TLS Positive Overrides

Firefox for Windows can be used with Namecoin for TLS positive overrides; this allows certificates for .bit domains that match the blockchain to be used without errors. Instructions:

  1. Find your Firefox profile folder; it will usually be a subfolder of %APPDATA%/Mozilla/Firefox/Profiles. For example, %APPDATA%/Mozilla/Firefox/Profiles/r3a8ono6.default. Note that you must use forward slashes, not backslashes.
  2. Make sure that your Firefox profile folder is readable and writeable by the user who is running ncdns. If you installed ncdns via the installer, ncdns is run by the user NT SERVICE\ncdns.

  3. Add the following to ncdns.conf, substituting your Firefox profile folder for $PROFILEDIR:

    [tlsoverridefirefox]
sync=true
profiledir="$PROFILEDIR"
  4. Restart ncdns.

TLS positive overrides will only be synchronized to Firefox while Firefox is not running; this means that, every so often, you should close Firefox for a few minutes and then re-open it.

You can now visit in Firefox a .bit website that supports TLS, e.g. the Namecoin forum’s .bit domain. The website should load in Firefox without errors.

TLS Negative Overrides

Firefox for Windows can be used with Namecoin for TLS negative overrides; this prevents malicious or compromised public CA’s from issuing certificates for .bit domains. Instructions:

Important warning for users of TLS intercepting proxies: these instructions will probably cause your intercepting proxy to produce an HPKP error for HTTPS websites that use HPKP. Right now, Namecoin TLS negative overrides for Firefox are not compatible with TLS intercepting proxies that try to intercept HPKP-enabled websites. If you haven’t deliberately installed a TLS intercepting proxy, or if you don’t know what a TLS intercepting proxy is, you can probably ignore this warning.

Note: Installing Namecoin TLS negative overrides for Firefox might cause previously-unnoticed attacks against you, e.g. from malicious surveillance infrastructure, to produce visible errors (even if those attacks are trying to intercept non-Namecoin connections).

  1. Go to about:config in Firefox.
  2. Search for security.cert_pinning.enforcement_level.
  3. Double-click the security.cert_pinning.enforcement_level preference.
  4. Enter 2 and click OK.
  5. Search for security.cert_pinning.process_headers_from_non_builtin_roots.
  6. Double-click the security.cert_pinning.process_headers_from_non_builtin_roots preference until the Value column says true.
  7. Close the about:config tab in Firefox.
  8. Restart Firefox.
  9. Install the Visual C++ 2010 Redistributable Package.
  10. Install the Visual C++ 2015 Redistributable Package.
  11. Download mar-tools-win32.zip or mar-tools-win64.zip (depending on whether you’re on 32-bit or 64-bit Windows) from Tor’s download page.
  12. Extract the following files from the mar-tools zip to a new mar-tools-32 or mar-tools-64 (depending on whether you’re on 32-bit or 64-bit Windows) subdirectory of the directory where tlsrestrict_nss_tool.exe is:
    • certutil.exe
    • freebl3.dll
    • mozglue.dll
    • nss3.dll
    • nssdbm3.dll
    • softokn3.dll
  13. Rename certutil.exe to nss-certutil.exe.
  14. To recap, if tlsrestrict_nss_tool.exe is in C:\Users\Edward\Downloads\tlsrestrict_nss_tool.exe on 64-bit Windows, then there should also be C:\Users\Edward\Downloads\mar-tools-64\nss-certutil.exe.
  15. Create a temporary directory; make sure that it only is readable/writeable by a user whom you trust with access to the Firefox certificate database. Note its path; make sure you use forward-slashes instead of backslashes, and leave off the trailing slash.
  16. Find your NSS directory; it will usually be a subdirectory of %APPDATA%/Mozilla/Firefox/Profiles. For example, %APPDATA%/Mozilla/Firefox/Profiles/r3a8ono6.default. Make sure you use forward-slashes instead of backslashes, and leave off the trailing slash.
  17. Find the directory where nssckbi.dll is located. This will usually be C:/Program Files/Mozilla Firefox. Make sure you use forward-slashes instead of backslashes, and leave off the trailing slash.

  18. Run the following, substituting the temporary directory, NSS directory, and CKBI directory for $TEMP_DIR, $NSS_DIR, and $CKBI_DIR:

    tlsrestrict_nss_tool.exe "--tlsrestrict.nss-temp-db-dir=$TEMP_DIR" "--tlsrestrict.nss-dest-db-dir=$NSS_DIR" "--tlsrestrict.nss-ckbi-dir=$CKBI_DIR"
  19. Wait a few minutes for tlsrestrict_nss_tool to finish running.

You’ll need to rerun the above tlsrestrict_nss_tool command whenever the built-in certificate list is updated. You won’t need to redo the about:config steps, though.

If you’ve manually imported any non-built-in TLS trust anchors to Firefox, and you want to restrict them from intercepting .bit traffic, you should do the following for each such trust anchor:

  1. Get a DER-encoded certificate of the trust anchor.

  2. Run the following, substituing the path to your trust anchor certificate for $CERT_PATH:

    cross_sign_name_constraint_tool.exe "--cert.input-root-ca-path=$CERT_PATH"
  3. 3 new certificates will be created: root.crt, intermediate.crt, and cross-signed.crt.
  4. Delete the existing trust anchor from Firefox.
  5. Import root.crt into Firefox; mark it as a trusted TLS root CA.
  6. Import intermediate.crt and cross-signed.crt into Firefox; do not mark them as trusted.

If you decide later that you want to remove the negative overrides from Firefox, follow these instructions:

  1. Run the following:

    tlsrestrict_nss_tool.exe "--tlsrestrict.nss-temp-db-dir=$TEMP_DIR" "--tlsrestrict.nss-dest-db-dir=$NSS_DIR" "--tlsrestrict.nss-ckbi-dir=$CKBI_DIR" --tlsrestrict.undo
  2. Wait a few minutes for tlsrestrict_nss_tool to finish running.
  3. If you want to restore compatibility with TLS intercepting proxies, follow these steps. If you don’t want to use a TLS intercepting proxy, or if you don’t know what a TLS intercepting proxy is, you probably don’t need to do this.
    1. Go to about:config in Firefox.
    2. Search for security.cert_pinning.enforcement_level.
    3. Right-click the security.cert_pinning.enforcement_level preference.
    4. Click Reset.
    5. Search for security.cert_pinning.process_headers_from_non_builtin_roots.
    6. Right-click the security.cert_pinning.process_headers_from_non_builtin_roots preference.
    7. Click Reset.
    8. Close the about:config tab in Firefox.
    9. Restart Firefox.

Screenshot

If a .bit HTTPS website uses a CA-signed certificate that doesn’t match the Namecoin blockchain, an error like this will be displayed:

start.fedoraproject.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.