnsd has to synchronize the last ~2k roots, which usually takes 5 seconds. After synchronization, hnsd is terminated.

The internal hnsd daemon has 5350 as its default port.

Fingertip New Release now has SANE by default

https://github.com/randomlogin/fingertip

Fingertip
Note: This project is experimental; use at your own risk.

Fingertip is a menubar app that runs a lightweight decentralized resolver to resolve names from the Handshake root zone. It can also resolve names from external namespaces such as the Ethereum Name System. Fingertip integrates with sane to provide TLS support without relying on a centralized certificate authority.

For Handshake domains, fingertip can be thought of as a user-friendly wrapper of SANE: it uses hardcoded community-hosted external proof services, and DNS over HTTPS for name resolution. An advanced user is welcome to use sane directly.