What are the security and trust assumptions associated with IPFS Front-ends?

Hello. Could someone ELI5 the basics of IPFS front-end hosting and the trust assumptions associated with it?


Most ppl use a gateway so I guess the same assumptions as any server on the web today?

If you use IPFS then it’s publicly know that your NodeId with IP has said content hash while participating in the DHT.

1 Like

It’s a little more complicated than that. It depends on what you mean by “front-end” and how you plan on running/configuring it.

I don’t think there are many trust issues unless you’re talking about running a private swarm. Then you’re trusting that a node that has the swarm key is supposed to have it. If it’s an open gateway then you’re trusting the entire internet to host their content on your machine and eat your bandwidth. You might also get menacing emails asking why you’re hosting illegal or malicious content.

If you don’t run an open gateway it’s what the previous post said.

1 Like

A generic MITM threat modeling can be applied:

  • if you don’t verify CID hashes end-to-end yourself, means you trust someone else does it for you and that they don’t lie. If you use HTTP gateways see docs about trust delegation and how to do verifiable retrieval that removes need for trusting gateway sent you correct data.

  • If you use DNSLink, you can’t trust value from DNS TXT without having trust in your DNS resolver, and/or having trust in DNSSEC set up and validating it on the client.

On top of that, there are the usual ramifications around Same-origin policy - Wikipedia that apply to everything on the web platform.

If you load your app from a public gateway, be aware that:

  • all apps loaded via path gateway will share the same security sandbox – cookies, local storage, API permissions. Not somerhing you want, if your app has to manage secrets or log-in into user accounts.

  • to ensure your app/root CID has its own security perimeter, load it via ipfs:// or ipns:// in browser that supports IPFS natively, like Brave, or use a subdomain gateways which also provide separate origin per root CID. This ensures your app is isolated from everything else.

1 Like

Thank you for providing this information.