Post AGnLuwalpd7eMzO5bc by rysiek@mastodon.technology
 (DIR) Post #AFYD1J0Qq73hDh1QcS by rysiek@mastodon.technology
       2022-01-18T02:21:28Z
       
       2 likes, 3 repeats
       
       I want a Web where CDNs are unnecessary.
       Where different organizations, different website operators, can help each other out by hosting assets for each others' websites, thus spreading the load across many orgs in solidarity, instead of centralizing it in gatekeepers.
       I've had this idea for years. The problem always was: how do I trust third party operators with my website's assets?
       I believe I might slowly be getting to a point of having a decent answer to that question.
       No blockchain required.
       
 (DIR) Post #AFYD1JTr4iaugwmvTs by tuxicoman@social.jesuislibre.net
       2022-01-18T02:30:20Z
       
       0 likes, 0 repeats
       
       @rysiek you can sign your assets so you can verify they are not tampered?
       
 (DIR) Post #AFYD9aafLRrG4cv6oq by rysiek@mastodon.technology
       2022-01-18T02:31:49Z
       
       0 likes, 0 repeats
       
       @tuxicoman that's the gist of it, yes. Subresource Integrity is part of the solution.
       The difficulty is: how do you verify those signatures? And how do you verify the code that verifies them has not been tampered?
       That's where Service Workers come in.
       
 (DIR) Post #AFYDFYOkPOAj0oBobw by seb@ioc.exchange
       2022-01-18T02:32:55Z
       
       0 likes, 0 repeats
       
       @rysiek BeakerBrowser kind of works like that.
       
 (DIR) Post #AFYDNm7LHhHZsVy7Hs by rysiek@mastodon.technology
       2022-01-18T02:34:24Z
       
       0 likes, 0 repeats
       
       @seb yeah, but getting everyone to switch to a particular browser is not a winning strategy.
       Anyone who has managed a website that dealt with DDoS and censorship and thought Tor Browser is the solution that could work for the regular visitors can verify that.
       
 (DIR) Post #AFYDdZvAOjqGgXoEMq by seb@ioc.exchange
       2022-01-18T02:37:15Z
       
       0 likes, 0 repeats
       
       @rysiek True. How about IPFS? It seems to be supported by a few browsers now and for the other browsers there are extensions.
       
 (DIR) Post #AFYDxn41F8QxEqaUcq by rysiek@mastodon.technology
       2022-01-18T02:40:51Z
       
       0 likes, 0 repeats
       
       @seb that's one possible transport technology, and yes it's one of the technologies that can be relevant here. As long as it can work directly (and fully, not through HTTPS gateways!) in the browser.
       If gateways are in use -> that's a third party end-point, so content needs to be verified still.
       
 (DIR) Post #AGnLusNrTgQ5JnJivg by rysiek@mastodon.technology
       2022-01-18T02:49:43Z
       
       0 likes, 0 repeats
       
       What if I told you the code for this is already mostly there?
       All major browsers support Service Workers and Subresource Integrity, which means we can have a piece of JS that:
       1. only gets updated from the original domain
       2. handles all requests for the website
       3. routes these requests to the original domain, or hits third party endpoints when the original domain is unavailable for whatever reason
       4. has ways of distributing and checking Subresource Integrity on any fetched resource.
       And we do: (cont.)
       
 (DIR) Post #AGnLusrHiHxIn35Dn6 by rysiek@mastodon.technology
       2022-01-18T02:53:05Z
       
       0 likes, 0 repeats
       
       Points 1. and 2. are assured by Service Workers API, so browsers enforce that.
       Point 3. can be achieved with #LibResilient and the alt-fetch plugin:
       https://gitlab.com/rysiekpl/libresilient/
       https://gitlab.com/rysiekpl/libresilient/-/blob/master/plugins/alt-fetch.js
       Point 4. is the job of the signed-integrity plugin:
       https://gitlab.com/rysiekpl/libresilient/-/blob/master/plugins/signed-integrity.js
       This is all very PoC. Documentation is lacking or non-existent. But it's already there.
       
 (DIR) Post #AGnLutQNbo1oXtVFUe by Seirdy@pleroma.envs.net
       2022-02-24T07:42:48.097089Z
       
       0 likes, 0 repeats
       
       @rysiek Hopefully we can move this technique server-side so that HTML with SRI is generated on the server while assets are fetched from different servers.
       I personally prefer to just keep pages small and static so my VPS can handle a few thousand req/sec.
       
 (DIR) Post #AGnLuu9kt6KAocjUDg by rysiek@mastodon.technology
       2022-01-18T02:56:56Z
       
       0 likes, 0 repeats
       
       So now, technically, a few website operators could band up together, deploy #LibResilient on their websites, and offer each other hosting or proxying of each others' website assets on alternative endpoints.
       Those assets would be verified browser-side by LibResilient whenever fetched. So no need to trust that the alternative endpoint operators won't modify them (accidentally, maliciously, whatever).
       The service-worker script and config can only be updated from the original domain, so that's sealed too.
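
The flow described in the posts above (original domain first, then third-party endpoints, with every response checked against a known digest before it is accepted), as an added example that is not part of the thread and is not LibResilient's code. `resilientFetch`, `sriSha256`, the `*.example` hosts and the file contents are constructed for illustration; the expected digest is assumed to have been obtained from the original domain.

```javascript
// Added example; names and hosts are hypothetical, not LibResilient's API.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : null);

// Compute a Subresource Integrity string ("sha256-<base64>") for a body.
async function sriSha256(bytes) {
  const digest = new Uint8Array(await subtle.digest('SHA-256', bytes));
  return 'sha256-' + btoa(String.fromCharCode(...digest));
}

// Try the original domain first, then each alternative endpoint in order.
// A response is accepted only if its digest equals `integrity`, which must
// come from a trusted source (assumption: shipped with the service worker
// config, which the browser only updates from the original domain).
async function resilientFetch(path, integrity, origin, mirrors, fetchImpl = fetch) {
  const rejected = [];
  for (const base of [origin, ...mirrors]) {
    try {
      const res = await fetchImpl(base + path);
      if (!res.ok) throw new Error('HTTP ' + res.status);
      const body = new Uint8Array(await res.arrayBuffer());
      if (await sriSha256(body) !== integrity) throw new Error('integrity mismatch');
      return { source: base, body, rejected };
    } catch (err) {
      rejected.push({ base, reason: err.message });
    }
  }
  throw new Error('all endpoints failed: ' + JSON.stringify(rejected));
}

// Constructed demo: the origin is unreachable, the first mirror serves a
// modified file, the second mirror serves the genuine one.
async function demo() {
  const enc = (s) => new TextEncoder().encode(s);
  const good = enc('console.log("site code");');
  const served = {
    'https://origin.example/app.js': null, // unreachable
    'https://mirror-a.example/app.js': enc('console.log("modified");'),
    'https://mirror-b.example/app.js': good,
  };
  const fakeFetch = async (url) => {
    if (!served[url]) throw new Error('network error');
    return { ok: true, status: 200, arrayBuffer: async () => served[url].slice().buffer };
  };
  return resilientFetch('/app.js', await sriSha256(good), 'https://origin.example',
    ['https://mirror-a.example', 'https://mirror-b.example'], fakeFetch);
}
```

In a service worker the same call would sit inside a `fetch` event handler and its result would be wrapped in a `Response` passed to `event.respondWith()`.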
       
 (DIR) Post #AGnLuvQo9BYilnicRE by rysiek@mastodon.technology
       2022-01-18T03:00:41Z
       
       0 likes, 0 repeats
       
       My favorite part is that this should work on Firefox, Chrome/Chromium, Safari, with default settings.
       That is, website visitors don't have to do *anything* to benefit. Website admins don't have to ask their readers to switch to a different browser.
       And yes, you can simply use a Tor Hidden Service through random third party onion proxies, or pull stuff from IPFS via IPFS gateways, as alternative endpoints just as well. Asset verification means you don't have to worry about who runs those.
       
 (DIR) Post #AGnLuwalpd7eMzO5bc by rysiek@mastodon.technology
       2022-01-18T03:03:25Z
       
       0 likes, 0 repeats
       
       Just to be clear once again, this is nowhere near production-ready.
       But it is in a place where more testing (and more involvement in the project) would be very welcome.
       There are limitations too, of course:
       https://gitlab.com/rysiekpl/libresilient#limitations
       Some can probably be worked-around with some additional development effort.
       
 (DIR) Post #AGnLuxkjW4gZyB3Ym0 by rysiek@mastodon.technology
       2022-01-18T03:04:23Z
       
       0 likes, 1 repeats
       
       (and yes, it is ironic that the code is hosted on gitlab.com, which is behind CloudFlare 😉 )
       
 (DIR) Post #AGnLuz00skVDprDHEG by rysiek@mastodon.technology
       2022-01-19T10:49:45Z
       
       0 likes, 1 repeats
       
       Just for completeness sake, here is a relevant blogpost on #LibResilient website:
       https://resilient.is/blog/content-integrity-in-libresilient/
       
 (DIR) Post #AGnM7fCFopK0BQz9Qu by Seirdy@pleroma.envs.net
       2022-02-24T07:45:07.253599Z
       
       0 likes, 0 repeats
       
       @rysiek I say this because I'd rather avoid client-side JS and esp. serviceworkers when possible.
       
 (DIR) Post #AKiVGcxgRB69FVcjD6 by AIaYYAle4i1uKmKpqy.gme@bofh.social
       2022-06-21T15:02:20.051078Z
       
       0 likes, 0 repeats
       
       Which will inevitably lead to supply-chain attacks like we're seeing today with javascript and other libraries that are called/ referenced by applications and sites.
       
 (DIR) Post #AKidBkwS8gyGBVEhoO by rysiek@mastodon.technology
       2022-06-21T15:20:58Z
       
       0 likes, 0 repeats
       
       @gme have you read the whole thread, perhaps? Specifically the toot where I mention this very problem, and offer a possible solution?
       
 (DIR) Post #AKidBlVu0tKLxRp14C by AIaYYAle4i1uKmKpqy.gme@bofh.social
       2022-06-21T16:31:05.999738Z
       
       0 likes, 0 repeats
       
       No, but if you have a way to solve the supply-chain attacks using something other than digital signatures (which aren't that effective in practice today for those libraries that use them) I'd love to read your proposal.
       
 (DIR) Post #AKjEKgJIQQDOjL2XtA by bedef@livellosegreto.it
       2022-06-21T20:57:12Z
       
       0 likes, 0 repeats
       
       @rysiek the idea is very interesting. Just a question, quoting from the quickstart:
       [...] it handles all fetch() events by first trying to use the regular HTTPS request to the original website. If that fails for whatever reason (be it a timeout or a 4xx/5xx error), the plugins kick in, attempting to fetch the content via any means available.
       Isn't the purpose of CDNs also to deliver contents worldwide faster? How can it be so if it calls the original website first?
       
 (DIR) Post #AKjEKhTG6rmKKWi13Y by rysiek@mastodon.technology
       2022-06-21T23:20:45Z
       
       0 likes, 0 repeats
       
       @bedef the purpose of LibResilient is, as the name suggests, resilience. It's less of "shave a few ms off a request" and more of "if something breaks, don't fall flat on your face".
       Shaving a few ms off a request means almost nothing for most sites. For a reasonably standard case of a WordPress site "optimized" by loading some resources from Fastly or jsdelivr, the few ms saved by geolocation absolutely pale in comparison with seconds lost on waiting for PHP and the database to render stuff.
       
 (DIR) Post #AKjEKhuCUhKTg5JX3A by rysiek@mastodon.technology
       2022-06-21T23:22:42Z
       
       0 likes, 0 repeats
       
       @bedef not to mention that a few ms saved on downloading 2MiB of JS from a geolocated CDN node is irrelevant compared to time spent downloading that very same 2MiB of JS in the first place. And then using that to render client-side.
       Compared to loading a static HTML site with self-hosted resources, the user experience is absolutely, positively crap.
       But hey, it's "optimized" by using a CDN! 🤦‍♀️
       
 (DIR) Post #AKjEKiGX9fC4nLlMrQ by rysiek@mastodon.technology
       2022-06-21T23:24:23Z
       
       1 likes, 0 repeats
       
       @bedef and then you have sites that load for dozens of seconds, then render and re-render, and re-re-render as more resources and JS scripts come in, all loaded from three different CDNs.
       As soon as *one* of them is having a bad day, the whole site is down.
       This is all madness. Web developers have been played for absolute fools by gatekeepers peddling their gatekeeping bullcrap under the guise of "geo-optimizing" content delivery.
       
 (DIR) Post #ALsz8SwfH72AhBsacS by Zergling_man@birds.garden
       2022-07-26T14:16:20.179575Z
       
       0 likes, 0 repeats
       
       @rysiek
       >Website admins don't have to ask their readers to switch to a different browser.
       >JS*cough*
       
 (DIR) Post #ALtN4HXO90p53aav6e by rysiek@mastodon.technology
       2022-07-26T18:44:00Z
       
       1 likes, 0 repeats
       
       @Zergling_man tech-savvy readers who block JS or use browsers that do not support JS are also probably already using Tor Browser, and in general can be expected to make informed choices and find ways to access blocked sites.
       This tool grew out of frustration with the fact that the majority of Web users cannot be assumed to be that savvy. Hence the focus on meeting them where they are: on major browsers with JS enabled.
       Find me a way to achieve this without JS and I will gladly do that.
       
 (DIR) Post #ALtOvHD2CB3xLBuLGy by Zergling_man@birds.garden
       2022-07-26T19:05:16.359334Z
       
       0 likes, 0 repeats
       
       @rysiek It can be part of web reset.
       Actually isn't there already a way to specify multiple sources in an image? Or is that only audio/video?
       
 (DIR) Post #AOrNzCLohtycFY595E by onan@dobbs.town
       2022-10-23T13:21:38Z
       
       0 likes, 0 repeats
       
       @rysiek I like this idea! Here are some ideas that might overlap...
       Beaker Browser
       https://beakerbrowser.com/
       IPFS
       https://ipfs.tech/
       Revolver (not released yet)
       https://blog.freespeechextremist.com/blog/revolver-kickoff.html
       
 (DIR) Post #AOrOGHn3jk0W2hyM4W by rysiek@mastodon.technology
       2022-10-23T13:24:39Z
       
       0 likes, 0 repeats
       
       @onan I'm in fact using IPFS in LibResilient. Here's the talk:
       https://media.ccc.de/v/mch2022-198-trusted-cdns-without-gatekeepers
       
 (DIR) Post #AOrOIOdLGT4XqVQwc4 by onan@dobbs.town
       2022-10-23T13:25:07Z
       
       0 likes, 0 repeats
       
       @rysiek Brilliant.
       
 (DIR) Post #AOx8ZAn6GF1HAd0wLI by rysiek@mastodon.technology
       2022-06-21T12:13:42Z
       
       0 likes, 0 repeats
       
       I'll be doing a talk about exactly this at #MCH2022:
       https://program.mch2022.org/mch2021-2020/talk/W7MB7H/
       Come one come all.
       
 (DIR) Post #AOx8ZBDgfOHqV5SAme by freeschool@qoto.org
       2022-10-26T07:57:08Z
       
       0 likes, 0 repeats
       
       @rysiek do you have audio only version of it?
       
 (DIR) Post #AOx8ozi3EGsFR3CGAa by adnan360@mas.to
       2022-01-18T07:19:55Z
       
       0 likes, 0 repeats
       
       @rysiek I have a similar problem. I moved GH projects years ago to GL.com. I mostly use that for projects using Pages. Now to move again means I'd have to change URLs for my projects everywhere. framagit.org is good, but it has signup issues. So for beginners, the only option is to use GL.com unfortunately.
       
 (DIR) Post #AOx8p0JcyYvpJamGjw by rysiek@mastodon.technology
       2022-01-18T11:29:24Z
       
       0 likes, 1 repeats
       
       @adnan360 0xacab.org is pretty solid. Also a gitlab instance but run by riseup. No CloudFlare. Can recommend.
       
 (DIR) Post #AOx8p1WQUSlP3Zm0KO by adnan360@mas.to
       2022-01-18T07:27:50Z
       
       0 likes, 0 repeats
       
       @rysiek The better way I found to signup for framagit.org is to login with GL.com and it doesn't cause any issues. But since my projects often are targeted towards beginners, this would be probably difficult for them to understand.
       
 (DIR) Post #AOx8vjHaha4oW221xY by freeschool@qoto.org
       2022-10-26T08:01:13Z
       
       0 likes, 0 repeats
       
       @rysiek do you have audio only version of the talk you did?
       
 (DIR) Post #AOx9SHAcFDYcsmHxFw by freeschool@qoto.org
       2022-10-26T08:07:06Z
       
       0 likes, 0 repeats
       
       @rysiek ok link was further down a link (got it)
       and just for others it's here it's below AND has audio only version (TOP MARKS!)
       https://media.ccc.de/v/mch2022-198-trusted-cdns-without-gatekeepers#l=eng&t=0
       
 (DIR) Post #AOx9WAieAgye2742G8 by freeschool@qoto.org
       2022-10-26T08:07:48Z
       
       0 likes, 0 repeats
       
       @rysiek ok got link (was further down reading)
       and just for others it's below AND has audio only version (TOP MARKS!)
       https://media.ccc.de/v/mch2022-198-trusted-cdns-without-gatekeepers#l=eng&t=0