namecoin: Namecoin TLS for Firefox: Phase 6 (Negative Override Cache in C++, WebExtension Aggregation, and Coordination with Mozilla)


In Phase 5 of Namecoin TLS for Firefox, I discussed the performance benefits of moving the positive override cache from JavaScript to C++. I’ve now implemented preliminary work on doing the same for negative overrides.

The code changes for negative overrides’ C++ cache are analogous to those for positive overrides, so there’s not much to cover in this post about those changes. However, I did take the chance to refactor the API between the C++ code and the JavaScript code a bit. Previously, only 1 WebExtension was able to perform overrides; if multiple WebExtensions registered for the API, whichever replied first would be the only one that had any effect. Now, each WebExtension replies separately to the Experiment, and the Experiment passes those replies on to the C++ code. The Experiment also notifies the C++ code when all of the WebExtensions have replied. Although this does add some extra API overhead, it has the benefit of allowing an override to take place immediately if a single WebExtension has determined that it should take place, even if the other (irrelevant) WebExtensions are still evaluating the certificate.

Unfortunately, at this point I merged upstream changes from Mozilla into my Mercurial repository, only to find that there was now a compile error. I’m still figuring out exactly why this compile error is happening. It looks like it’s unrelated to any of the files that my patch touches; I suspect that it’s due to my general lack of competence with Mercurial (Mozilla’s codebase is the first time I’ve used Mercurial) or my similar general lack of competence with Mozilla’s build system.

So, until I actually get the code to build, I won’t be able to do performance evaluations of these changes. Hence why there are no pretty graphs in this post.

Meanwhile, I reached out to Mozilla to get some feedback on the general approach I was taking. (I had previously discussed high-level details with Mozilla, but this time I provided a WIP code patch, so that it would be easier to evaluate whether I was doing anything with the code that would be problematic.) This resulted in a discussion about what methods should be used to prevent malicious or buggy extensions from causing unexpected damage to user security. This is definitely a legitimate concern: messing with certificate verification is dangerous when done improperly, and it’s important that users understand what they’re getting when they install a WebExtension that might put them at risk. That discussion is still ongoing, and it’s not clear yet what the consensus will arrive at.

(It should be noted that there are some alternative approaches to Firefox support for Namecoin TLS underway as well, which will be covered in a future post.)

This work was funded by NLnet Foundation’s Internet Hardening Fund.

Original article was created by: namecoin at

Disclaimer: This article should not be taken as, and is not intended to provide, investment advice. Please conduct your own thorough research before investing in any cryptocurrency or ICO.

One more thing you may be interested in:

Interested in Cryptocurrencies and ICO's?

Follow our telegram channel for daily cryptomarket reports!

Join @cointrends

Stay on top of Altcoins and ICO trends.

Subscribe to our free Weekly Cryptomarket report

Delivered once a week, strongly to your inbox.

Subscribe to our mailing list
May 21, 2018

More Fun with tlsrestrict_nss_tool on Windows

Last episode: When we last left our hero, tlsrestrict_nss_tool had a few unfixed bugs that made it unusable on Windows. Everyone believed those bugs would be the final ones. Were they? And now, the conclusion to our 2-part special: Spoiler alert: no, of course they weren’t the final bugs! ...

From: NameCoin
May 20, 2018

Testing tlsrestrict_nss_tool on Windows

Now that we got NSS certutil reproducibly cross-compiled for Windows, initial testing has begun on tlsrestrict_nss_tool for Windows. Besides the obvious and rather boring fail that tlsrestrict_nss_tool was trying to execute cp, which of course isn’t going to work on Windows (that particular...

From: NameCoin
May 17, 2018

Reproducible Builds of NSS certutil via Cross-Compiling with rbm

In a previous post where I introduced tlsrestrict_nss_tool, I mentioned that NSS’s certutil doesn’t have official binaries for Windows, and that “At some point, we’ll probably need to start cross-compiling NSS ourselves, although I admit I’m not sure I’m going to enjoy that.” ...

From: NameCoin
May 14, 2018

Integrating ncdumpzone's Firefox TLS Mode into ncdns

I discussed in a previous post some experimental work on making ncdumpzone output a Firefox certificate override list. At that time, the procedure wasn’t exactly user-friendly: you’d need to run ncdumpzone from a terminal, redirect the output to a file, close Firefox, delete whatever...

From: NameCoin
May 12, 2018

Fixing DNAME records in madns and dns-prop279

One of the more obscure DNS record types is DNAME (AKA the Namecoin "translate" JSON field), which is basically a DNS redirect for an entire subtree. For example, currently radio.bit. has a DNAME record pointing to, which means that any subdomain (e.g.

From: NameCoin
April 19, 2018

cross_sign_name_constraint_tool v0.0.2 and tlsrestrict_nss_tool v0.0.2 Released

We’ve released cross_sign_name_constraint_tool v0.0.2 and tlsrestrict_nss_tool v0.0.2. These implement the functionality described in my previous post on Integrating Cross-Signing with Name Constraints into NSS (and the earlier posts that that post links to). With this release, in theory...

From: NameCoin
Upcoming ICO's
This week overview
Cryptocurrency rates
*Last hour average price&change
Coin Name Price Hour
Bitcoin logo BTC $8255.93 0.03%
Ethereum logo ETH $683.329 -0.21%
Ripple logo XRP $0.671178 -0.04%
Bitcoin Cash logo BCH $1178.02 -0.1%
EOS logo EOS $12.9627 0.18%
Litecoin logo LTC $132.63 -0.13%
Cardano logo ADA $0.239182 0%
Stellar logo XLM $0.320189 0.22%
Tronix logo TRX $0.0790614 -0.09%
IOTA logo IOT $1.71492 0.43%
NEO logo NEO $59.645 -0%
DigitalCash logo DASH $375.846 0.15%