How to view DANE/TLSA websites on Handshake with Firefox

Mike Carson
3 min readJun 17, 2020


Currently it is kind of hard to set up and view https sites on Handshake because certificate authorities won’t issue SSL certificates for Handshake TLDs, and no browsers support DANE. Browser extensions can’t even support DANE.

DANE is a more secure, DNS-based way to set up https without needing to trust a certificate authority (CA). Handshake uses DANE to eliminate the need for CAs.

One way to view https sites on Handshake is to run a script to verify the certificate and then download and install the certificate into your OS keychain. This works but it sucks because you don’t want to have to do it for every website you visit.

Another way is to use Let’s DANE as an HTTPS proxy on Firefox.

If you’re running a local hsd node listening for DNS queries, you can download the latest pre-built binary for your OS and run

./letsdane -dns udp://:53

You can also use the easyhandshake resolver:

./letsdane -dns

Firefox supports adding a proxy natively and has a built in CA store, so that you don't have to add the root CA or proxy to your whole OS. Also, using Let’s DANE as the man in the middle proxy for https, you only have to set this up once and then you can view all DANE https websites without further configuration changes.

You can set up the proxy by going to Preferences -> Network Settings and adding a manual proxy configuration which uses Let’s DANE:

Once you’ve done this, you will need to import and trust the root CA that Let’s DANE generated when it was first run. It is stored it in ~/.letsdane.

I did this by going to Preferences ->Privacy & Security and clicking “View Certificates” under the Certificates section. Then click “Import” and select the root CA generated by Let’s DANE.

You then need to trust the CA to identify websites.

And that’s it — now you can view any DANE https websites without any further config changes. Try it out:





Mike Carson