Locking the Web Open: A Call for a Distributed Web

I&#x27;m happy to see this article, and it reminds me of things that others have been talking about for some time (for example, the &quot;Redecentralize&quot; community).<p>I&#x27;ve participated in some file-sharing litigation which has made it very clear to me that decentralized P2P systems are not inherently more anonymous than other technologies. In fact, there&#x27;s a cottage industry of P2P monitoring companies that participate as peers in the P2P networks and record detailed information about the IP addresses of peers that uploaded and downloaded particular files. There are often paradoxes where decentralization helps privacy and anonymity in some ways but harms it in others -- for example, if you run your own mail server instead of using Gmail, then you&#x27;ve prevented Google from knowing who communicates with whom, but allowed a network adversary to learn that information directly, where the network adversary might not know the messaging relationships if everyone on the network used Gmail.<p>I guess a related point is that information about who is doing what online exists <i>somewhere</i> by default, unless careful privacy engineering reduces the amount of information that&#x27;s out there. Making the simplest kinds of architectural changes could just shift the location where the information exists, for example from Google or Yahoo or Amazon to dozens of random strangers, some of whom might be working for an adversary.

Kahle&#x27;s approach works only for static content. It&#x27;s not hard to distribute static content; BitTorrent does it just fine. The Internet Archive stores static content. Kahle thinks in terms of static content, because that&#x27;s what the Internet Archive does. But it&#x27;s less of the Web today. Despite that, it&#x27;s good to have a way to distribute static content. Academic publishing, after all, is almost all static content. That should be widely distributed. It&#x27;s not like academic journals pay their authors.<p>There&#x27;s the problem that distributing content means someone else pays for storing and serving it. This is part of what killed USENET, once the binary groups (mostly pirated stuff and porn) became huge. There&#x27;s a scaling problem with replication.<p>Federated networks are interesting, and there are several federated social networks. A few even have a number of servers in two digits. You could have a federated Facebook replacement that costs each user under a dollar a month at current hosting prices. No ads. The concept is not getting any traction.<p>Kahle wants a system with <i>&quot;easy mechanisms for readers to pay writers.&quot;</i> That&#x27;s either micropayments or an app store, both of which are worse than the current Web.

I&#x27;m all for this, and consider it to be inevitable in the long run. In the short term, however, it seems like the major hurdle will be getting one of these projects into the mainstream: for the most part, the web already does what most people want it to do, and those people aren&#x27;t going to be bothered to install a new web browser so that they can do things they&#x27;re already doing. Especially if it lacks the features, performance, or ease-of-use of their current browser.<p>So, how do we address this? Is there a &quot;killer app&quot; for the distributed web that will motivate people to move to it? Can we use existing web tech like Web-RTC to bootstrap the system? Maybe a workable avenue is mobile, where people are pretty comfortable installing new applications - what if we built the next social network into an app based on the distributed web?<p>I don&#x27;t know the answer, but I&#x27;d love to hear any ideas&#x2F;brainstorming you clever people have to offer.

That&#x27;s been the goal of the Freenet project for a while, to build a distributed encrypted network protocol. It distributes storage and processing which is why full encryption is necessary; you don&#x27;t want 10 people reading your email when it&#x27;s distributed across their machines.<p>The challenge for Freenet has been speed and fun. To have something like Facebook you have to download a JAR plugin for Freenet that adds that capability. That&#x27;s not fun. The speed is slow because of the encryption and constant syncing.<p>It might be better to look at the MediaGoblin and Pump.io (and StatusNet to some extent) for ideas on federated platforms. The challenge there again is fun; it isn&#x27;t fun to set things up.

I want this for all the reasons they list, but it seems there are huge unanswered questions for anything beyond a permission-less static page. Imagine you are developing a modern web app in the locked open paradigm. Is all system data distributed, including private user data and passwords? The only solution I can come up with is homomorphic encryption, which is not performant enough and still probably leaves a huge timing&#x2F;structure analysis attack area if anyone can download the database. If I make any mistakes on the database security, the entire DB is already pre-leaked to the world? The final dencryption&#x2F;encryption happens in client javascript, which is a whole other hornets&#x27; nest. Besides that, the implication is that I write my entire system stack in client javascript that is exposed to everyone, including any proprietary algorithms or credentials? Even if that was ok, and the system can live in the user cloud, where does system processing that is independent of user activity (scheduled tasks, etc) happen? Again, I want all of these problems to be solved, but they are nontrivial.

I&#x27;ve been thinking of how to decentralise the web as-is since 2011, the current development branch for this perspective on it is here: <a href="https:&#x2F;&#x2F;github.com&#x2F;LukeB42&#x2F;Uroko&#x2F;tree&#x2F;development" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;LukeB42&#x2F;Uroko&#x2F;tree&#x2F;development</a><p>It&#x27;s basically a collaborative caching proxy.<p>One process is a proxy that can also coordinate multiple users editing the same page and a subprocess acts as a DHT node.<p>You can use a raft-like log of hashes of pubkey,content and the previous hash to keep a history of edits in the network.<p>the hard part is this: How do you trust the validity of a singular node having a url you&#x27;re requesting?<p>It entails a rating system, and then it becomes the byzantine generals problem where the overlay network should be able to tolerate up to a third of its malicious nodes saying they&#x27;re all trustworthy.<p>Feedback&#x2F;any help would be much appreciated.

I would love to live in this future -- but where&#x27;s the incentive for businesses? How do they make more money developing in this way? How do users get more value accessing sites developed in a purely decentralized fashion? How do we avoid JavaScript being the basis for all of this?<p>Interesting (almost exciting) vision, but I don&#x27;t see why the majority of existing users would move. They just don&#x27;t get much value out of privacy, versioning, reliability, etc. They get <i>enough</i> of those things out of Gmail, Facebook, et al for their purposes already.

The author&#x27;s proposals are strikingly similar to Xanadu, right down to suggesting embedded micropayments: <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Project_Xanadu#Original_17_rules" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Project_Xanadu#Original_17_rul...</a><p>Ted Nelson will rise. Sort of, not really.

Well in this regard, I&#x27;m pretty mindblown by the possibilities of <a href="https:&#x2F;&#x2F;ethereum.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;ethereum.org&#x2F;</a>

I think it&#x27;s obvious that the current web is decentralized, but is heavily server-based. At the same time, there is something about propagating applications across these servers... Russia can ban Reddit but they can&#x27;t ban Wordpress. For the moment, that is what we are working on at <a href="http:&#x2F;&#x2F;platform.qbix.com" rel="nofollow">http:&#x2F;&#x2F;platform.qbix.com</a> (and have been for the past 4 years). Making it easy to have a distributed <i>social</i> network the same way bitcoin makes <i>money</i> distributed.<p>Now, how would you take it further and make the web entirely peer to peer, so you wouldn&#x27;t have to trust servers with your <i>security</i> and <i>politics</i>? You can have additional schemes like http and https, for various methods of delivery and storage.<p>I wrote this FIVE years ago but nothing seems to have been done about it since then: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=2023475" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=2023475</a><p>That would be an easy first step, that would do a lot. It&#x27;s 2015 and we can&#x27;t even have XAuth (<a href="http:&#x2F;&#x2F;techcrunch.com&#x2F;2010&#x2F;04&#x2F;18&#x2F;spearheaded-by-meebo-xauth-looks-to-make-social-sites-smarter&#x2F;" rel="nofollow">http:&#x2F;&#x2F;techcrunch.com&#x2F;2010&#x2F;04&#x2F;18&#x2F;spearheaded-by-meebo-xauth-...</a>) in the browser! (We would need a space for storing preferences where websites from any domain could read what was written.)

I really wish that the Internet Archive would provide bulk access to the Wayback Machine dataset. It would allow for a lot of interesting experimentation and research.

If every one had a wireless node on their house you might get an open web.. Just leaving the problem of connecting to the backbone

Just replacing DNS with a decentralised alternative would be a big step, yet appeared to be an impossible one (zookos triangle).<p>Something this big requires everyone using the internet to switch to the new system or it will never work, and that will never happen. It&#x27;s the dancing pig problem.<p>We can&#x27;t go back on the decisions that have been made, only go forward.

Data synchronization and Memory management is a major flaw in the concept of a distributed web as described by this article. Is the author suggesting taking all application data that exists on all web servers today, and hosting it on each device connected to the network (billions of devices) ?

I was liking what the article was suggesting but then it shamelessly plugged BitTorrent inc. which is one of those &#x27;big companies&#x27; you don&#x27;t want touching anything related to privacy or freedom.

It&#x27;s too late for that. What was once the internet is now basically glorified cable TV. At this point, it&#x27;s pretty much inevitable that it&#x27;s going full Disney or bust.<p>Hopefully bust.

It&#x27;s really exciting to see the these various technologies coming together!<p>We&#x27;re working on the micropayments for authors and rights-holders aspect of this:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;blockai&#x2F;openpublish" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;blockai&#x2F;openpublish</a> <a href="https:&#x2F;&#x2F;github.com&#x2F;blockai&#x2F;bitstore-client" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;blockai&#x2F;bitstore-client</a>

I agree with one of the comments on that page that decentralizing the Internet is fundamental to decentralizing the Web.<p>So in my mind the problems that need to be solved are:<p>Information-Centric Networking &gt; Unstructured Mesh Networking &gt; Distributed Data Storage &gt; P2P Information Retrieval

Cool, that&#x27;s a nice way of promoting those technologies since many don&#x27;t understand them.<p>I wish those things would land on the IETF board. I wonder what snowden think about those. I would surely make things much harder for the NSA to do massive surveillance.

A good roadmap for a new distributed web should be broken down by OSI model layer, showing what protocols and technologies exist that need to be replaced, what levels of the OSI model they span, and identifies single points of failure lower in the stack that must be accommodated. Too few people understand how brittle the web is by its reliance on the &quot;magical&quot; underpinnings of the Internet continuing to &quot;just work&quot;.<p>For example, let&#x27;s say we want privacy, anonymity and high availability for something fundamental like name lookups. It&#x27;s not enough to simply replace DNS with namecoin (L7), if there&#x27;s a critical vulnerability in openssl on linux that could force a fork in the network, possibly leading to existing blocks getting orphaned (L6), if every single session that goes through AT&amp;T gets captured, and the corresponding netflow stored in perpetuity for later analysis and deanonymization (L5), if this application&#x27;s traffic could be used for reflection amplification attacks (L4) due to host address spoofing (L3). One might try to get around those issues by direct transmission of traffic between network endpoints (asynchronous peer-to-peer ad hoc wireless networks via smartphones or home radio beacons, for example), but then you not only need to deal with MAC address spoofing and VLAN circumvention, (L2) but with radio signal interference from all the noisy radios turned up to max broadcast volume, shouting over one another, trying to be heard (L1) and accomplishing little more than forcing TCP retransmissions higher up in the stack.<p>And really what&#x27;s the point, when you can&#x27;t even trust that the physical radios in your phone or modem aren&#x27;t themselves vulnerable to their fundamentally insecure baseband processor and its proprietary OS? Turns out, what you were relying on to be &quot;just a radio&quot; has its own CPU and operating system with their own vulnerabilities.<p>Solving this from the top down with a &quot;killer app&quot; is impossible without addressing each layer of the protocol stack. Each layer in the network ecosystem is under constant attack. Every component is itself vulnerable to weaknesses in all the layers above and below it. Vulnerabilities in the top layers can be used to saturate and overwhelm the bottom layers (like when Wordpress sites are used to commit HTTP reflection and amplification attacks), and vulnerabilities in the lower layers can be used to subvert, expose, and undermine the workings of the layers above them. The stuff in the middle (switches) are under constant threat of misuse from weaknesses both above AND below.<p>It might be tempting for an app developer to read this blog post and think &quot;Oh wow, what a novel idea! Why is nobody doing this?&quot; But in reality, legions of security and network researchers, as well as system, network, and software engineers around the world toil daily to uncover and address the core vulnerabilities that hinder these sorts of efforts.

To enable p2p web Use ipfs or morph.is