The Blockchain-based ‘Handshake’ Solution: an Answer to DNS Security Issues

3 weeks ago by Sam Holland

The traditional application of any domain name system may be tried and true, but it’s prone to vulnerabilities and censorship. The new network solution, ‘Handshake’, introduces a decentralised—namely blockchain-based—angle on DNSs that could be the answer.

While, in itself, a domain name system, aka DNS—a network of PCs that translate user-friendly host names into computer-readable internet protocol (IP) addresses—shows no signs of stopping, it is chiefly the centralisation involved in conventional approaches to DNS that leads to security issues for all manner of internet users.

Let’s start with a look at why this is, before ultimately considering the ways in which Handshake and its use of blockchain can combat the below-mentioned problems.


The Potential Flaw in How DNS Operates

As touched on, the DNS solution itself is here to stay, and for good reason: put simply, whenever you enter a website address, your browser requests, via DNS, for the address to be translated into the correct internet protocol number—conveniently translating the user-friendly front-end information (URL) to its machine-readable digits (IP) at the backend.


A diagram that displays the internet's exchange of information via the domain name system, which occurs when a user inputs a website address. Image courtesy of HowStuffWorks via Wikimedia Commons.


For this reason, the DNS certainly earns its nickname as the ‘internet phonebook’; however, its major room for improvement is in the said centralised nature that it currently utilises. The system’s current setup involves a DNS database that is overseen by certificate authorities (CAs)—as opposed to it being achieved on a free and open-source software basis, as is the case with Handshake, which last year raised $200,000 for such a communal initiative.

The chief purpose of CAs is to ascertain that the user connects to the correct and secure server (or node) when they access a webpage, which is achieved by their issuing and validating the website’s certificate, which is usually Transport Layer Security (the successor to Secure Sockets Layer)-based.


The result of visiting and clicking on ‘Certificate’, having accessed the padlock icon in Chrome's address bar. Note the name ‘GlobalSign’: a chief example of a certificate authority.


So far, so good—but the question still must arise: how reliable are the CAs that maintain such security protocols? As discussed below, the experts behind Handshake believe they are overly trusted by internet users, and should not be part of a centralised network.


Where Handshake Comes in

CAs are, according to Handshake’s whitepaper, largely “for-profit corporations or other actors who may not have long-term incentive towards stewardship of the internet”. Accordingly, a principal issue is that even some root CAs, i.e. the few organisations that are automatically trusted by major browsers and OSs, are vulnerable to breaches, such as via man-in-the-middle attacks, e.g. DNS spoofing, to name just one.

The fact that the very certification system can be attacked, which by extension means internet-wide vulnerabilities, again points to the issue of centralisation.

Accordingly, Handshake aims to enhance (rather than replace) the use of the current DNS setup, particularly in regards to its centralised nature and reliance on CAs. Its method of doing so involves a decentralising, blockchain-based solution.

We’ve discussed Handshake’s interest in overshadowing the current interest in CAs, but another reason for the centralised nature of the DNS comes down to a non-profit organisation in Los Angeles, ICANN: the Internet Corporation for Assigned Names and Numbers. ICANN oversees their DNS root server itself, and it is also responsible for assigning to websites top-level domains (TLDs), such as ‘.com’, ‘.org’, and so on.

One reason for public concerns over ICANN is that, as a standalone authority on DNS supervision, it could, for various reasons (such as government pressure) censor, even potentially shut down abruptly, website content. And while it does deny that it is ‘the internet police’, the point still stands that, again, the internet may have ‘too many eggs in one basket’.

Ultimately, both the said vulnerability of CAs and the fundamental centralisation of ICANN’s responsibilities are sidestepped by Handshake, as its application of blockchain means that it is theoretically tamper-proof. This is as it is based on a network of computers (rather than human-based organisations) that cryptographically store the relevant data in a decentralised structure—meaning that there is none of the single point of failure seen in traditional DNS-handling protocols.


Handshake, which was released late last year, is a project and protocol led by Joseph Poon, the creator of Bitcoin's Lightning Network.