HandyCon 2025 | Day 2 - SANE deep dive - YouTube

Transcript:
(00:00) [Music] hello Alexander how you doing hey I'm fine do you hear me yes we can hear fine so hope you're doing well the floor is yours you can just share your screen and then we can get started okay so yeah I'm going to share my screen the whole the entire screen so oh no so today I'm going to well first of all I am Alexander I was a active contributor to the handshake several years ago and today I want to speak again about stateless Dane and it will be quite a boring and Technical choke so I even
(00:44) invite you to interrupt me to ask some questions or otherwise you can get sweety anyway so I want to first to post several Links of like what is stat ve basically I was working on on the application called same and what what does it do basically it does it allows you to brow headshake websites in a secure way uh so for example I can open uh website the shake and that is posted like in the handshake and quite an important thing is that my connection is secure and this security is provided via saying and stess day
(01:31) uh however to explain what what does it mean I I have to to to explore some some technical ideas so um we have we have the internet and the internet is a bunch of devices and computers that are interconnected with each other and uh when we open some website what we do is basically we connect to some particular device it doesn't matter whether it is a real computer or mobile phone or a data center it's some computer and to connect to be able to speak to it I need to understand where it is located and to do
(02:15) so people use the Internet Protocol it's a peer-to-peer network of nodes and they communicate with data messages to each other and it was developed like 50 years ago and it works perfectly up to now and however there is a problem is that in order to locate a particular computer a particular device we need to know its IP address and it's not very useful for human beings to type IP addresses into into the browser however it's a perfectly valid way to open a website uh how but still we use the domain
(02:56) names um so the domain names are at by DNS short for domain name system and on the contrary to the Internet Protocol it is verical and it uses client server model so it means that not not all of the nodes of this let's say Network they are equivalent to one another basically it allows us to translate IP addresses into he human readable names and vice versa and every time when I on some website actually my computer it queries some DNS server to to find out what IP I need to locate to to open some website and so they distributed and they
(03:46) have hierarchical that means that there are zones of responsibility and there are some servers that are responsible for let's say topl Lev domain.com and it has child subdomains and child sub DNS servers that are responsible for let's say example.com and so on and when I query some servers then if it doesn't know how to to locate the needed IP it queries another server and so on and so on um what is the problem with DNS in the very beginning DNS uh it is uh all the messages all the queries for DNS system they are not
(04:27) they're not signed and so they can be altered and actually it happened several times so it's possible to alter DNS information it's possible to make a fake DNS message and DNS response it it means that if you open some website and if you have connected to a fake DNS server it could respond you with some fishing website that will appear perfectly valid so you will have the uh the correct domain of this website in your browser and well you you can you can be fished and there are several ways to overcome
(05:05) this one of them was to have signed messages so each of the data server in the hierarchy they sign their own Zone and when they pass the messages to underline servers so each of them signs and it's possible to have a chain of verification that that can say that the the answer is is indeed so so so right now having all this stuff it's possible to say that given some website we can find some IP address that belongs to it so we achieved the moment that we can locate some some website um however there is a problem that we do not really
(05:50) connect to a website directly it's not feasible to have a pairwise connection between between each of the devices in the internet and so internet notes they they pass messages that have different destinations so we have intermediaries and the problem with that is that intermediaries actually they also can alter the message the data and um if the information from website is not signed then it's possible to be it's not possible to be sure that the origin is correct so it's a big problem and so the
(06:27) S here in the htps actually it uh it says to me that the connection is secure and all the information is signed between between me and the origin of of this website um this is so each of the websites they have their own public and private key and uh they sign the information with with some key and is transferred to me while some intermediaries and we have another big problem is that I cannot really identify that the key that was used to science information that it really belongs to the website so we need some kind of
(07:11) translation between some entities and the keys that they use this kind of translation is done by by certificate authorities actually it's some kind of let's say a company that states that some given key that is used to to transmit information to sign transmitted information uh that it that it is really belongs to to some entity let's say to to some company or maybe some person and the problem with certificate authorities is that well not a problem but their properties is that they have Universal domain of
(07:51) responsibility it means that a certificate Authority can create a certificate for any domain and for example there there are cases that when authorities were were given certificates to well let's say some some malicious parties and another thing is with them is actually trust them by default so for example the certificate authorities they are included into every operating system and into every browser so for example if I open just the default Firefox authorities I have really a huge list of authorities that I trust by default and
(08:35) I cannot be let's say sure about all of them so if there could be a way to to be sure that the key that is used by some website really belongs to that it would be it would be really cool and one of the solutions to is is to to use D basically what what it means means is to have information about the keys that I used to sign in in the in the DNS system so it's possible to have a record in the data system that will be that will be given by a DNS server that states that some particular website that is hosted
(09:20) in some particular IP address has some public key has some has some keys that is used to sign information basically it's what Dan stands for however it's not widely adopted by the browsers I think several years ago there was there was native support in Firefox and there were an extension in Chrome browser and after some years they actually they stopped support of it I'm not sure why but well it doesn't matter let's return back to the handshake and well we we also want to brow website into in the secure in a secure way and
(10:03) so we have to to also have some kind of ability to to assign keys to well let's say to websites and in handshake the blockchain is the unique source of up-to-date information that first of all it's it's it stores information about DNS like to which address we need to resolve which domain and uh so same is status version of day um handshake has a handshake blockchain has a tree route that stored like every 32 blocks into the blockchain and basically it Aggregates all the information about the domain domain there and it's
(10:52) possible to have a pro by some some cryptography stuff that quite a short proof that some website has a particular key andly there was a tool called fingertip and let's D I also post it to the chat and it it was also doing the same thing it it made it made ail possible to to brow hand check websites but the problem with that is uh that you had to have a con connection to a hsd well what is hnsd basically hnsd is the DNS server that resolves domains in the handshake Network and it's not that heavy however
(11:41) it's not possible to to include it into let's say mobile devices or web browsers so it's quite sourceful to to have its always running and for this there was developed a stat D protocol what what what does it do once a day it Reves all the all the tree roots that are stored in into the blockchain and stores them and when when I open some website this website they actually have a certificate that stores information about this proof and same it works as a proxy on your on your computer so I have a tiny mini bar here that can be
(12:30) well I just run as a usual application and it it works as a as a proxy it intercepts connection from you to to the websites and checks if the certificate is compliant with same and if all the information there is correct if so it substitutes a new certificate that you trust basically you you issue this certificate and you become your own certificate Authority one of the problems with this is actually to comply with same the websites they have to to have upto-date proofs that well that they have correct that they have some particular key and
(13:11) it may be a bit cumbersome to to set it up and for this there are several let's say external services that are hosted by by the handshake community and these Services they provide provide those proofs um there are some problems with with Windows version because hnsd it it runs in a bit different way well first of all it's really really hard to to run an hnsd on Windows and it like it behaves in in a bit different way it doesn't allow to to use it there but on M Linux well it works fine and what I
(13:54) done I guess last summer in 2024 is POs to change between the backand that is used to to browse websites so it's possible to switch to let D that uses HD like always it has Conant connections and it's possible to change to stat name what I also had here I had here well it's a scheme about what information is presented in certificate so on the left here we have like uh who had issued this certificate and on the right is a stateless D certificate that has actually an AR arle proof that that allows me to to verify all all the
(14:38) signatures and that the website has indeed has this public ke key that is used in the certificate um well here are some additional links how to generate server Ser par certificate I'll post it to the chat just in case if someone wants to have a complaint one and I think that's all I have well well fingertip is just a user friendly version of same and uh also I remember that I've added support of wild car certificate so it's possible to issue certificates that covers all the subdomains of some domain
(15:20) and as that I already told is the choice backs and I again want to thank pric Eric Hassan another and Andre for the help is in in the development of of say and I think that's all for me he Alex that was great Alex thank you very much we got the the mirror share here yeah yeah sorry sorry no worries we make fun of we make jokes at work that was that was very cool thank you thank you for the presentation we also got a few people pretty excited about it on on X we were sharing it let's see Santiago yeah there is a question in the
(16:01) chat well there is there are two versions of fingertip like the original one it uses let day that has to have like constant connection to to hmsd and I made requests well quite some time ago and unfortunately it has not yet been merged to the main branch so yeah I guess right now my finger tip is the only version that uses same got it got it thank you for that thank you for the clarification do we have any other any other questions while we have Alexander here one oh one in the QA Q&A sorry yeah developing their own browser
(16:44) can you share any insight into what implementing saying into their browser might look like in terms of cost and developer workload well the funest thing you're not the first person that the tries to do so and well it's really complicated and it really depends on the web browser I think that what talks about Brave browser I don't know like a year ago and it really depends on the developers of the browser like are they ready to to implement it but it's it's not that easy the biggest problem is actually to to be
(17:16) to be able to run hmsd like on each platform and to incorporate it like to the browser so well I I cannot I cannot say I have no idea about the cost but in amounts of time I don't know it's it's well let's say at least half a year work because like browers they have very complex rules about like what do they do in general is there something that that you would be interested in in working on potentially yes but I'm not sure that I have the right well the right Master let's say sorry one more time the right
(17:58) what that I have that I'm able to do so got it the time okay okay well we we got you on telegram maybe if someone's really motivated they can you guys can create some yeah yeah sure you you can pin me and if if I if I don't get on board or something else at least I can try to direct to some other people that posst the very same question got it is there is there something that you think is specifically holding San back from becoming more mainstream either on a technical level or well I still think
(18:32) it's a it's the browser adoption like it would be cool not to have like any additional application not to have any proxy but to have everything in the browser okay and if it besides the browser you really don't think that there's you think that the technical technical capabilities would would be enough for it to I'm not sure I don't know yeah okay what browser need to include Bob or another side app for HS yeah hnsd theoretically I'm just reading the question not the QI theoretically
(19:00) know if it was incorporated into the browser right yeah yeah yeah and that's so it's quite probable that you will have to mimic the behavior of hnsd like to rewrite hnsd into the browser compatible way to have it in as a not non Stalone let's say application or demon but to to be the part of the browser and W it's quite complex okay okay all right Alex thank you again [Music] this event wouldn't be possible without our amazing sponsors our bronze sponsors web foundation.
(20:02) X our community sponsors handshake Australia name base de centralizers hnsm Market thank you for your support in building a decentralized future