Giters

cojapacze / dnssec-hsts

Upgrade HTTP to HTTPS (simulating HSTS) for websites that support DANE. (WebExtensions component.)

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

DNSSEC-HSTS

DNSSEC-HSTS is a WebExtension that upgrades HTTP to HTTPS (simulating HSTS) for websites that support DANE (i.e. websites that list a TLSA record for TCP port 443). This is a reasonably good heuristic for preventing sslstrip-style attacks.

This code is experimental.

Installation

Firefox

You'll first need to install the native (Go) component of DNSSEC-HSTS. Then, if you're on GNU/Linux, do this:

git clone https://github.com/namecoin/dnssec-hsts.git
sudo rm -rf /usr/share/webext/dnssec-hsts/
sudo cp -a ./dnssec-hsts /usr/share/webext/dnssec-hsts
sudo ln -s -T /usr/share/webext/dnssec-hsts "/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/dnssec-hsts"

You may need to restart Firefox, and/or enable the extension in the Addons dialog. You're done!

If you're on another OS, you'll need to disable XPI extension signature checking in Firefox. Then, do this:

git clone https://github.com/namecoin/dnssec-hsts.git
cd dnssec-hsts
zip dnssec-hsts@namecoin.org.xpi

Then open dnssec-hsts@namecoin.org.xpi in Firefox, and accept the extension installation dialog.

Tor Browser

Follow the Firefox instructions for non-GNU/Linux OS's, even if you're on GNU/Linux. You're done!

Chromium

You'll first need to install certdehydrate-dane-rest-api.

Then, if you're on GNU/Linux, do this:

git clone https://github.com/namecoin/dnssec-hsts.git
sudo rm -rf /usr/share/webext/dnssec-hsts/
sudo cp -a ./dnssec-hsts /usr/share/webext/dnssec-hsts
sudo ln -s -T /usr/share/webext/dnssec-hsts /usr/share/chromium/extensions/dnssec-hsts

If you're on another OS, look up how to install unpacked extensions in Chromium.

Other browsers

I have no idea whether DNSSEC-HSTS works in browsers besides Firefox and Chromium. Test reports welcome!

Warnings

DNSSEC-HSTS trusts your DNS resolver, and the network path to it. This is perfectly fine if your DNS resolver is running on localhost (e.g. if you've installed DNSSEC-Trigger locally), but this is definitely not a good idea if your DNS resolver is operated by your ISP.

License

DNSSEC-HSTS is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

DNSSEC-HSTS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with DNSSEC-HSTS. If not, see https://www.gnu.org/licenses/.

The Namecoin logo is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of the license, visit https://creativecommons.org/licenses/by/4.0/.

The author strongly condemns the extension TiVoization implemented by certain versions of browsers such as Chrome and Firefox. Although the GPLv3+ license permits you to use or distribute DNSSEC-HSTS in conjunction with extension TiVoization systems, the author will not provide support to users who engage in such practices.

About

Upgrade HTTP to HTTPS (simulating HSTS) for websites that support DANE. (WebExtensions component.)

License:GNU General Public License v3.0

Languages

Language:JavaScript 94.9%Language:HTML 5.1%