Let's talk about boundary nodes as a high-risk point of failure for the IC

A malicious party could run a boundary node and modify canister responses to make it seem like they reached consensus on something that they in fact did not.

Hello, thank you for bringing up such an important issue!

I’m working on the Trust team in Dfinity, and this is the exact problem that we are trying to address. Our approach to this essentially splits users into two groups: convenience-focused users and security-conscious users.

For security-conscious users we have an e2e trustless solution in the form of a local desktop proxy: Try Out the IC HTTP Proxy: A Leap Towards Decentralized HTTP. This is still in a PoC phase, but it is actively being worked on to get it to a more production-ready state.

We are also planning to continue investigating more alternatives: a mobile counterpart to the desktop proxy, web view wrappers, self-hosted gateways and native browser integrations. We are not sure which of these options will be successful at this point; more work is needed before we can say for sure.

Browser-based solutions (aside from a native integration), such as the service worker and browser plugins, have proven to be cumbersome and unable to provide a truly trustless solution, so we will continue to pursue more options outside of the browser.

Now for the other group, the convenience-focused group. We do not have a short-term solution for them that will provide an e2e trustless connection. A native browser integration would solve that, but that likely won’t happen for a long time, since we are dependent upon external parties to collaborate with us on that front. So for the foreseeable future, convenience will come at the cost of some decentralization.

Decentralized API boundary nodes can help us with this, though: Boundary Node Roadmap. We won’t be able to fully decentralize the HTTP Gateway, but we can at least federate it. Community-hosted HTTP Gateways will be able to provide alternate routes to the same canisters. We will then look at finding ways to verify the behavior of these gateways.
