waxwing
|
|
October 29, 2014, 01:42:54 PM |
|
This is jaw-dropping!
I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straight forward and without unexpected behavior or any other obstacles.
Good to hear. As you can see, this thread hasn't been very active recently. You're welcome to post any thoughts/queries etc. here, or you can join us on IRC (freenode) at #tlsnotary-chat, or your can post an issue on github ( https://github.com/tlsnotary/tlsnotary), or you can even take a look at the nascent discussion forum https://tlsnotary.org/smf (we're trying to put together a proper website, but it's not done). So I guess that's enough options. Now we just need a few more people like you to test it out
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
oakpacific
|
|
October 29, 2014, 01:53:30 PM |
|
This is jaw-dropping!
I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straight forward and without unexpected behavior or any other obstacles.
Thanks a lot, still, worth it to remind again to log out before you send anything to a real human!
|
|
|
|
dansmith (OP)
|
|
February 19, 2015, 07:11:01 PM |
|
We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where bank lost the buyer's payment. Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties. Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times.
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2349
Eadem mutata resurgo
|
|
February 19, 2015, 08:32:46 PM |
|
We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where bank lost the buyer's payment. Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties. Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times. So the buyer proved they had actually made the bank transfer using TLSnotary also? And seller was able to prove he hadn't received (yet) because bank had lost the payment. Interesting that a bitcoin-centric system for removing trust has been used to prove legacy banking error ... good work.
|
|
|
|
oakpacific
|
|
February 19, 2015, 09:41:40 PM |
|
We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where bank lost the buyer's payment. Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties. Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times. So the buyer proved they had actually made the bank transfer using TLSnotary also? And seller was able to prove he hadn't received (yet) because bank had lost the payment. Interesting that a bitcoin-centric system for removing trust has been used to prove legacy banking error ... good work. AFAIK, the seller provided a proof, then the buyer was advised to press his bank more, who is later found to be the party at fault.
|
|
|
|
waxwing
|
|
March 29, 2015, 12:21:30 PM Last edit: March 29, 2015, 12:33:07 PM by waxwing |
|
Feel free to read the latest blog post and try out the new version (only proof of concept, but functional): https://tlsnotary.org/wp/?p=27Simple explanation: audit a page and get a .audit file. You can give it an auditor later - where 'auditor' means anyone . It's transferrable (it's as if the server had signed the page with a digital signature). You perform the audit with a remote 'notary server', which knows basically nothing: there is no login, no credentials, you don't give the notary server either your html or the encrypted version of your html. It sees nothing except the server pubkey. It just provides you with some preliminary random secrets and then signs that you received the completed version of the secrets after you committed to a hash of your encrypted data. Well, a little more detail in the blog post above. Note that although there isn't much going on at the main repo https://github.com/tlsnotary/tlsnotary at the moment, there is a lot of work being done in other places. In a little while I might throw up a couple of .audit files so others can look at them (you can just run the auditor script locally to verify a .audit file's validity).
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
waxwing
|
|
March 30, 2015, 02:54:11 PM |
|
You can try verifying an example audit, see the notes here: https://tlsnotary.org/audits.htmlThe example given is a file proving a PM I received on reddit from dansmith. You can verify it's authentic in about 10 seconds by running the `python tlsnotary-auditor.py <audit filename>` in the src/auditee directory of the repo https://github.com/AdamISZ/taas-poc-1-auditee. Hopefully others will add a few similar .audit files there for experimentation. A reminder, it needs openssl for the signatures; for Linux/MacOS it'll be there by default, but if you're on Windows you may not have that (this will change at some point, it's just for proof of concept).
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
waxwing
|
|
April 27, 2015, 07:14:50 PM |
|
https://www.tlsnotary.org/pagesigner.htmlPageSigner is a drastic simplification of the user experience of TLSNotary. You can get a file which proves you visited a webpage with one click in Firefox. No need for Python, key management, or delays (it takes a few seconds). You can pass the file to an auditor at any later date and they can verify it. Watch the walkthrough video on the above page and let us know what you think. There's a lot more to say, but feel free to give it a try and get back to us with any questions.
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2349
Eadem mutata resurgo
|
|
April 27, 2015, 10:02:00 PM |
|
https://www.tlsnotary.org/pagesigner.htmlPageSigner is a drastic simplification of the user experience of TLSNotary. You can get a file which proves you visited a webpage with one click in Firefox. No need for Python, key management, or delays (it takes a few seconds). You can pass the file to an auditor at any later date and they can verify it. Watch the walkthrough video on the above page and let us know what you think. There's a lot more to say, but feel free to give it a try and get back to us with any questions. Sounds like a major milestone. I'll test it out.
|
|
|
|
waxwing
|
|
May 08, 2015, 07:39:47 PM |
|
Chrome is now supported (same link as before, short walkthrough for installation provided there; Firefox is a one (ish) click install, but Chrome requires pushing a few buttons in the correct sequence )
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
waxwing
|
|
May 09, 2015, 02:22:51 PM Last edit: July 05, 2015, 04:48:09 PM by waxwing |
|
From a discussion about a particular use case on IRC (API access), I feel like it's worth laying out the tradeoffs between three technologies: (Edit: this table was not well designed: a 'yes' means 'using this feature/technology'. So if there are two 'yes'es on one row, it means combining those technologies together). tlsnotary | website's digital signature | (amazon aws) oracle | Provides... | no | yes | no | Non-repudiable data (the webserver signs the webpage). The webserver chooses what to sign. Rarely used, controlled by webserver. | no | no | yes | Proof that the oracle ran the code that's claimed | yes | no | no | Proof to *one* party that the webpage is genuine | yes | no | yes | Non-repudiable proof if the oracle signs the hash of the page (i.e. like digital signature) |
Consider the application: API access. Oracle only looks like a good choice: write the oracle to retrieve the webpage (just ping it with a url, it sends back the result) - note that the oracle could then append its *own* digital signature, to provide the non-repudiability you're looking for. This does, however, require giving the oracle control of the API credentials (which conceivably *could* be OK, but at the very least it means passing it outside your machine). Using the last row of the table (which is what pagesigner uses) is more complex but has the advantage of putting a wall between the credentials needed for access and the oracle. Also having the oracle be the source IP address of https requests could have disadvantages.
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
waxwing
|
|
May 15, 2015, 04:36:09 PM |
|
Browserless pagesigner: https://github.com/tlsnotary/pagesigner-browserlessThis allows you to notarize a page from the command line, enabling automation. This version was created in response to someone who's creating an oracle for real world data; with this, they can use pagesigner to query an API (with their credentials) and generate a proof of data recorded by an authoritative website. See the README for usage notes.
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2349
Eadem mutata resurgo
|
|
May 16, 2015, 02:32:40 AM |
|
Neat how this project is branching out naturally based on the original concept.
|
|
|
|
|
Sylz
Newbie
Offline
Activity: 3
Merit: 0
|
|
October 12, 2015, 12:13:16 PM |
|
Hi,
Could tlsnotary be applied to wallets and prove a payment was made? Saw implimantation to SSL, but I think for crypto payment it should be done differently.
Tnx
|
|
|
|
dansmith (OP)
|
|
October 13, 2015, 06:48:32 PM |
|
@Sylz, I'll need much more context for what you are asking, but the short answer is you can use tlsnotary-based PageSigner to create a transferable proof of e.g. blockchain.info's webpage showing the payment/transaction.
|
|
|
|
HostFat
Staff
Legendary
Offline
Activity: 4270
Merit: 1209
I support freedom of choice
|
|
December 01, 2016, 11:16:54 AM |
|
It isn't working currently. Is there anyone that can run an alternative?
|
|
|
|
|