Skip to content

Top New Best Ask Show Jobs

Avoiding Internet Centralization (opens in new tab)

(mnot.github.io)

155 pointsjohndbeatty4y ago105 comments

Avoiding Internet Centralization | Better HN

105 comments

Something not really covered is this concept: "Maybe don't let one telecom company acquire too much control".

Look at the history of everything that was acquired by either Qwest/CenturyLink or Level3, and then the merger of Level3. You can't tell me that the existence of Lumen, the combined Centurylink-Level3 entity is good for anyone, except for their shareholders.

It's the very definition of too much centralization.

Look at all of the things that have now been jammed together into the modern Verizon, as well.

Look at the sad state of competition in Canada, with Rogers and Shaw trying to merge.

lotsofpulp4y ago

Also need fat upload pipes (i.e. fiber) to individuals’ homes so they can operate their own backup and peer to peer services.

When 90%+ of people have no upload capacity at their house, and are behind tons of CGNAT, then onedrive/iCloud/google drive become the only solution for storing your things you can access later. Same with chat protocols.

They just rolled out att fiber into my neighborhood. I was surprised as I live in a older neighborhood. Have overhead power lines talked with att installer and he said that was the reason we go it. Went from 1 gig down 30 mbps upload cable for 100 a month to 70 for gig full up and down and they gave me 400 bucks for signing up. It is pretty awesome having a direct fiber line to the house. My brother lives in Santa Rosa California and is on the list to get 10 gig fiber from Sonic for 65 a month. Hopefully things are starting to change. Once he has it I was thinking of just doing rysnc between us for backup.

tzs4y ago

I don't understand. If my upload bandwidth is sufficient for me to keep my stuff on OneDrive/iCloud/Google Drive, why wouldn't it be sufficient to keep my stuff on any other remote storage service?

FridayoLeary4y ago

Is it? In the UK BT owns all the wires and stuff yet i don't think it majorly affects consumers, nor are their competitiors being crushed.

ssss114y ago

There are a couple of others who own wires but really only in London (colt, forget the other one)

BT retail (the arm that sells to clients) has strict rules that forbid it from sharing with BT wholesale (the arm that sells to the other ISPs) so BT retail really can’t crush the competitors.. I don’t know the exact arrangement but they’re treated like any other ISP customer I believe

See if you can find our ENUM registry and use it.

BT doesn't own our wires as such. OpenReach does (yes they were formally BT but spinned off).

BT or OpenReach - who cares? The important thing is functionality. I'd like to provide you with a novel telephony setup but the lack of ENUM means I am not able to do that.

cortesoft4y ago

Depends on how heavily regulated it is

serverholic4y ago

Starlink should help with this by bypassing traditional networks.

melony4y ago

They are the definition of centralized.

hansel_der4y ago

why?

wireless is only radically different from a consumer perspective and the capacity is nothing to write home about. It's the coverage and latency that bring value.

bullen4y ago

They should probably add that merely adding yet another protocol centralizes things.

Implementing them takes time and you need many implementations for the protocols themselves to become de-centralized.

This is what breaks most new protocols and languages combined with diminishing returns (low hanging fruit has allready been harvested).

Personally I'm going back to HTTP, DNS and SMTP.

And even if DNS is completely centralized, it's the only thing we have for name lookups after 38 years!

Also I never rely on DNS if I can avoid it (I use static IPs and only use the hostname for virtual hosting / load balancing).

And de-centralization by hosting is more important than the protocol itself being p2p, since no p2p protocol can operate purely without server because of discovery.

I have made my own, from scratch, implementation of all 3:

DNS and SMTP soon coming to a rupy (HTTP), enabling DNS and SMTP through HTTP, you'll basically be able to control DNS and SMTP via a "Servlet/Filter".

Home hosting on fiber with static IP and ports 80, 53 and 25 open is the real challenge.

Making sure your ISP enables those has way higher priority than this document!

And the real canary is when you don't get an external IP on your fiber when IPv4 allocations in Africa run out.

It's time to wake up if we want an internet that does not become rent seeking.

Google charges for static IP addresses on GCP which should not be a thing if they get allocations for free.

IPv4 is a scarce asset, so they have an incentive to slow down IPv6!

tecleandor4y ago

> Google charges for static IP addresses on GCP which should not be a thing if they get allocations for free.

Same as in AWS (IIRC) in Google Cloud you don't get billed for static IP addresses if they are in use:

"If you reserve a static external IP address and do not assign it to a resource such as a VM instance or a forwarding rule, you are charged at a higher rate than for static and ephemeral external IP addresses that are in use.

You are not charged for static external IP addresses that are assigned to forwarding rules."

https://cloud.google.com/vpc/network-pricing

bullen4y ago

That's not true, I have 3 static IPs connected to VMs and they charge me for them:

External IP Charge on a Standard VM Usage 2021-11-01 2021-11-30 2,XXX.XXX hour 50.XXXXXSEK

So ~$2 per IP in USE per month!

>gcloud compute addresses list

ERROR: (gcloud.compute.addresses.list) Some requests did not succeed:

- Request had insufficient authentication scopes.

We need to move away from these companies before it's too late... they are incompetent and rent seeking.

They also do not rebate your free instance if you shut it off and change the instance type of the instance that had the rebate, even if you change it back.

And there is no recourse, no support, no way to get help.

yjftsjthsd-h4y ago

> And even if DNS is completely centralized, it's the only thing we have for name lookups after 38 years!

Depending on how you mean, it's not the only thing or its not 100% centralized; https://en.wikipedia.org/wiki/Alternative_DNS_root lists the major alternatives in that immediate space.

> 5.2. Encrypt, Always: When deployed at scale, encryption can be an effective technique to reduce many inherited centralization risks. ...

The problem here is the word "Always". Encryption is good for just the reasons they say. But only encryption, always encryption, not having an option for plain text is highly centralizing in itself. This is because the current status quo for encryption is to use TLS based on certificate authorities. And CAs are always highly centralized and highly centralizing.

If Lets Encrypt ever goes corrupt like dot Org did it would cause an incredible amount of trouble and that entity would have power over a large portion of the web, if not the entire internet. There's an easy solution to this though. Don't throw alway plain protocls. Plain and TLS wrapped are synergistic. Use both. There's no need for, and it is damaging, to always encrypt without an option for plain text.

A hypothetical downgrade attack is not an excuse for using only highly centralized TLS CA based protocols in this context.

AnthonyMouse4y ago

> This is because the current status quo for encryption is to use TLS based on certificate authorities.

Not everything has to be TLS or even HTTP. Look at messaging apps. Signal is encrypted, but the end-to-end encryption it uses isn't TLS and doesn't use certificate authorities.

> If Lets Encrypt ever goes corrupt like dot Org did it would cause an incredible amount of trouble and that entity would have power over a large portion of the web, if not the entire internet.

Not really. Let's Encrypt doesn't have a monopoly over anything. They use an open protocol (ACME) that any other CA could implement. If they went evil, someone else would implement the same protocol and everybody would switch to them. Which also implies that they won't, because why bother if that's what will happen?

This is kind of a problem with the CA system the other way -- if you have one bad CA they can sign any domain even if they shouldn't -- but in this case it prevents what you're worried about.

judge20204y ago

> if you have one bad CA they can sign any domain even if they shouldn't -- but in this case it prevents what you're worried about.

This is why certificate transparency is a thing and most browsers require it for public internet domains[0,1].

0: https://chromium.googlesource.com/chromium/src/+/refs/heads/...

1: https://support.apple.com/en-us/HT205280

judge20204y ago

> that any other CA could implement.

For reference, many CAs (even paid ones) have implemented it:

Digicert https://docs.digicert.com/certificate-tools/Certificate-life...

Sectigo (formerly Comodo) https://sectigo.com/resource-library/sectigo-adds-acme-proto...

I'm surprised if Signal doesn't use TLS, considering that Android tries to force apps to always use TLS, which is because of the point the parent comment is making.

LE also forces you to rely on DNS, which is highly centralized..

How is DNS centralised?

xxpor4y ago

What CA doesn't?

Encryption does not imply authentication, does it?

Browsers scaremonger really hard about self-signed SSL certs. And browsers are starting to implement HTTPS only as a default. It won't be too long before HTTP is blocked by mega-corp browsers and not having a CA TLS cert means your website is now un-visitable by non-technical people (and not indexed by search engines).

betterunix24y ago

"Internet routing requires addresses to be allocated uniquely, but if the addressing function were captured by a single government or company"

Technically it is so captured -- IANA is the root of the hierarchy that distributes both IP address assignments and ASN assignments -- and the RIRs are effectively centralized authorities in their regions. Thus far it has not been a problem.

With a larger address space and longer ASNs you could decentralize the entire process. Basically, subnets and ASNs would be hashes of public keys, and you would use a path-vector protocol where the NLRIs contain NIZKs proving knowledge of the secret keys and asserting who the NLRI was sent to at each hop (identified by ASN). It is not current being considered because (1) it would greatly increase the cost of routers and related infrastructure and (2) thus far there is no immediate need.

rapnie4y ago

In "The Promise and Paradox of Decentralization" [0] I found this quote to be very appealing wrt decentralization:

> "[A]ny decentralized order requires a centralized substrate, and the more decentralized the approach is the more important it is that you can count on the underlying system."

This somewhat counterintuitive notion is often overlooked. In order to facilitate a healthy decentralization effort you need a heck of a collaborative movement to make it a reality and sustain the initiative.

[0] https://www.thediff.co/p/the-promise-and-paradox-of-decentra...

fouc4y ago

Avoiding Internet Centralization means.. avoiding browser centralization.. means avoiding the dominant browser stack (currently chrome-based).. means avoiding browser auto-updates.. means discouraging user agent strings & browser/os version fingerprinting.. means avoiding cloudflare..

DarthNebo4y ago

Decentralisation efforts at this point is very akin to the democratic movements from centuries ago. Governments being reluctant to entertain efforts of taking back control, most recent example being StarLink asked to stop selling in India since they aren't registered as an ISP. The whole point of satellite internet is to avoid geo-control by any government body or local ISP.

tjohns4y ago

The whole point of satellite Internet is to fill in connectivity gaps where you can’t otherwise run high-speed fiber or wireless towers.

It does not avoid government control. Even ignoring local legalities, at the very least it will be under the physical control of whichever country hosts the nearest ground-segment station.

There can be multiple ground stations.

DarthNebo4y ago

I get the connectivity point but surely you would also need unfettered internet access if you live in countries which actively censor/cripple it like Russia, China, NK etc.

And arguably exists to maintain said geocontrol

If you read this you might be interested in this protocol which started as an idea for truly censorship-resistance Twitter but it's evolving into a generic suite of many subprotocols that involve interaction between users.

https://github.com/fiatjaf/nostr

Kinda like the "fediverse", but improved in the sense that it is not federated, but also not P2P (because pure p2p doesn't scale).

user_named4y ago

I think centralization is just a property of reality. Everything is centralized. Crypto is centralized in certain ways (mining capacity, holdings), capital is centralized to the top 0.1% in every country and so on.

It is better to design systems to handle centralization than with the assumption that they will remain decentralized, which would sort of break them.

__MatrixMan__4y ago

I disagree. As just one counterexample, consider the mycorrhizal fungal networks that mediate access to nutrients among trees--they've been doing their job without centralized intervention for billions of years.

If it seems like everything that we build is centralized, it might just be that we're bad at building things that last.

meheleventyone4y ago

Like the Internet? I actually think we could be good at building these sorts of things if we let go of the profit motive for doing so. History shows that we have been.

Or bad at building things that decompose...

user_named4y ago

The tree is the center.

meheleventyone4y ago

This is something touched on by The Tyranny of Structurelessness and further confirmed by the way companies with a flat internal hierarchy operate. Where there is decentralisation there is implicit power relationships and in the terms of the root essay here platform and indirect centralisation. It’s the why of democracy in anarchist organisation.

1970: we're going to build an unbreakable worldwide network to survive a nuclear war

2021: AWS and amazon US-EAST-1 is down, this means my coffee maker doesn't work

betterunix24y ago

Uh...

1970: Early networks suffered from congestive collapse problems, routing protocols were slow to converge, computed suboptimal routes, and had count-to-infinity problems, only a handful of transit networks existed, domain names were managed by one dude broadcasting a file to everyone, little to no security infrastructure, etc.

2021: We have robust congestion control and queue management, scalable routing protocols that find optimal routes and have no count-to-infinity problems, DNS, large numbers of transit networks with a high level of redundancy, and at least some security infrastructure in key places (DNSSEC, RPKI, etc.).

Don't confuse web infrastructure and hosting services with the Internet itself, which is the network and which has never been more distributed or more robust than it is today.

cj4y ago

I see your point, but do all those network level improvements mean much to the end user when so many critical services live in datacenters owned by 1 company? Many of which in a single region on the east coast, that goes dark at least a couple times a year for hours on end?

It wasn't supposed to be serious, but for anyone that's ever seen a catastrophic level3 failure as a peer or large customer of AS3356... It's less resilient than you think. There are way too many eggs in one basket in some places.

acdha4y ago

Source: https://twitter.com/VessOnSecurity/status/146845781929696870...

contingencies4y ago

Added attributed original to https://github.com/globalcitizen/taoup

Karrot_Kream4y ago

Unfortunately I don't think most users care. Give someone the choice between a cheap service with two nines (or even one) of reliability and a more expensive one with four, and the vast majority of people will go with the former. I mean, most ISPs in the US offer business connections with real SLAs but almost nobody is willing to pay that much for guaranteed bandwidth and uptime.

A recent example is "Message Layer Security".

While Wire and Matrix are working on a decentralized version the IETF is, unfortunately, working towards one based on a central entity.

Source:

https://news.ycombinator.com/item?id=25102916

https://matrix.org/blog/2021/06/25/this-week-in-matrix-2021-...

As far as we know, the Wire version is still logically centralised, using a centralised sequencing server.

On the Matrix side we’re working on fully decentralising it (as per https://matrix.uhoreg.ca/mls/ordering.html). There’s also a cool similar project from Matthew Weidner: https://dl.acm.org/doi/10.1145/3460120.3484542

It’s a bit perplexing that mnot’s draft cites XMPP as decentralised, given MUCs are very much centralised to a single provider which entirely controls that conversation, and if that provider goes down the conversation is dead. But I guess that’s because XMPP is submitted to the IETF, and Matrix isn’t yet.

zaik4y ago

XMPP is still a decentralized protocol by design. That you can't send messages to a conference hosted on a server that is offline doesn't make it 'centralized'.

rvz4y ago

Interesting to see Wire, and Matrix making an effort in this. Unlike Signal which still requires your phone number and is completely centralized to their servers whist promoting their 85% pre-mined cryptocurrency that they can dump at any time.

> Some protocols require the introduction of centralization risk that is unavoidable by nature. For example, when there is a need a single, globally coordinated 'source of truth', that facility is by nature centralized.

No, there is nothing unavoidable in making a centralized DNS system.

AnthonyMouse4y ago

Right. Even putting aside blockchain-based systems, you can have systems without a dictator because they're based on voting.

Suppose the root is a set of public keys, each with a top level domain. Adding one requires a supermajority of the others to agree. Removing one is impossible; it can sign its own successor and that's it. You now have a federated system with no single chokepoint.

mindslight4y ago

I'd say blockchain naming and the system you describe are still both centralized. The authorities are distributed, but they're still collectively responsible for deciding on a single coherent root.

Compare with systems that don't revolve around making any coherent global view, like Petnames. In the context of Zooko's triangle - do the human readable name lookup once as part of a manual process, and then persist the relationship as decentralized/secure but not human-readable.

notriddle4y ago

> because they're based on voting

All voting systems require protection against Sybil attacks. The best methods to protect against Sybil attacks are centralized. The not-best methods use proof of work, which has extreme downsides and only makes Sybil attacks expensive, not impossible.

acdha4y ago

I think that's a question of whether you're thinking of “unavoidable” in the technical or social context. You could design a system where anyone can run their own root but would you want to operate a business in a world where your advertisements need to list which of the DNS roots you use and spend time paying to register with everything which becomes popular enough that spammers would consider registering your names? That seems even worse than the proliferation of top-level domains since there at least the name which people see is actually different than the one you advertise.

ggm4y ago

You convert a single point of truth to a set of the point of truth and a voting system. The current cryptographically signed model uses a single signing authority. I suppose you could argue for multiple independent signing but it begs the question how you arrived at what was to be signed. That's a process to a unitary decision.

perryizgr84y ago

In fact, isn't torrent magnet links exactly this kind of a system? You can locate files on thousands of peer systems, without using a centralized tracker.

notriddle4y ago

But not human readable, so not a replacement for DNS.

https://en.wikipedia.org/wiki/Zooko%27s_triangle

aspenmayer4y ago

DHT definitely seems to fit. You can even search the DHT itself without using torrents or magnet links at all.

preseinger4y ago

What? Practical addressability requires centralization by definition. How could it work otherwise?

sweetbitter4y ago

If we go for human-readable and decentralized with reasonable security, we can look towards 'petname' systems, like the 'Address Book' software popular on the I2P network. Petnames are the subjective binding of public keys to shortened names, where a user resolves domain names to keys according to a combination of their own personal list (which can be easily expanded with specially-formatted 'address helper links') and the lists of third parties which they have chosen to trust (or which they have been bootstrapped into, thus trusting the bootstrapper by proxy). No need for environmentally unfriendly proof of work schemes or what-have-you. This falls on the 'less secure' point of Zooko's Triangle in the sense that, although it is very practical, decentralized, and usually avoids conflict, it does have trust-based security flaws if those providing their lists ('resolvers' if you will) manage to swap out keys for a petname without anyone noticing.

wmf4y ago

See https://en.wikipedia.org/wiki/Zooko%27s_triangle for an exploration of the tradeoffs.

goodpoint4y ago

...for an arbitrary definition of "practical".

There isn't a single world-wide authority that assigns names to people or companies, or plate numbers to cars or airplanes. It's partially federated and we accept the tradeoffs.

qnsi4y ago

isnt it ironic it was posted on github?

j / k navigate · click thread line to collapse