Important Community Update on ic0.app domain being flagged by an anti-spam blocklist

February 19, 2023 Edit: Spamhaus has removed ic0.app from its blocklist.

1. TL;DR

On February 15 2023, Spamhaus, an organization that publishes a Domain Block List used by some service providers, added the ic0.app domain to its blocklist. The immediate impact is that the usage of ic0.app on social media or emails may be flagged as spam. A further potential consequence may be that some ISPs may no longer route traffic to the ic0.app domain. As a result, some users may no longer be able to directly access the dapps on the Internet Computer (IC) that use the ic0.app domain. Currently, no such cases are known but to address this risk this post explains to users what they can do as a precautionary measure and how they could regain access.

As an immediate action, we recommend that all users:

  • Create a recovery phrase for your Internet Identity anchors if you have not already done so (How to create a recovery phrase). Please note that a recovery device cannot be used to access your account on the new URL, you must use a phrase.
  • Reset your Internet Identity recovery phrase if you cannot remember or have lost your existing phrase (How to reset your recovery phrase).
  • Set up your Internet Identity anchors to be usable with the newly introduced URL identity.internetcomputer.org. Please note that we are working on UX improvements that will make the process easier. UPDATE: Now that ic0.app has been removed from the block list, we recommend that users wait to migrate their devices until we complete work on the migration path. In case of an emergency, make sure that you have a usable recovery phrase following the instructions listed above.

Last but not least, it is worth noting: DNS blocking is a very common industry practice. Indeed, there are many blocklists around the world with varying policies. Every ISP and/or government does some form of this for legal, security or content policy reasons. Domains which serve user-generated content / apps have a history of being at risk of DNS block lists.

2. Background

ISPs and service providers use blocklists to minimize the exposure of users to spam and malicious websites. Spamhaus is one of the organizations that maintain such blocklists. Since ICP smart contracts can host entire web apps at affordable rates, ICP has seen a few malicious actors publishing content that ISPs and other services block for their users, e.g. phishing sites. Social media and communication services, such as email providers, may additionally flag messages including links to ic0.app as spam.

As explained in the recent forum post Content Filtering via Boundary Nodes, the DFINITY foundation actively scans for such content and blocks it in accordance with the Code of Conduct established with the ICP community. The smart contracts remain untouched on-chain but are no longer accessible through a regular web browser. There may also be a few false negatives that are not detected.

Spamhaus added ic0.app to its blocklist. The DFINITY Foundation is actively working with Spamhaus to explain the use of ic0.app and asked Spamhaus to remove ic0.app from the blocklist. However, it’s uncertain whether this request will be successful.

Please note this incident is different from a “takedown request”. This is an entire domain being added to a blocklist. This is a foreseen event so there are both mitigations and plans for the community to be aware of.

3. Precautions

This section describes measures that can be taken today to minimize the impact of ic0.app potentially becoming inaccessible.

Recommended For Users

We encourage all users to perform the following activities immediately:

  • Create a recovery phrase for your II anchors: The following instructions show you how to create a recovery phrase for your II anchors. Once you have created a recovery phrase, store it in a safe place. As a reminder, your recovery phrase will allow you to recover your II and NNS wallet (where you may be holding ICP) in case they are in an environment where ic0.app is blocked. (How to create a recovery phrase?). If ic0.app is blocked, you would use your recovery phrase to access your anchor on the new domain. (How to recover account with recovery phrase?) Please note: You will not be able to recover your account with a FIDO device, so you must create a recovery phrase if you want to ensure your account is safe.
  • Connect your II anchors to identity.internetcomputer.org: The following instructions guide you through the process of setting up your Internet Identity (II) anchors on the new II domain identity.internetcomputer.org. Once you have performed these steps, you can keep using II on the new domain even if identity.ic0.app was no longer accessible. We are working on making this process more user-friendly. Note: for this setup to be successful, identity.ic0.app must be accessible to you. UPDATE: Now that ic0.app has been removed from the block list, we recommend that users wait to migrate their devices until we complete work on the migration path. In case of an emergency, make sure that you have a usable recovery phrase following the instructions listed above.

What are the risks if you don’t follow these precautionary measures?

ELI5: If you don’t have access to the ic0.app domain and you haven’t performed these steps, then you cannot reach your Identity, which means you cannot access your ICP in the NNS Frontend dapp.

  • Is it guaranteed that users will lose access to ic0.app? No, but best be careful and take preventive measures.
  • Are there ways to regain access to ic0.app domain? Yes, most notably a VPN.
  • Why are these precautions necessary? Because they mitigate the impact of “not having access to ic0.app domain”. These measures remove the risk tied to ic0.app.

What DFINITY Foundation is doing

Short-term (Now)

  • System canisters under separate domain: DFINITY has created a proposal, that was subsequently adopted by the NNS, to add an additional domain for Internet Identity (identity.internetcomputer.org) and the NNS Frontend dapp (nns.internetcomputer.org) so users are able to access these URLs without being affected by any regional blocking of ic0.app.
  • Switch to new default domain for new canisters: Spamhaus has communicated that ICP can create an environment for “massively automated malice”. Therefore, DFINITY has set up the domain icp0.io as an alternative default domain to access canisters. If you previously used the URL .ic0.app, you can now alternatively use .icp0.io.
  • API calls through decoupled domain: So far, HTTP requests and API calls both used the ic0.app domain. We introduced the domain icp-api.io for API calls and to decouple the two use cases. As a result, API calls will not be affected by reduced availability of domains used to serve HTTP. The Service Worker has been updated to automatically make the API calls to the new domain.
  • Accelerate code of conduct enforcement: We plan to further reduce the time between a malicious content being detected and it being blocked.

Mid-term (1 week)

  • II domain migration: As shown in the December 2022 II roadmap update, the II team has been working on a simple flow to migrate anchors set up under identity.ic0.app to identity.internetcomputer.org. As documented as one of the user precautionary actions above, a migration to this new domain is possible today. However, we will work on making this transition more seamless and self-explanatory.
  • Custom domains: Just a few days ago, the foundation released custom domain support for canisters. As more developers will use this new capability, the dependency on ic0.app will decrease.

Long-term (months)

  • The DFINITY team is working on a new boundary node architecture. By introducing HTTP gateways that are accessible through different domains and operated by different community members, the dependency on a single domain, such as ic0.app, will be significantly reduced.

4. Mitigation

Should a social media post or electronic message containing the ic0.app domain be flagged as spam, you can alternatively use the domain icp0.io. All new canisters are accessible through the newly created domain icp0.io. Instead of accessing your canister through .ic0.app, you can alternatively use icp0.io.

In the event of ic0.app being blocked for you, we recommend the following:

  • VPN: Use a VPN to connect to a network that is not affected by the Spamhaus blocklist.
  • Check your local settings: A local program or system configuration, e.g. a virus scanner, may block ic0.app using the Spamhaus list. Check these settings and exclude ic0.app from being blocked.

Worth noting that another route for users who want to retrieve their IIs, is that they can also modify the hosts file to locally map identity.ic0.app to identity.internetcomputer.org. You can see instructions on how to do this here: how to change a hosts file on your computer…

5. Potential Questions

Q: What should be the main take-away for users?

A: All ICP users should (A) set up their II anchor under identity.internetcomputer.org and (B) create recovery phrases for their internet identity anchors, if they do not already have one yet.

(C) Users can also change the hosts file to locally map identity.ic0.app to identity.internetcomputer.org.

You can see instructions on how to do this here: how to change a hosts file on your computer.

Q: I’m a developer, what do I need to do?

A: Your canisters will be available at .ic0.app as well as .icp0.io. If you do nothing, your users will have the same level of access as they do today. If you start to encounter reports of your app not being available, you can configure your agent to use icp-api.io as an alternative or fallback host.

To ensure that your dApp continues to work properly:

  • If you are serving your own service worker, you should make sure you are serving at least version 1.5.2.
  • The Custom Domains feature is now widely available and you can use your own domain to serve your dApp.
  • We will post more updates and instructions in the coming days.

Q: What about users not paying attention when this announcement was posted? Are they out of luck? How much time do they have?

A: It would be naive to expect all users to be paying attention to announcements. Still, we hope to reach as many as possible. We also hope to rely on the community to help create awareness.

If more places add ic0.app to a blocklist, sharing or accessing ic0.app links may get increasingly more difficult. However, we expect that for those people immediately affected, using a VPN it will be possible to access ic0.app for a while. But let’s not count on it and execute the precautionary measures now.

Q: How can I help?

A: ICP is a protocol and a community so of course all help is always appreciated. The ICP community is known for its helpful culture. There are a few ways you can help:

  • Share this post widely
  • Remind people to set up their II anchor under identity.internetcomputer.org and to create recovery phrases
  • Review NNS proposals coming
  • Offer any help or any advice on this thread!

For context, some of the people at DFINITY working closest on this are:

31 Likes
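The developer guidance in the announcement above (canisters reachable at both .ic0.app and .icp0.io, with icp-api.io as a fallback API host), sketched as an added example that is not part of the original post or DFINITY's code. The helper names are hypothetical, and the use of the `/api/v2/status` endpoint as a reachability probe is an assumption.

```javascript
// Added example; helper names are hypothetical, domains are the ones named in the post.
const GATEWAY_ALTERNATIVES = new Map([["ic0.app", "icp0.io"]]);
const API_HOSTS = ["https://ic0.app", "https://icp-api.io"]; // primary, then fallback

// Rewrite <label>.ic0.app to <label>.icp0.io. The match is on a DNS label
// boundary, so look-alikes such as evil-ic0.app or ic0.app.example.com
// are left untouched instead of being rewritten to a trusted-looking host.
function rewriteCanisterUrl(input) {
  const url = new URL(input);
  const host = url.hostname.toLowerCase();
  for (const [from, to] of GATEWAY_ALTERNATIVES) {
    if (host === from || host.endsWith("." + from)) {
      url.hostname = host.slice(0, host.length - from.length) + to;
      break;
    }
  }
  return url.toString();
}

// Assumed reachability check against the IC HTTP API (requires network access).
function statusProbe(host) {
  return fetch(host + "/api/v2/status").then((res) => res.ok);
}

// Return the first API origin whose probe succeeds within timeoutMs, or null.
// A probe that throws (DNS failure, blocked connection) counts as unreachable.
async function pickApiHost(probe = statusProbe, hosts = API_HOSTS, timeoutMs = 3000) {
  for (const host of hosts) {
    let timer;
    const timeout = new Promise((resolve) => {
      timer = setTimeout(() => resolve(false), timeoutMs);
    });
    try {
      if (await Promise.race([probe(host), timeout])) return host;
    } catch (_) {
      // unreachable: fall through to the next candidate
    } finally {
      clearTimeout(timer);
    }
  }
  return null;
}
```

The origin returned by `pickApiHost` is the value you would hand to your agent as its host setting.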

Thanks for the heads up. I guess it’s a good thing everyone pushed for recovery phrases back in the day.

9 Likes

So say goodbye to the blockchain url? (which was hosted on a centralized domain anyways)

What’s going to happen to nns.ic0.app and the sns?

What does this mean for less technical people who have elected to “set and forget” in their NNS dapp.

7 Likes

Good question.

I’d say the simple version is this: (I did try to make post above simple, seems I fell short of that!)

  1. NNS.ic0.app will continue to work
  2. We expect most people to not have any issues
  3. If any do have any issues accessing that domain, they have two options:

a. If they had set a recovery, they can go to the new url and use the recovery

b. If they have not set a recovery, they may need to use a vpn, to create a new recovery

Does this answer your question in a helpful way?

4 Likes

I don’t intend to minimize this or fall into “this is good for Bitcoin” meme, but I genuinely believe these kinds of things are signs of a blockchain making real contact with the wider internet world.

It is truly fascinating to watch blockchain and web2/web1 collide into each other, negotiate, iterate, and become part of our daily lives.

7 Likes

Why do they have to do that? Isn’t there support for same principal auth on multiple dApps now?

This looks like an antipattern, the moment your recovery phrase is shown it might already not be in a safe place unless you generated it on a brand new device with a clean OS install, a safe place is supposed to be an airgapped device never connected to the internet, that is what FIDO/security keys are for. On a technical level I don’t understand why recovering account with a secret key is possible, but not with a hardware wallet.

1 Like

This just hit my radar (thanks @lomesh ) … @peterparker @rckprtr @kpeacock @icme … is this maybe connected to this:

and if so, I would assume the @dfinity sdk would need to be updated with a new URI for the fetch calls it makes … i.e. https://ic0.app/api/v2/canister/5zc2i-mqaaa-aaaal-abcoa-cai/cal … they are intermittently timing out in the last few days and we have been grasping at “why” … this might be it and the timing fits … thoughts?

1 Like

Thanks for the heads up.

For someone paranoid like me :

(a) I have a recovery phrase (“locked”) that is stored in a distributed fashion, so not easily accessible.

(b) I was able to add the first device without recovery phrase (first option); but NOT without confusion; even with the instructions. I think a quick video explaining this process would help.

(c) The act of adding a second (and subsequent) devices to the same IIA has an exception flow; which will confuse people. However I can verify that I am able to add a second device.

(d) As noted in the instructions, the existing devices registered on ic0 WILL NOT work on internetcomputer.org. You will need to re-add them.

2 Likes

Is there any way to add a second recovery phrase if you don’t have access to your protected recovery phrase?

Have to say it’s really unfortunate that recovery devices aren’t of any help. I thought I was pretty well prepared with a good mix of auth devices. Falling back to a single recovery phrase was not something I had planned for.

4 Likes

There is no way to add a second recovery phrase; I think, by design.

More than one hardware recovery key would sure be nice.

Copy. I knew we could protect one. I didn’t realize we couldn’t add more. Really sucks.

1 Like

Hi @Zane

Isn’t there support for same principal auth on multiple dApps now?

Honestly? I wrote multiple draft answers, but as I wrote them, it was clear I did not have clarity of thought. Let me ping the Internet Identity Team or Crypto team to better explain,

On a technical level I don’t understand why recovering account with a secret key is possible, but not with a hardware wallet.

I want to make sure I get your question. Are you asking why you cannot use a hardware wallet to recover an II account, but why you have to type it in manually? Is that right?

1 Like

I asked SDK team and they are not sure it is connected, but have been looking into this.

1 Like

Agreed. I know II team is working on improving the flow as well as the user-facing docs on this. Lots of low hanging fruit the team sees.

2 Likes

Copying some folks from Research and Internet Identity team so they see the feedback:

@frederikrothenberger @nmattia @bjoern @marydwyer @maria

2 Likes

Thanks @diegop for the update. IMHO these are great developments.

Were it not for the Casino front end being blocked, work would not be as urgent for boundary node decentralization. Were it not for this domain being censored, work would not be as urgent to address this issue.

The more we block and tackle these issues the more hardened and decentralized the system becomes. I personally think it’s really great as we are seeing decentralization unfold before our very eyes.

4 Likes

After this migration, I can also verify that I am able to access nns at https://nns.internetcomputer.org/ through both of my devices.

The migration mistakenly inherits the devices from ic0. After adding the same device with a different name, I deleted the device with original name at intercomputer.org

Hmm interesting, let me pass this along.

Sorry; my bad;

The migration inherits the devices from ic0. Adding another device also add this device to ic0. So the same device can exist with two separate names; each for different domains (ic0 and internetcomputer)

1 Like