The next time you type the name of a website into your browser, pause for a second to think about what happens after you press “enter.”

What happens is that your browser sends that name—technologyreview.com, say—to a network of computers called the Domain Name System. The DNS is often called the internet’s phone book, and it converts (or in internet parlance, “resolves”) website names into IP addresses—in this case, 23.92.17.190. These numbers are what allow your browser to find the right server on the internet and connect to it.

We use the DNS because most humans are bad at keeping track of long numbers. It doesn’t get much attention; you don’t normally have to think about what the DNS is doing in the background. But you do have to trust it, which means trusting a handful of organizations that have been charged with keeping the DNS working and secure.


To people like Steven McKie, a developer for and investor in an open-source project called the Handshake Network, this centralized power over internet naming makes the internet vulnerable to both censorship and cyberattacks. Handshake wants to decentralize it by creating an alternative naming system that nobody controls. In doing so, it could help protect us from hackers trying to exploit the DNS’s security weaknesses, and from governments hoping to use it to block free expression.

The system would be based on blockchain technology, meaning it would be software that runs on a widely distributed network of computers. In theory, it would have no single point of failure and depend on no human-run organization that could be corrupted or co-opted. Handshake’s software is a heavily modified version (or “fork”) of Bitcoin, and just as Bitcoin’s network of miners protects the cryptocurrency from manipulation and makes it virtually impossible for authorities to shut down, a similar network could keep a permanent, censorship-resistant record of internet names.

The Handshake team is far from the first to try to create a decentralized naming system for the web. But unlike previous efforts, Handshake isn’t trying to replace DNS but to work with it. “The point is to create an alternative, resilient network for people to fall back on,” says McKie.

Zooko’s Triangle

What’s in a name? In the real world, multiple things or people can have the same one. In computer network protocols, the answer is more specific. A principle called Zooko’s Triangle, after cryptographer Zooko Wilcox-O’Hearn, holds that an ideal name should have three distinct qualities.

First, a name should be secure. When you type a website’s name into your browser, you should be able to trust that the response didn’t come from an imposter. Second, an ideal name should make sense to humans as well as to computers. Finally, no central authority should be able to censor or block it. “That’s the leg of the triangle that they skip to get it to work,” says Joseph Bonneau, an assistant professor of computer science at New York University.

The organization with the most centralized power over the DNS is a Los Angeles–based nonprofit, the Internet Corporation for Assigned Names and Numbers. ICANN is responsible for overseeing the so-called DNS root, the highest level of the hierarchical global network of DNS servers. ICANN is also responsible for allocating new “top-level domain names,” which include .com, .org, .net, and most two-letter country codes.

Advocates of freedom of expression online have long warned that relying on a single, bureaucratic organization both to oversee the DNS root and to assign top-level domains is dangerous. They worry that ICANN could decide, perhaps under pressure from certain governments or corporations, to censor the internet by removing names from the DNS, or by prohibiting the use of certain names to begin with.

Besides ICANN, there’s yet another class of organization whose job Handshake aims to decentralize. See that little padlock icon in your browser bar, to the left of the domain name? That means your computer has verified that your connection to this website is encrypted and that the site is authentic, not a fake one designed by a criminal trying to steal your login credentials. It does that by checking the veracity of a string of numbers called the site’s digital certificate, issued by one of a number of so-called certificate authorities. These entities, many of which are for-profit companies, are crucial to internet security.

They can also get hacked. And if one gets breached, and an attacker can start issuing fake certificates, it undermines the security of the whole internet. But if website names are managed on a tamper-resistant blockchain, then you don’t need certificate authorities; the naming system itself can provide the guarantee that the site you’re connected to is real. That’s what Handshake aims to do.


Learning from Namecoin

The idea that a blockchain could be used to uphold Zooko’s Triangle has appealed to enthusiasts from almost day one. A project called Namecoin, which is widely believed to be the first fork of Bitcoin, is still up and running after launching in April 2011. Like Handshake, Namecoin lets people buy their own domain names and record them on a blockchain. But it hasn’t caught on, at least outside a small number of enthusiasts. In 2015, Bonneau and several colleagues took a close look at Namecoin and found “a system in disrepair.” Of 120,000 registered names, only 28 actually seemed to be in use.

Handshake takes advantage of a number of tools and technologies that were unavailable or impractical for Namecoin, says McKie. For example, Namecoin allocates names on a first come, first served basis. This has encouraged “name squatting”—people can register any name they can think of, regardless of whether they intend to build a website with it, hoping to cash in later if someone wants to use it for real. Handshake, by contrast, uses what’s called a Vickrey auction, a sealed bidding process in which the highest bidder wins but pays the price of the second-highest bid. This, at least in theory, gives bidders an incentive to bid what a name is actually worth to them.
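The sealed-bid, second-price rule described above, as an added example that is not from the article or from Handshake's own code. Sealing each bid as a SHA-256 commitment that is opened in a later reveal phase is an assumption made here to model "sealed"; the function names, the tie rule, the reserve price and the sample bids are all constructed.

```python
import hashlib
import hmac
import secrets


def commit(bidder: str, amount: int, nonce: bytes) -> str:
    """Sealed bid: a hash binding the bidder, the amount and a secret nonce."""
    msg = bidder.encode() + b"|" + str(amount).encode() + b"|" + nonce
    return hashlib.sha256(msg).hexdigest()


def settle(commitments: dict, reveals: list, reserve: int = 0):
    """Open revealed bids; return (winner, price_paid) or None if no valid bid.

    commitments: bidder -> commitment hex recorded during the bidding phase
    reveals:     (bidder, amount, nonce) tuples submitted in the reveal phase
    """
    valid = {}
    for bidder, amount, nonce in reveals:
        expected = commitments.get(bidder)
        # Skip unknown bidders, bids under the reserve and repeated reveals.
        if expected is None or amount < reserve or bidder in valid:
            continue
        # A reveal whose amount or nonce differs from the sealed bid fails here.
        if not hmac.compare_digest(expected, commit(bidder, amount, nonce)):
            continue
        valid[bidder] = amount
    if not valid:
        return None
    # Highest bid wins; ties go to the earliest valid reveal (assumed rule).
    ranked = sorted(valid.items(), key=lambda kv: -kv[1])
    # The winner pays the second-highest bid, or the reserve when unopposed.
    price = ranked[1][1] if len(ranked) > 1 else reserve
    return ranked[0][0], price


def demo():
    # Constructed sample bids; names and amounts are illustrative only.
    bids = {"alice": 500, "bob": 320, "carol": 410}
    nonces = {name: secrets.token_bytes(16) for name in bids}
    commitments = {n: commit(n, a, nonces[n]) for n, a in bids.items()}
    reveals = [(n, a, nonces[n]) for n, a in bids.items()]
    # Bob tries to raise his bid at reveal time; his commitment no longer matches.
    reveals[1] = ("bob", 600, nonces["bob"])
    return settle(commitments, reveals)


if __name__ == "__main__":
    print(demo())
```

Alice bids 500 but pays Carol's 410, so raising or lowering her bid within the winning range would not have changed her price, only whether she won.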

Handshake’s software will also be more efficient at storing name data, and easier to use than Namecoin’s, McKie says. Instead of requiring each user to run what’s called a “full node,” which entails downloading a copy of the entire Handshake blockchain with all the domain names stored on it (and requires a certain technical proficiency), Handshake also has a “light client” that can retrieve addresses from the network as needed and can be bundled in an easy-to-use browser extension, he says.

Perhaps most important, Handshake, unlike Namecoin, doesn’t compete with the traditional DNS but is compatible with it. The top 100,000 most popular domains are already in its chain. If you enter one of those names, and if the owner hasn’t yet registered with Handshake, the software will simply redirect your request to regular DNS servers, says McKie: “If it doesn’t exist on Handshake, it’s just going to fall back, redundantly, to the normal web.”

If you build it, will they come?

Why would anyone actually use Handshake, though?

Some people might like the fact that names on Handshake won’t have to follow established conventions. I can’t register http://mike.orcutt on traditional DNS, for example—ICANN won’t create a top-level domain called .orcutt for me—but I could on Handshake.

The advantages might be more obvious in nations with heavy censorship and surveillance, says Tieshun Roquerre, CEO of Namebase, a company that will help users easily buy and register names on Handshake. For instance, website owners in China must register with their real names. Since the government controls the internet service providers, it can easily use the DNS to shut down websites it doesn’t like. “With Handshake, you can register these names anonymously and it’s unstoppable,” says Roquerre. Even if the government found the web server somehow, the owner could switch to another one, maybe located in a different country, and update the name records.