November 2nd, 2013
Namecoin was patched and the security flaw was nullified. More details are available at https://bitcointalk.org/index.php?topic=322939.0
There is an unregulated domain name system (DNS), Namecoin, that works on a decentralized, distributed network of computers. This system works apart from any organization and is maintained by a host of computers processing the networks transactions, like P2P file sharing but for domain names. The primary domain on the Namecoin system is .bit. Recently, a flaw has been uncovered that compromises the entire security of the DNS function. Namecoin is still traded as a cryptocurrency on popular exchanges, but the thing that really set it apart has been nullified.
This has widespread consequences, with over 100,000 .bit TLDs registered, Namecoin has been lauded as the most innovative of all the cryptocurrencies, though underimplimented. The formative purpose of Namecoin was to create a decentralized ledger of keypairs and keyvalues, securing them in the distributed Namecoin network.
“Libcoin”, real world name Michael Gronager is the CEO of Payward Inc and one of the developers behind the new Cryptocurrency exchange, Kraken. Libcoin was auditing the Namecoin protocol in an effort to make sure it was secure enough of an asset to trade.
“At Kraken, we give all assets we include thorough scrutiny – we don’t want to trade in an asset where its value could disappear overnight. So it was in the process of checking Namecoin and enabling libcoin to also support Namecoin that I found the issues.”
The issues were with parts of the protocol that enforced the rules and structure of .bit domain ownership. Allowing the priveledges of the registration system to give crafty users the ability to override the domain name registry protocol was the first huge flaw noticed. Then Libcoin noticed that through exploitation of that bug a person could potentially take any .bit address, registered or not, for their own. Effectively, that security flaw ruined the innovative DNS system that had been the largest draw to Namecoin. At its inception, Namecoin was designed to keep DNS out of the hands of powerful governments or corporations. Wikileaks has a registered Namecoin TLD, wikileaks.bit.
With the security of Namecoin’s future in question, Libcoin offered up the following solution to the flaw:
“You can base the consistency of the names on the first name reservation and then a cryptographically unbroken chain of transactions. So basically, the names in the name transaction becomes superfluous, except for the first name reservation. This is the new kind of check needed. I have added this to libcoin, which was easy as libcoin stores all its state in a relational database.
Namecoin, like the Bitcoin Satoshi client, uses a key-value database (BerkeleyDB) so it is a bit harder to patch, I have however sketched a full patch for the namecoin devs and they are working on it. Of course, one could restart Namecoin with rules properly enforced from the start, but I think the patch mentioned above is a more viable solution.”
So obviously there is work to be done, but it appears that Namecoin can be saved! We will be sure to keep you updated to any progress. Here’s to the future of Namecoin!