The recent Bybit hack raised discussions (in CeRes libp2p TG) around safeguarding users from compromised JS using IPFS.
Using ENS+IPFS to serve a censorship-resistant and secure front end is not a new idea. The biggest blow was the removal of native IPFS support in Brave.
Hence some new crazy idea…
It is clearly hard to solve the ENS resolution + decentralised CDN usage via integration in the browser, simply because users tend to use the same browser for all activities, and having to get a specific browser just to access a dapp is cumbersome.
I can see that in my own usage of dapps. I rarely use an in-wallet browser to access my dapps, and prefer to rely on browser wallet extensions.
Also, users don’t really care about security and decentralization, so getting them to install a browser extension so that the loading of their web page gets slower isn’t an easy task.
So… who cares?
Well, I would argue that wallets care. Wallet developers and projects want their users to use a secure frontend to interact with smart contracts.
Hence, my question is why isn’t ENS+IPFS integrated in popular wallet extensions?
Reader, please point out any wallet that does integrate ENS+IPFS to help retrieve dapp frontends.
A skeleton of an idea
The Status Wallet Connector development will enable leveraging Status Desktop wallet’s security from your day-to-day browser.
Assuming Status Desktop is running a Codex node, the browser extension could:
- Pass ENS to Status Desktop
- Status Desktop uses the RPC API to resolve ENS and get the Codex CID
- The Codex node in Status Desktop retrieves data from the CID
- Status Desktop sends the frontend code to the browser extension, which displays it in the browser
I assume this is possible as this is what the IPFS Companion extension does. The difference is that the Codex node is not running in the extension, or standalone and accessed via extension, but embedded in the Status Desktop app.
The main UX difference is that the user is a Status wallet user - they do not need to install additional software to have a more secure/decentralized/censorship-resistant experience. They just install Status Desktop and the Status connector browser extension.
ENS does have strategies to embed ENS in DNS, which could help smooth the experience:
- User goes to app website https://app.safe.global/
- Browser pulls website from web2 CDN as usual
- Resolution of the related ENS is done by the extension or Status Desktop (is it possible?)
- ENS used to retrieve CID, then content, etc
- Once JS content is ready, the extension can pop up and offer a “verified” version of the frontend to the user - or just compare what the browser downloaded from the web2 CDN with what was received from Codex and alert the user if the code differs.
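
The comparison in the last step could look like the sketch below. It is an added example, not code from Status, Codex or any extension. It assumes both copies are already in hand as maps of path to raw response bytes, and `compareFrontends` and the sample assets are hypothetical names and constructed data. It runs under Node so it works offline; an extension would hash with the browser's Web Crypto API instead.

```javascript
const { createHash } = require('node:crypto');

// Hash raw bytes, not decoded text, so encoding differences cannot hide a change.
const sha256 = (bytes) => createHash('sha256').update(bytes).digest('hex');

// cdnAssets: what the browser downloaded from the web2 CDN.
// referenceAssets: what was retrieved by CID (treated as the trusted copy).
// Both are Map<path, Buffer|Uint8Array>.
function compareFrontends(cdnAssets, referenceAssets) {
  const findings = [];
  for (const [path, refBytes] of referenceAssets) {
    if (!cdnAssets.has(path)) {
      findings.push({ path, kind: 'missing-from-cdn' });
      continue;
    }
    const expected = sha256(refBytes);
    const actual = sha256(cdnAssets.get(path));
    if (expected !== actual) {
      findings.push({ path, kind: 'modified', expected, actual });
    }
  }
  // A file served by the CDN but absent from the reference copy matters
  // as much as a modified one, so it is reported too.
  for (const path of cdnAssets.keys()) {
    if (!referenceAssets.has(path)) {
      findings.push({ path, kind: 'unexpected-on-cdn' });
    }
  }
  return { verified: findings.length === 0, findings };
}

// Constructed sample data (not real frontend code).
const reference = new Map([
  ['/index.html', Buffer.from('<script src="/app.js"></script>')],
  ['/app.js', Buffer.from('sign(tx);')],
]);
const alteredCdn = new Map([
  ['/index.html', Buffer.from('<script src="/app.js"></script>')],
  ['/app.js', Buffer.from('sign(tx); /* altered */')],
  ['/extra.js', Buffer.from('/* not in reference */')],
]);

const result = compareFrontends(alteredCdn, reference);
console.log(result.verified ? 'frontend matches reference' : 'frontend differs:');
for (const f of result.findings) console.log(` ${f.kind}: ${f.path}`);
```

The alert is only as trustworthy as the ENS record that yields the CID, so resolution has to go through an RPC endpoint the wallet trusts.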