To me one of the most interesting purported features of the IC is that browsers can interact directly with dapps, and that the integrity of the apps does not depend on trusting any single datacenter or trusting Dfinity.
Dominic has written that the IC can serve HTTP requests directly from cyberspace into browsers, and that Dfinity will not be running any HTTPS front-end infrastructure, and that it doesn’t depend on any external infrastructure.
If Dfinity was proxying HTTPS requests into the IC then there’d be a single trust point and it couldn’t fulfil its promises to be censorship-resistant, tamperproof, unstoppable, etc.
So I’d like to understand more just how this comes about, technically, to get a grasp on the security of the IC.
Let’s take the case of a browser trying to access the LinkedUp app at https://7kncf-oidaa-aaaaa-aaaaa-aaaaa-aaaaa-aaaaa-q.ic0.app/ (down at the moment though, but it will do for an example.)
To open the app from a browser a few key things have to happen:
- Resolve that domain name to an IP address. The browser then opens a TCP connection to that address.
- The incoming connection is routed to a server machine somewhere, possibly through some kind of layer 3 load balancer.
- TLS negotiation with the server.
- Routing the HTTPS request into the actor and sending the results back.
All of these seem pretty challenging to do in a distributed trustless way.
As of today, DNS, LB, TLS and HTTPS all seem to be handled by CloudFlare, but I presume you’re going to move away from them before the public launch, to fulfil the promise of not relying on Big Tech vendors. The SSL Cert is also from CF.
DNS: Ultimately the request gets answered by a single authoritative server somewhere. Who runs that? How do you know they don’t lie? There is no consensus protocol in DNS.
Routing to a server: Only one machine terminates the TCP connection. How do you choose it? If you send it to a DC run by one operator, it seems they can return arbitrary results?
TLS: Whichever machine terminates the connection has access to the SSL cert for
*.ic0.app (or maybe some subdomain?) and can arbitrarily MITM connections to any app hosted in that domain. Whether this is run by Dfinity or some datacenter or by CloudFlare it doesn’t seem any more tamperproof than current infrastructure.
Request routing to actors: Here too, it’s passing through a single machine run by someone, who can arbitrarily change the request and response…
How is the IC going to do any better than CF in any of these stages?