Paul Frazee [LibreList] Re: [redecentralize] GNU Internet Stack / youbroketheinternet.org 2013-12-30 11:45:20
You may be right. I need to see how the alternatives perform in real use-cases. I think it'll be difficult to make feature parity with HTTP from greenfield projects, which is why I'm skeptical. For instance, GNUnet's protocol is restricted to file-sharing, while HTTP can do file sharing, social networking, video-streaming, etc with dynamic backends. So I'm inclined to say, keep HTTP, improve on its usage model, then mix in new protocols like GNUnet that HTTP absolutely can't mimic.

Regarding WebRTC, the central dependency is signal routing and IP discovery. You can distribute that system with lots of HTTPS hosts, but you still need to address vulnerabilities in DNS and SSL and consider the possibility of a compromised host. That's the same security outlook of most of the Web. The difference is that breaching those systems should be or is illegal, whereas tracking users in a CMS is not, and the latter is what WebRTC solves for us.

Looked up that HN thread on OkTurtles to see where the Namecoin conversation landed. Found an interesting idea at https://news.ycombinator.com/item?id=6964090

I think it's interesting to look at what existing entities do when faced with DNS MITM and takedowns. The various torrent searchers and anti-censorship entities just diversified the TLDs they depend upon. So when their ".com" or ".net" domain gets taken down or man-in-the-middled, they tell their users to shift to .is, .ch, .se or some other TLD with a different regulatory framework, thus avoiding a single point of failure.
 
If a new mechanism depends on the inconvenience of a browser extension anyway, why not automate the process people already use? For example "colmmacc.multi" could be intercepted by an extension and translated into 5 DNS requests against say SHA-2("colmmacc").[com|ch|ly|se|is] and the extension could use a simple majority quorum of the answers to defend against a tampered response. Of course it means you have to register and host your domain 5 times, but that's pretty cheap these days.
 
Other nice properties: works with all existing DNS security mechanisms (including DNSSEC or DNScurve), provides security against registrar or registry level tampering or compromises. Hash of the domain makes it hard for registries to block domains (they have no idea what the name is until it is popular) and also resets the clock on squatters.


On Mon, Dec 30, 2013 at 5:42 AM, Francis Irving <francis@flourish.org> wrote:
My instinct is that long game, they're right and HTTP is fatally
flawed.

It is a fundamentally centralizing protocol - the domain in a URL is
both the name of the resource *and* the place you go to get that
resource.

Short term is another matter. There are lots of incremental things
people can and should do now.


The dig at WebRTC is uncalled for - yes, right now you have to have
some other identity system to use it, and that is necessarily
central. But it's an open standard, pluggable component that can be
used in lots of ways.

If you have some other decentralized identification system, you can
then use WebRTC on top of it somehow later.

Francis

On Sun, Dec 29, 2013 at 09:46:31PM -0600, Paul Frazee wrote:
> No kidding about the diagram.
>
> Interesting statement on http://youbroketheinternet.org/map
>
> Because the web browser is so overladen with surveillance functionality
> > such as cookies, invisible counters, e-tags and plenty of Javascript doing
> > what the server tells it to. Now comes WebRTC which relies on web servers
> > for authentication and thus enables them to run a man in the middle attack,
> > and AJAX, which took off as the foundation of the web 2.0 and landed as a
> > surveillance tool. Should we want to do web-based user interfaces, we'll
> > have to use a custom browser with disabled HTTP support.
>
>
> I'm not sure they justify dropping HTTP support.  Aren't these issues with
> the access policies in the browser? I'm slow to let go of the legacy and
> relative simplicity when incremental fixes are still possible.
>
> They also knock on X.509 and DNS in that page. There's been some talk about
> namecoin. Anybody follow that closely enough to comment?
>
> Regarding WebRTC's MITM vulnerability, I wonder about using
> http://www.w3.org/TR/WebCryptoAPI/ someday to do client certs, though
> tcpacek's FUD about client-side crypto is hard to ignore. Any counter
> thoughts?
>
>
> On Sun, Dec 29, 2013 at 7:49 PM, Francis Irving <francis@flourish.org> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Wow, that's a pretty hardcore diagram!
> >
> > Any key projects on it that are missing from this list?
> > https://github.com/redecentralize/alternative-internet
> >
> > Francis
> >
> > On Sun, Dec 29, 2013 at 06:08:24PM +0000, Benjamin Heitmann wrote:
> > > Hello there,
> > >
> > > I found this via the 30C3 coverage, it's very relevant,
> > > however I did not see it mentioned here, so I thought I would share it:
> > >
> > > http://youbroketheinternet.org/
> > >
> > > encourages projects to make a new internet stack from low level
> > infrastructure all the way up to
> > > end user applications.
> > >
> > > I wanted to attach a picture which assigns various projects to
> > different levels of the stack,
> > > but the picture is too big.. ;)
> > >
> > > All in all a very interesting umbrella project.
> > >
> > > cheers, Benjamin.
> > >
> > >
> > > --
> > > Benjamin Heitmann, BSc, MSc
> > > PhD Researcher
> > > Unit for Information Mining and Retrieval (UIMR)
> > > Digital Enterprise Research Institute (DERI)
> > > NUI Galway, Ireland
> > >
> > > publications and slides:
> > > http://www.deri.ie/about/team/member/benjamin_heitmann/
> > > http://www.slideshare.net/metaman/
> > > https://www.researchgate.net/profile/Benjamin_Heitmann/
> > >
> > > public PGP key available at: http://keys.gnupg.net/
> > >
> >
> >
> >
> > - --
> > Do *you* have an awesome idea you never quite manage to do?
> > http://www.awesomefoundation.org/en/chapters/liverpool/
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.12 (Darwin)
> >
> > iEYEARECAAYFAlLA0ScACgkQhRiKo+HhcsDhRACfRCwVZumd3gxZcffzxGjJQ+B8
> > 4agAoIRkz1+rNCm1lN5T6s6S9pUc/XUx
> > =Lppo
> > -----END PGP SIGNATURE-----
> >

--
Do *you* have an awesome idea you never quite manage to do?
http://www.awesomefoundation.org/en/chapters/liverpool/
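
Added example, not part of the original thread: a sketch of the ".multi" lookup quoted in Paul Frazee's message above (hash the label, query it under five TLDs, accept a simple-majority answer). The choice of SHA-224, the injected `lookup` callback and the sample addresses are assumptions made here, not details from the post.

```python
import hashlib
from collections import Counter

TLDS = ("com", "ch", "ly", "se", "is")  # the five TLDs named in the post


def candidates(name, tlds=TLDS):
    """Map 'colmmacc.multi' to one hashed domain per TLD."""
    label, _, suffix = name.lower().rpartition(".")
    if suffix != "multi" or not label:
        raise ValueError("not a .multi name")
    # Assumption: SHA-224. A SHA-256 hex digest is 64 characters, one more
    # than the 63-octet limit on a DNS label; SHA-224 (56 characters) fits.
    digest = hashlib.sha224(label.encode("utf-8")).hexdigest()
    return [f"{digest}.{tld}" for tld in tlds]


def quorum(answers):
    """Return the record set a strict majority of *queried* domains agree on.

    answers maps domain -> iterable of addresses, or None for a failed lookup.
    The threshold counts every domain queried, not only those that answered,
    so suppressing replies (a takedown) cannot lower the bar for a forger.
    """
    needed = len(answers) // 2 + 1
    votes = Counter(frozenset(a) for a in answers.values() if a)
    if not votes:
        return None
    records, count = votes.most_common(1)[0]
    return set(records) if count >= needed else None


def resolve_multi(name, lookup):
    """lookup(domain) -> addresses or None; injected so this runs offline."""
    return quorum({d: lookup(d) for d in candidates(name)})


def demo_lookup(tampered=(), down=()):
    """Constructed resolver: documentation-range addresses, no network."""
    def lookup(domain):
        tld = domain.rsplit(".", 1)[1]
        if tld in down:
            return None                 # domain seized or unreachable
        if tld in tampered:
            return ["203.0.113.66"]     # forged answer
        return ["192.0.2.10"]           # answer published by the owner
    return lookup
```

With one TLD tampered and two taken down, only two of five answers agree, so `resolve_multi` returns `None` rather than trusting either side; a forger who controls three of the five registrations still wins the vote.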
