IPFS is not secure?

Hello all,

I have noticed IPFS https://gateway.ipfs.io/ipfs/QmXNcu1iUZkSNNW1PFx8REtqBKUFzPeBJgEJ5Yr5sLMvmZ/#!/wallets … displays the IP address on - https://check-host.net/ip-info?host=https://gateway.ipfs.io/ipfs/QmXNcu1iUZkSNNW1PFx8REtqBKUFzPeBJgEJ5Yr5sLMvmZ/#ip_info-geolite2 . So I am wondering how it is secure? Surely anyone can block this easily by simply blocking the IP as the Chinese government do now with Facebook, Twitter, etc.

My goal is to create an IPFS website in China which is unblockable, yet I’m struggling to see how it is “unblockable” especially when also having to use a standard domain name as ENS/ .ZIL is not ready for any multimedia content.

IPFS can’t fully circumvent censorship when IP blocking is involved. However, imagine each person has their own IP. Alice has a file to share. Boris downloads file from Alice. Charlie wants the file, but can’t access Alice’s IP, Charlie can also access the file via Boris. Without (hypothetically) having to configure anything special.

Traditional internet addresses such as www (dot) sharing (dot) com/fileA will point to the server that the DNS system says is at “www (dot) sharing (dot) com” and within that server “fileA” (assuming no custom web server that does special things with the address information). IP censorship can just block the IP that “www.sharing.com” directs to, thus circumventing access to the server. With IPFS, you put in a file hash instead of an address, (for simplicity) let’s say you want to access the file at hash “sharingFileA” (name simplified for simplicity), you don’t try connecting to the server at sharing.com you ask the network of any IPFS nodes you can connect to if they have the file “sharingFileA” or if they know of a node that does. This partially circumvents censorship because the IP of everyone who has the file would need to be blocked. It’s not completely unblockable though, just harder.
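The lookup described above, as an added example that is not part of the original post: a requester asks every reachable peer for a hash and accepts only bytes that hash back to it, so blocking one provider's IP does not block the file, and a peer that serves altered bytes is rejected. Assumptions: plain SHA-256 hex stands in for a real IPFS CID, peer discovery is a fixed list, and the `Peer`, `fetch` and `demo` names and all addresses are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def content_id(data: bytes) -> str:
    # Simplification: plain SHA-256 hex stands in for a real IPFS CID.
    return hashlib.sha256(data).hexdigest()


@dataclass
class Peer:
    name: str
    ip: str                               # constructed documentation-range address
    store: dict = field(default_factory=dict)

    def add(self, data: bytes) -> str:
        cid = content_id(data)
        self.store[cid] = data
        return cid

    def get(self, cid: str):
        return self.store.get(cid)


def fetch(cid: str, peers: list, blocked_ips: set):
    """Return (data, provider name) from the first reachable peer whose
    bytes hash to the requested ID; raise LookupError if none does."""
    for peer in peers:
        if peer.ip in blocked_ips:
            continue                      # the censor drops this route
        data = peer.get(cid)
        if data is not None and content_id(data) == cid:
            return data, peer.name        # verified, so the peer need not be trusted
    raise LookupError("no reachable peer holds verifiable content for " + cid)


def demo():
    alice = Peer("alice", "192.0.2.10")
    boris = Peer("boris", "198.51.100.20")
    mallory = Peer("mallory", "203.0.113.30")
    cid = alice.add(b"fileA contents")
    boris.add(alice.get(cid))             # Boris downloaded it from Alice
    mallory.store[cid] = b"tampered"      # wrong bytes stored under the same ID
    peers = [alice, mallory, boris]
    one_block = fetch(cid, peers, {alice.ip})[1]
    try:
        fetch(cid, peers, {alice.ip, boris.ip})
        all_blocked = "reachable"
    except LookupError:
        all_blocked = "unreachable"
    return one_block, all_blocked
```
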

Thank you Cyber Venus, I guess when you say harder you mean to the point of where Turkey are still unable to take down Wikipedia despite this being mirrored?

Secondly, can I hire you? haha (after hours of setting up my IPFS and struggling to actually get the website running and connected to my domain!) I have found it hard to find developers for this

Unfortunately beyond a basic setup I’ve not really done anything very developery with it myself. I am a developer, just not with the IPFS project, so while I like to think I understand things better than most people, I don’t actually have much experience with IPFS itself. I’m just a bit of a decentralized internet enthusiast.

The biggest problem with the China proposition is that it’s basically impossible to circumvent all censorship when the government controls the cables and servers that connect everyone’s personal computers and phones together. The best thing (I think) that could be done is to encrypt traffic so no one knew you were accessing IPFS nodes, this only works until either the government were to find a way to detect what content was on the nodes you were accessing (similar to how companies often join in BitTorrent swarms so they can tell who is downloading what, the only way to do so is to try downloading it yourself and see who tries sending it to you). And of course if encrypted internet traffic were to get banned, then there’s really nothing that can be done to hide it effectively. If the goal is for highly infrequent dispersal of rarely updated digital content, like if you wanted to share Wikipedia, but didn’t need the latest updates from the past few months, I would consider exploring ways to compress the data being distributed and break it into smaller chunks (think, flash drive size chunks) and distribute physical devices. That’s basically what I’ve come to with how we could avoid censorship if we were living where such censorship is a problem. In the United States we’d probably see it coming with enough advance warning and enough people involved that we could just set up alternate internet access connections altogether with something along the lines of GoTenna Mesh.

Sorry I can’t be much more help with your specific setup though, wish I could, but I’m not that familiar with the IPFS code itself to do more than reference existing documentation.

Thanks for your honest answer, any idea where I could potentially find a developer? I was thinking there must be someone on here! The best thing ideally to do is wait I guess for .zil blockchain domains and hosting for further censorship but I’m involved in some way with the current Hong Kong protests and want to deliver a platform of free speech to China through a chat system like status.im running on an IPFS or Swarm.

When you mention encrypt traffic, I can do that on a centralised server without all the confusion of IPFS, etc?

Well, first off it’s cool to know we really do have people involved from all over (perhaps it’s wrong of me, but I generally assume anyone is from the U.S. unless they specify otherwise (because I am)). As far as developers go, well, aside from direct questions relating to the code (usually newest in development code and questions asked by people contributing to development) there’s not as much direct involvement from developers on the forums as I’d like to see myself, but that’s somewhat understandable as they are busy developing and IPFS doesn’t really provide them with a source of money right now (since it’s free and doesn’t have like, a paid version).

As for encryption, any sort really, the point being just that no one can see what data is being sent without being the sender or recipient. Something like the Tor Network would be a simple enough example of what I mean, but I reckon that’s all convoluted and less useful due to bootstrap servers being blocked and the software itself not being publicly downloadable.

I think your best bet is to just outline each step of your process and ask for community help, unfortunately it may take a couple days, but I reckon there’s community people who know enough about each piece of the puzzle to put it together. That is, one person may not know everything, but one person may be familiar with chat stuffs and another with encryption stuffs and so on, enough to help anyways. From my understanding IPFS is still early enough in development that your project will sort of be a first if it becomes fully functional.

Meanwhile check the reddit page here: https://reddit.com/r/ipfs
#ipfs and #ipfs-dev on Freenode
docs.ipfs.io/community/irc/

And this page: https://webtorrent.io/faq
Specifically the “Who is using WebTorrent today?” section, which lists several other peer-to-peer data distribution and chat projects that you may find interesting.

Also thought you should check out zeronet.io . I just found it today, but they seem to have a sort of decentralized chat system that may be along the lines of what you’re looking for.

Thanks Cyber, yeah I heard about Zeronet but I cannot connect a normal domain name to it which is what I want to do making it easily accessible.

From looking at WebTorrent that may be my best bet as that is decentralised without the complication of them downloading a cryptographic login like MetaMask. So if I combine that with some form of traffic encryption that should be robust enough to last?!

Also NeoCities website builder uses IPFS I believe

Hello @Peatson, first off the IPs you see on the website are not the IPs of the peers but the IPs of the gateway. A simple way to notice that is to do the same thing but for another website: https://check-host.net/ip-info?host=https://gateway.ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/ (Wikipedia for example)
You get exactly the same IPs! What it means is that the government can only block the IPFS gateways like this one, but blocking all the peers of a file is practically impossible. Now imagine if we didn’t rely on HTTP-IPFS gateways like gateway.ipfs.io but instead each peer had IPFS installed on their computer (whether it be the Go CLI or ipfs.js for the browser). Your website would be nearly unblockable by anyone.

Ok so next problem, how to create a serverless chat? We don’t have to use IPFS for this one, we can use the standard web API WebRTC : https://owebio.github.io/serverless-webrtc-chat/
Again, this would be nearly unblockable by the government. WebTorrent uses WebRTC by the way, but I don’t think WebTorrent is a good choice to do a serverless chat. Other things you might want to learn about are CRDT (https://youtu.be/-kdx8rJd8rQ) and OrbitDB for IPFS if you want to have persistency for your data. To be more clear, if you are ok with the fact that messages are deleted when you quit your browser then WebRTC does the job just fine, but if you want to archive the messages like with Discord or a forum website, then IPFS is the way to go. But you can mix the 2: use WebRTC to create an HTML file of a non-persistent chat, and share this HTML file with IPFS so that it isn’t stored on a single server that can be blocked by the government.

If you want to have identities for your chat website (i.e. accounts), that becomes problematic because it is at odds with one of the most famous conjectures in distributed computing, the Zooko triangle, that states that you cannot have a naming system that is at the same time distributed, secure and human-meaningful. I will spare you a too long explanation on this, but nevertheless you can still have pretty convincing ways to have identities for your chat. You can take inspiration from the tripcode system which is completely serverless. Users can type their username and password and they get a hash. On the chat, both your username and your hash would be displayed. Yes, it’s not perfect because several persons can choose the same username, but you have several ways to make it more secure. For example you can generate a picture with the hash using Gravatar for example, or you can generate a username from the hash using Proquint pronounceable identifiers for example instead of letting the user choose their username. This picture or this Proquint identifier would be absolutely unique, so people on the chat can recognize you with them (because it is somewhat unlikely that they would recognize you with the hash which is not human-meaningful).

I have stumbled across this brilliant project of an end-to-end encrypted messaging app like Whatsapp but without a central server to store the public keys and for message transit. It is fully p2p and uses WebRTC, so the Chinese government (or any other censor) cannot shut it down because there is no single point of failure. But if you are a bit familiar with WebRTC, you might reply that the STUN and TURN servers used during signalling can be considered as single points of failure, but this app exchanges tokens via QR codes, so no need to use any third party server.
Ok it’s not really like Whatsapp, it does only audio and video but if you want to do your own application, this one laid a very good base.
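
The serverless tripcode and Proquint identity idea from the earlier post, as an added example that is not part of the original thread or of any project mentioned in it. Assumptions: PBKDF2 replaces a bare hash because the result is displayed publicly and can be guessed against offline, the salt prefix `chat-tripcode-v1:` and the function names are hypothetical, and the identifier is cut to 64 bits for readability while the full hash remains the actual identifier.

```python
import hashlib

CONSONANTS = "bdfghjklmnprstvz"   # 16 consonants, 4 bits each
VOWELS = "aiou"                   # 4 vowels, 2 bits each


def proquint(data: bytes) -> str:
    """Encode an even number of bytes as Proquint: one
    consonant-vowel-consonant-vowel-consonant word per 16 bits."""
    if len(data) % 2:
        raise ValueError("proquint encodes whole 16-bit words")
    words = []
    for i in range(0, len(data), 2):
        w = int.from_bytes(data[i:i + 2], "big")
        words.append(
            CONSONANTS[(w >> 12) & 0xF] + VOWELS[(w >> 10) & 0x3]
            + CONSONANTS[(w >> 6) & 0xF] + VOWELS[(w >> 4) & 0x3]
            + CONSONANTS[w & 0xF]
        )
    return "-".join(words)


def tripcode(username: str, password: str) -> bytes:
    """Derive a 32-byte identity hash locally, with no server involved.
    The salt is the normalised username, so nothing has to be stored."""
    salt = b"chat-tripcode-v1:" + username.strip().lower().encode("utf-8")
    # A slow KDF raises the cost of guessing the password from the public hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, 200_000, dklen=32)


def display_identity(username: str, password: str, words: int = 4) -> dict:
    """What other chat users see next to each message."""
    digest = tripcode(username, password)
    return {
        "username": username,                       # chosen freely, not unique
        "hash": digest.hex(),                       # full identifier
        "proquint": proquint(digest[:2 * words]),   # spoken form of the prefix
    }


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    print(display_identity("alice", "correct horse battery staple"))
```
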