February 19, 2023 Edit: Spamhaus has removed ic0.app from its blocklist.
1. TL;DR
On February 15 2023, Spamhaus, an organization that publishes a Domain Block List used by some service providers, added the ic0.app domain to its blocklist. The immediate impact is that the usage of ic0.app on social media or emails may be flagged as spam. A further potential consequence may be that some ISPs may no longer route traffic to the ic0.app domain. As a result, some users may no longer be able to directly access the dapps on the Internet Computer (IC) that use the ic0.app domain. Currently, no such cases are known, but to address this risk, this post explains what users can do as a precautionary measure and how they could regain access.
As an immediate action, we recommend that all users:
- Create a recovery phrase for your Internet Identity anchors if you have not already done so (How to create a recovery phrase). Please note that a recovery device cannot be used to access your account on the new URL; you must use a phrase.
- Reset your Internet Identity recovery phrase if you cannot remember or have lost your existing phrase (How to reset your recovery phrase).
- Set up your Internet Identity anchors to be usable with the newly introduced URL identity.internetcomputer.org. Please note that we are working on UX improvements that will make the process easier. UPDATE: Now that ic0.app has been removed from the block list, we recommend that users wait to migrate their devices until we complete work on the migration path. In case of an emergency, make sure that you have a usable recovery phrase following the instructions listed above.
Last but not least, it is worth noting: DNS blocking is a very common industry practice. Indeed, there are many blocklists around the world with varying policies. Every ISP and/or government does some form of this for legal, security or content policy reasons. Domains which serve user-generated content / apps have a history of being at risk of DNS block lists.
2. Background
ISPs and service providers use blocklists to minimize the exposure of users to spam and malicious websites. Spamhaus is one of the organizations that maintain such blocklists. Since ICP smart contracts can host entire web apps at affordable rates, ICP has seen a few malicious actors publishing content that ISPs and other services block for their users, e.g. phishing sites. Social media and communication services, such as email providers, may additionally flag messages including links to ic0.app as spam.
As explained in the recent forum post Content Filtering via Boundary Nodes, the DFINITY foundation actively scans for such content and blocks it in accordance with the Code of Conduct established with the ICP community. The smart contracts remain untouched on-chain but are no longer accessible through a regular web browser. There may also be a few false negatives that are not detected.
Spamhaus added ic0.app to its blocklist. The DFINITY Foundation is actively working with Spamhaus to explain the use of ic0.app and asked Spamhaus to remove ic0.app from the blocklist. However, it's uncertain whether this request will be successful.
Please note this incident is different from a "takedown request". This is an entire domain being added to a blocklist. This is a foreseen event so there are both mitigations and plans for the community to be aware of.
3. Precautions
This section describes measures that can be taken today to minimize the impact of ic0.app potentially becoming inaccessible.
Recommended For Users
We encourage all users to perform the following activities immediately:
- Create a recovery phrase for your II anchors: The following instructions show you how to create a recovery phrase for your II anchors. Once you have created a recovery phrase, store it in a safe place. As a reminder, your recovery phrase will allow you to recover your II and NNS wallet (where you may be holding ICP) in case you are in an environment where ic0.app is blocked. (How to create a recovery phrase?). If ic0.app is blocked, you would use your recovery phrase to access your anchor on the new domain. (How to recover account with recovery phrase?) Please note: You will not be able to recover your account with a FIDO device, so you must create a recovery phrase if you want to ensure your account is safe.
- Connect your II anchors to identity.internetcomputer.org: The following instructions guide you through the process of setting up your Internet Identity (II) anchors on the new II domain identity.internetcomputer.org. Once you have performed these steps, you can keep using II on the new domain even if identity.ic0.app is no longer accessible. We are working on making this process more user-friendly. Note: for this setup to be successful, identity.ic0.app must be accessible to you. UPDATE: Now that ic0.app has been removed from the block list, we recommend that users wait to migrate their devices until we complete work on the migration path. In case of an emergency, make sure that you have a usable recovery phrase following the instructions listed above.
What are the risks if you don't follow these precautionary measures?
ELI5: If you don't have access to the ic0.app domain and you haven't performed these steps, then you cannot reach your Identity, which means you cannot access your ICP in the NNS Frontend dapp.
- Is it guaranteed that users will lose access to ic0.app? No, but best be careful and take preventive measures.
- Are there ways to regain access to ic0.app domain? Yes, most notably a VPN.
- Why are these precautions necessary? Because they mitigate the impact of "not having access to ic0.app domain". These measures remove the risk tied to ic0.app.
What DFINITY Foundation is doing
Short-term (Now)
- System canisters under separate domain: DFINITY has created a proposal, that was subsequently adopted by the NNS, to add an additional domain for Internet Identity (identity.internetcomputer.org) and the NNS Frontend dapp (nns.internetcomputer.org) so users are able to access these URLs without being affected by any regional blocking of ic0.app.
- Switch to new default domain for new canisters: Spamhaus has communicated that ICP can create an environment for "massively automated malice". Therefore, DFINITY has set up the domain icp0.io as an alternative default domain to access canisters. If you previously used the URL .ic0.app, you can now alternatively use .icp0.io.
- API calls through decoupled domain: So far, HTTP requests and API calls both used the ic0.app domain. We introduced the domain icp-api.io for API calls and to decouple the two use cases. As a result, API calls will not be affected by reduced availability of domains used to serve HTTP. The Service Worker has been updated to automatically make the API calls to the new domain.
- Accelerate code of conduct enforcement: We plan to further reduce the time between a malicious content being detected and it being blocked.
Mid-term (1 week)
- II domain migration: As shown in the December 2022 II roadmap update, the II team has been working on a simple flow to migrate anchors set up under identity.ic0.app to identity.internetcomputer.org. As documented as one of the user precautionary actions above, a migration to this new domain is possible today. However, we will work on making this transition more seamless and self-explanatory.
- Custom domains: Just a few days ago, the foundation released custom domain support for canisters. As more developers will use this new capability, the dependency on ic0.app will decrease.
Long-term (months)
- The DFINITY team is working on a new boundary node architecture. By introducing HTTP gateways that are accessible through different domains and operated by different community members, the dependency on a single domain, such as ic0.app, will be significantly reduced.
4. Mitigation
Should a social media post or electronic message containing the ic0.app domain be flagged as spam, you can alternatively use the domain icp0.io. All new canisters are accessible through the newly created domain icp0.io. Instead of accessing your canister through .ic0.app, you can alternatively use icp0.io.
In the event of ic0.app being blocked for you, we recommend the following:
- VPN: Use a VPN to connect to a network that is not affected by the Spamhaus blocklist.
- Check your local settings: A local program or system configuration, e.g. a virus scanner, may block ic0.app using the Spamhaus list. Check these settings and exclude ic0.app from being blocked.
It is worth noting that another route for users who want to retrieve their IIs is to modify the hosts file to locally map identity.ic0.app to identity.internetcomputer.org. You can see instructions on how to do this here: how to change a hosts file on your computer…
5. Potential Questions
Q: What should be the main take-away for users?
A: All ICP users should (A) set up their II anchor under identity.internetcomputer.org and (B) create recovery phrases for their internet identity anchors, if they do not already have one.
(C) Users can also change the hosts file to locally map identity.ic0.app to identity.internetcomputer.org. You can see instructions on how to do this here: how to change a hosts file on your computer.
Q: I'm a developer, what do I need to do?
A: Your canisters will be available at .ic0.app as well as .icp0.io. If you do nothing, your users will have the same level of access as they do today. If you start to encounter reports of your app not being available, you can configure your agent to use icp-api.io as an alternative or fallback host.
To ensure that your dApp continues to work properly:
- If you are serving your own service worker, you should make sure you are serving at least version 1.5.2.
- The Custom Domains feature is now widely available and you can use your own domain to serve your dApp.
- We will post more updates and instructions in the coming days.
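For the developer guidance above, a sketch of link rewriting and API-host fallback using the domains named in this post. It is an added example, not DFINITY's code; the function names and the `/api/v2/status` reachability probe are assumptions.

```javascript
// Added example, not DFINITY code. Domains are those named in the post;
// function names and the /api/v2/status probe are assumptions.
const SYSTEM_DOMAINS = new Map([
  ["identity.ic0.app", "identity.internetcomputer.org"],
  ["nns.ic0.app", "nns.internetcomputer.org"],
]);
const OLD_SUFFIX = ".ic0.app";
const NEW_SUFFIX = ".icp0.io";
// Current default first, icp-api.io as the fallback the post describes.
const API_HOSTS = ["https://ic0.app", "https://icp-api.io"];

// Rewrite a link on ic0.app to its alternative domain; other URLs are returned unchanged.
function toAlternativeUrl(input) {
  const url = new URL(input); // throws on malformed input
  if (url.protocol !== "https:") throw new Error("refusing non-HTTPS URL");
  const host = url.hostname; // already lower-cased by the URL parser
  if (SYSTEM_DOMAINS.has(host)) {
    url.hostname = SYSTEM_DOMAINS.get(host);
  } else if (host.endsWith(OLD_SUFFIX)) {
    // The suffix includes the leading dot, so look-alikes such as
    // "evilic0.app" or "ic0.app.example.com" are never rewritten.
    url.hostname = host.slice(0, -OLD_SUFFIX.length) + NEW_SUFFIX;
  }
  return url.toString();
}

// Return the first API host for which probe(host) resolves to true.
async function pickApiHost(probe, hosts = API_HOSTS) {
  for (const host of hosts) {
    try {
      if (await probe(host)) return host;
    } catch (_err) {
      // DNS failure, timeout or reset: treat as unreachable, try the next host.
    }
  }
  throw new Error("no API host reachable");
}

// Network probe with a timeout, so a blocked domain cannot stall the fallback.
function statusProbe(host, timeoutMs = 3000) {
  return fetch(`${host}/api/v2/status`, { signal: AbortSignal.timeout(timeoutMs) })
    .then((res) => res.ok);
}
```

The host returned by `pickApiHost(statusProbe)` is the value to pass as the agent's host option.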
Q: What about users not paying attention when this announcement was posted? Are they out of luck? How much time do they have?
A: It would be naive to expect all users to be paying attention to announcements. Still, we hope to reach as many as possible. We also hope to rely on the community to help create awareness.
If more places add ic0.app to a blocklist, sharing or accessing ic0.app links may get increasingly difficult. However, we expect that for those people immediately affected, it will be possible to access ic0.app using a VPN for a while. But let's not count on it and execute the precautionary measures now.
Q: How can I help?
A: ICP is a protocol and a community so of course all help is always appreciated. The ICP community is known for its helpful culture. There are a few ways you can help:
- Share this post widely
- Remind people to set up their II anchor under identity.internetcomputer.org and to create recovery phrases
- Review upcoming NNS proposals
- Offer any help or any advice on this thread!
For context, some of the people at DFINITY working closest on this are:
- @jwendling , Team Lead, InfraSec - communicating with Spamhaus
- @samuelburri , VP of Engineering
- @frederikrothenberger , Engineer, Crypto Team
- @maria , Director of Engineering
- @nmattia , Engineer, Crypto Team
- @raymondk , Sr. Engineering Manager, Boundary Nodes