Visiting HNS websites in your browser securely requires two pieces of software:
There are many methods to visit HNS websites on your computer and there are trade-offs for each method.
Security: HIGH
Privacy: HIGH
Decentralization: HIGH
Convenience: MEDIUM
Complexity: HIGH
HSD is the most bullet-proof piece of Handshake software available. It verifies every single transaction and every single block against every single protocol rule we have. It has the best security practices and the best privacy. It does complete recursive domain name resolution from the HNS root zone all the way down. letsdane is the best tool available for verifying DANE and establishing HTTPS connections to websites hosted on Handshake domains. It checks all DNSSEC records served by hsd and checks the certificate offered by the web server. Every cryptographic signature is verified. If a user installs both of these on the computer they are browsing from, there is very little surface for attack: your browsing history remains private and all data transmitted and received is private and secure.
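The certificate check a DANE verifier performs comes down to matching the server's certificate against a TLSA record (RFC 6698) that arrived over validated DNSSEC. The Go sketch below is an added example, not code from letsdane or hsd: `tlsaMatches` and `selfSigned` are hypothetical names, the certificates are generated sample input, and DNSSEC validation and certificate-usage handling are assumed to happen elsewhere.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// tlsaMatches applies a TLSA selector and matching type (RFC 6698); unknown values fail closed.
func tlsaMatches(selector, mtype uint8, data []byte, cert *x509.Certificate) bool {
	in, ok := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	if !ok {
		return false
	}
	switch mtype {
	case 0: // no hash: compare the selected bytes as-is
	case 1:
		h := sha256.Sum256(in)
		in = h[:]
	case 2:
		h := sha512.Sum512(in)
		in = h[:]
	default:
		return false
	}
	return bytes.Equal(in, data)
}

// selfSigned returns a throwaway certificate (constructed sample input, not a real site's).
func selfSigned() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err) // also trips if certificate creation above failed
	}
	return cert
}

func main() {
	site, other := selfSigned(), selfSigned()
	pin := sha256.Sum256(site.RawSubjectPublicKeyInfo) // data of a "3 1 1" record
	fmt.Println(tlsaMatches(1, 1, pin[:], site), tlsaMatches(1, 1, pin[:], other))
}
```

A certificate presented by anyone who does not hold the pinned key fails the match, which is why the resolver-only methods on this page, which skip this step, cannot be rated as secure.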
Security: HIGH
Privacy: MEDIUM
Decentralization: MEDIUM
Convenience: MEDIUM
Complexity: HIGH
Users install and launch the software, and the light client syncs the blockchain (this may take one minute or more). The user must add a locally generated certificate to their browser's trusted certificate store, then configure the browser to send all HTTP requests through the proxy so that DANE can be verified. This can be configured for a single browser like Firefox, or the entire operating system can be run through the software. Light clients rely on hsd full nodes on the Handshake p2p network for block headers. This means that only SOME of the HNS consensus protocol is verified, like proof-of-work. External full nodes are required to resolve top-level domains from the HNS root zone. All data is verified, but the hsd full nodes you connect to will learn the top-level domains you are looking up.
Guides are available for connecting Fingertip to Firefox, and there is a video demonstration for connecting Fingertip to Chrome or Safari at the operating-system level.
Beacon Web Browser (currently only released for iOS)
Security: HIGH
Privacy: LOW
Decentralization: MEDIUM
Convenience: LOW
Complexity: LOW
Beacon is a web browser that works a lot like Fingertip but is self-contained. It is convenient since it requires no setup, but inconvenient since it requires a user to abandon their current default browser. The technical mechanism is similar to Fingertip but Beacon does not do recursive name resolution, meaning it relies on external DNS-over-HTTPS servers. It leaks domain names to those servers, but still verifies all data using the blockchain data it keeps internally from hnsd. If Chrome / Safari / Brave / Opera ever adopt Handshake in a meaningful way, this method will probably be the best we can hope for.
Security: LOW
Privacy: HIGH (hsd) / MEDIUM (hnsd)
Decentralization: HIGH (hsd) / MEDIUM (hnsd)
Convenience: MEDIUM
Complexity: HIGH
A user can install their own HNS resolver but neglect to install the DANE verifying software. This user will be able to browse to websites hosted on HNS domain names BUT NEVER SECURELY. This user cannot establish an HTTPS connection but can still "see" HNS websites, assuming the web server allows HTTP connections without requiring or enforcing security. A user can even run hsd on a server and connect to it remotely. This is technically an external resolver and will require additional security (SIG0) to ensure that the received data is authentic.
HNSDoH
resolvr
HandshakeNames
Bob Wallet Chrome Extension
Security: LOW
Privacy: LOW
Decentralization: LOW
Convenience: HIGH
Complexity: LOW
Access Handshake domains by getting DNS records from a public resolver. The most important thing to know about this method is that SOMEONE ELSE IS VERIFYING THE BLOCKCHAIN, NOT YOU. Since the blockchain is the root of all "trust" in this system, you are outsourcing absolutely everything, including security and privacy. It may be possible to run a letsdane proxy in addition to these resolvers and establish a secure HTTPS connection between your browser and the web server. However, since the blockchain data is being served to you from an untrusted source, we cannot classify this method as truly secure. This is currently how Brave actually resolves "decentralized domain names" such as Unstoppable Domains and Ethereum Name Service.
Security: EXTREMELY LOW
Privacy: LOW
Decentralization: LOW
Convenience: EXTREMELY HIGH
Complexity: LOW
Users are presented with an illusion that they can "see" websites hosted on HNS domains, but really they are looking at a website hosted on a legacy ICANN domain name. If there is any HTTPS security offered at all, it is anchored in a legacy certificate authority. The server knows the entire URL you are looking up and knows all data you send to and receive from the web server. The proxy CAN ALTER DATA you send to or receive from the web server, including links. This is currently how Puma browser resolves Handshake domains. This is marked as extremely low security because the proxy can view and edit any traffic.
NEVER USE A PROXY TO ENTER PASSWORDS OR SENSITIVE INFO.
Can you trust the authenticity of the content you see in the browser? Can you enter private, personal or sensitive data into a website? Most browsers offer a "lock" icon in the URL bar when an HTTPS connection is established, meaning the answer to both these questions is "yes". Eavesdropping on your connection is impossible, and altering the data sent between you and the web server is impossible. It's important to remember that HTTPS requires proper configuration by the website and domain name owners as well. Just because you have set up the proper tools on your computer does not mean every website is secure.
Do any other entities (besides your browser and the web server) know what websites you are visiting?
How many other services do you rely on for this connection? How easy is it for your connection to get censored or terminated outside of your control?
How easy is it to configure your computer to use this method?
Related to convenience. What percentage of the internet population is capable of executing all the necessary steps to correctly execute this method?