Abstract
A central problem on the Internet today is that key infrastructure for security is concentrated in a few places. This is particularly true in the areas of naming and public key infrastructure. Secret services and other government organizations can use this fact to block access to information or monitor communications. One of the most popular and easy to perform techniques is to make information on the Web inaccessible by censoring or manipulating the Domain Name System (DNS). With the introduction of DNSSEC, the DNS is furthermore posed to become an alternative PKI to the failing X.509 CA system, further cementing the power of those in charge of operating DNS.
This paper maps the design space and gives design requirements for censorship resistant name systems. We survey the existing range of ideas for the realization of such a system and discuss the challenges these systems have to overcome in practice. Finally, we present the results from a survey on browser usage, which supports the idea that delegation should be a key ingredient in any censorship resistant name system.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Greenwald, G., MacAskill, E.: NSA prism program taps in to user data of apple. Google and others, The Guardian, June 2013
Times, R.: Post PRISM: encrypted communications boom after NSA leaks. http://www.youtube.com/watch?v=JJY3EXVdyiM (2013)
Schmid, G.: Report on the existence of a global system for the interception of private and commercial communications (ECHELON interception system). European Parliament Session Document 2001/2098(INI), July 2001
http://politi.dk/: Fejl blokerede internetsider kortvarigt. http://goo.gl/beQFm (2012)
Anonymous, : The collateral damage of internet censorship by dns injection. ACM SIGCOMM Comp. Comm. Rev. 42(3), 22–27 (2012)
European parliament: resolution on the EU-US summit of 28 November 2011 P7-RC-2011-0577, November 2011
The OpenNet initiative. http://opennet.net/ (2013)
Stallman, R.: Why software should not have owners. http://www.gnu.org/philosophy/why-free.html (2012)
Wilcox-O’Hearn, Z.: Names: decentralized, secure, human-meaningful: choose two. http://zooko.com/distnames.html (2006)
Mockapetris, P.: Rfc 1035: domain names - implementation and specification. Technical report, Network Working Group, November 1987)
Dingledine, R., Mathewson, N., Syverson, P.: Tor: The second-generation onion router. In: Proceedings of 13th USENIX Security Symposium, August 2004
Sai, A.F.: Mnemonic.onion urls. http://goo.gl/aOpKo (2012)
Stiegler, M.: An introduction to petname systems. http://www.skyhunter.com/marcs/petnames/IntroPetNames.html (2005)
Rivest, R.L., Lampson, B.: SDSI – a simple distributed security infrastructure. http://groups.csail.mit.edu/cis/sdsi.html (1996)
http://dot-bit.org/: The Dot-BIT project, A decentralized, open DNS system based on the bitcoin technology. http://dot-bit.org/ (2013)
Faltstrom, P., Hoffman, P., Costello, A.: RFC 3490: internationalizing domain names in applications (IDNA). Technical report, Network Working Group, March 2003
Foundation, F.S.: The GNU C library - system databases and name service switch. http://goo.gl/gQY0w
Hoffman, P., Schlyter, J.: The DNS-Based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA. IETF RFC 6698, August 2012
Polot, B.: Adapting blackhat approaches to increase the resilience of whitehat application scenarios. Master’s thesis, Technische Universität München (2010)
Mittal, P., Caesar, M., Borisov, N.: X-vine: secure and pseudonymous routing using social networks. CoRR abs/1109.0971 (2011)
Evans, N., Grothoff, C.: \(R^5N\): randomized recursive routing for restricted-route networks. In: 5th International Conference on Network and System Security, pp. 316–321 (2011)
Douceur, J.R.: The Sybil attack. In: Druschel, P., Kaashoek, M.F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 251–260. Springer, Heidelberg (2002)
Schanzenbach, M.: A censorship resistant and fully decentralized replacement for DNS. Master’s thesis, Technische Universität München (2012)
Acknowledgments
This work was funded by the Deutsche Forschungsgemeinschaft (DFG) under ENP GR 3688/1-1. We thank everyone who submitted information about their browser history for our study of surfing behavior. We thank Jacob Appelbaum, Daniel Bernstein, Ludovic Courtès, Ralph Holz, Luke Leighton, Simon Josefsson, Nikos Mavrogiannopoulos, Ondrej Mikle, Stefan Monnier, Niels Möller, Chris Palmer, Martin Pool, Richard Stallman, Neal Walfield and Zooko Wilcox-O’Hearn and the anonymous reviewers for FPS’2013 for insightful comments and discussions on an earlier draft of the paper. We thank Krista Grothoff for editing the paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Wachs, M., Schanzenbach, M., Grothoff, C. (2014). On the Feasibility of a Censorship Resistant Decentralized Name System. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science(), vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_2
Download citation
DOI: https://doi.org/10.1007/978-3-319-05302-8_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05301-1
Online ISBN: 978-3-319-05302-8
eBook Packages: Computer ScienceComputer Science (R0)