Paradigm shifts for the decentralized Web (verborgh.org)
107 points by quickfox on Jan 30, 2018 | hide | past | favorite | 30 comments




Yeah, identity is a very crucial and difficult topic, which I did ignore in that post. Reason being: in my experience, as soon as you start talking about identity, it takes up everything. So I have made a couple of assumptions about authentication and identity; this is what we could build on top of that.


The GPL was a massive legal jujitsu that changed software forever. We need the equivalent with a business model.

The biggest challenge isn't the technical plumbing, it's changing how companies operate and changing customers' behavior.

What is the business model? Why would the next unicorn give up this advantage?

Businesses want data lock-in. They try to create "data moats" to protect their castles.

No product will win on security and privacy features alone. They are critical for a small segment of adoption, but sadly haven't been a factor for mass adoption.


I think people should back down slightly from full "no gods no masters" decentralisation, where everyone runs their own castle, and look to user-run mutual ownership structures.

This is going to involve money changing hands. Users are going to have to pay enough that the people running the system get comfortable professional salaries - not unicorn money and not in SV, but it has to be competitive. Relying for the long term on altruism will only take you so far.

In return, the users should get a genuine say in the policies of the system. This involves building not just a system but a community.

Perhaps the closest to this model that's currently successful is Mastodon.


Exactly! The whole current mindset around startups and unicorns and such is wrong (or warped).

Everything should be 'disruptive', earn a shitload of cash in a short time.. but why? Why is disruption always good? After all.. it disrupts!

I would be perfectly happy creating non-disruptive products and earning a perfectly modest salary from it :)


I think these business models already exist.

You can find them in community startups that use decentralized technologies and semantic content to empower individuals to cooperate directly, and to create initiatives between parties without central authorities in control.

The technologies just need to mature further and gain more traction.. and applications need to be created outside of the academic sphere (especially true for semantic web apps).

I'd like to see true decentralized application frameworks that are semantic and truly decentralized.

Solid (https://github.com/solid/solid ) is a great project for the semantic web, and so is http://ld-r.org/

Then you also have ipfs.org, datproject.org, scuttlebot.io, mastodon.social

But the semantic web projects are too content-oriented, and the others are either file-exchange or (limited) social web interpretations.

AFAIK no truly decentralized messaging / application framework exists yet (though I have to investigate Solid more thoroughly still).


I submit that we currently have a massively popular decentralized, federated, open standard messaging system. It goes by SMTP, and it's a cluster in many ways.


Yeah, agree. But this is a low-level protocol. Many mail (email) applications, but event-based application messaging frameworks? I could find some that come close..

Do you have some good pointers?


Messaging does exist; check out Linked Data Notifications (https://www.w3.org/TR/ldn/).


Technology is definitely not the only burden. Check out http://blog.dshr.org/2018/01/it-isnt-about-technology.html for a good argument.


Wow, point for point this is what we've built at gun ( https://github.com/amark/gun ).

- You only store the data you are subscribed to, which if it is your data, is automatically stored in localStorage and, if you run an Electron/React-Native app, is also backed up on your hard drive, and optionally you can have it back up to any server you run. This is particularly true with the P2P identity system: https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-wi...

- This data can only be decrypted by the app if the user happens to use that app. The app doesn't have any special server, it is just some front-end logic, for instance, see this 4min interactive tutorial: https://scrimba.com/c/c2gBgt4

- The interface literally is just query, where that query is represented in HTML (or GraphQL at https://github.com/brysgo/graphql-gun ) with automatic 2-way binding based off of `name` attributes, like so: https://github.com/amark/gun/blob/master/examples/contact/in...

Ruben, if you happen to see this, shoot me an email (check my HN profile)! I know Dmitri as well! Great article! :)


Just saw this, and by total coincidence just met with Dmitri this morning. Sending you an email!


Thx! I have been following gun for a while.. very interesting project!

But its decentralization features are not all that clear to me (have to dive deeper). Things like peer discovery, NAT traversal, gossiping, etc.

Does that come with the package?


I'm honored!!! Thanks. Yes, the architecture is P2P/decentralized (see this talk https://youtu.be/5fCPRY-9hkc ), however:

- NAT Traversal sucks and WebRTC is still very glitchy. To get around this, it is easier/better to just run gun on your machine directly (not via a browser) and connect directly to other gun peers with their IP addresses. Then browsers can connect via websocket fallback, but as WebRTC gets better that will work too.

- Peer discovery is not built in by default, but should be trivial to do by starting with some bootstrapping peers; as other peers connect to them, everybody saves the new IP addresses to a common `gun.get('peers').set(IP)` table. So yes, it is easily possible, just not built in (I'm sure in the future we'll have a full-fledged extension for it).

- re:"gossip" GUN automatically daisy chains updates through peers of peers, in an ad-hoc mesh-network manner.

Would love to chat more! What is your email? Mine is mark [atatatat] gunDB [dotdotdot] io !
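A toy model of the bootstrap-peer discovery and daisy-chained forwarding described in the comment above, added here as an example. It is not gun's code and does not use gun's API; the `Node` class, the `host:port` address format and the constructed 198.51.100.x addresses are assumptions of the example. It also adds the check a shared, anyone-can-write peer table needs in practice: announced addresses are validated and the table is capped before anything is stored.

```javascript
// Added example, not gun's code: a toy model of bootstrap-based peer discovery
// with daisy-chained forwarding. Each node holds a replicated "peers" table;
// an address announced at any node is stored once and forwarded to every
// neighbour except the one it came from, so it reaches peers of peers.
const ADDR_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{1,5})$/;

// The table is writable by any peer, so validate before storing: only
// well-formed IPv4:port literals, no loopback or "this network" addresses.
function validAddress(addr) {
  const m = ADDR_RE.exec(addr);
  if (m === null) return false;
  const octets = m.slice(1, 5).map(Number);
  const port = Number(m[5]);
  if (octets.some(o => o > 255)) return false;
  if (octets[0] === 0 || octets[0] === 127) return false;
  return port >= 1 && port <= 65535;
}

class Node {
  constructor(addr, maxPeers = 64) {
    this.addr = addr;
    this.maxPeers = maxPeers;        // cap so a flood of announcements cannot exhaust memory
    this.neighbours = new Set();     // nodes with a live connection to this one
    this.peers = new Set([addr]);    // replicated peer table, seeded with our own address
  }

  // Open a direct connection (e.g. to a bootstrap node) and exchange tables.
  connect(other) {
    this.neighbours.add(other);
    other.neighbours.add(this);
    for (const p of other.peers) this.receive(p, other);
    for (const p of this.peers) other.receive(p, this);
  }

  // Store a newly learned address and forward it on. The membership check is
  // what stops the flood from looping forever in a cyclic mesh.
  receive(addr, from) {
    if (!validAddress(addr) || this.peers.has(addr)) return false;
    if (this.peers.size >= this.maxPeers) return false;
    this.peers.add(addr);
    for (const n of this.neighbours) {
      if (n !== from) n.receive(addr, this);
    }
    return true;
  }
}

// Constructed scenario: one bootstrap node and two joiners, the second of
// which only ever talks to the first. Returns each node's sorted table.
function demo() {
  const bootstrap = new Node('198.51.100.1:8765');
  const n2 = new Node('198.51.100.2:8765');
  const n3 = new Node('198.51.100.3:8765');
  n2.connect(bootstrap);
  n3.connect(n2);
  bootstrap.receive('not an address', null);   // rejected by validation
  bootstrap.receive('127.0.0.1:8765', null);   // rejected: loopback
  return [bootstrap, n2, n3].map(n => [...n.peers].sort());
}
```

After `demo()` every node, including the one that never connected to the bootstrap node, holds the same three addresses; the two bogus announcements are dropped at the first hop and never propagate.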


Great! Enlightening.. (a mail has been dispatched :)


What if all the super-advanced technology for consumer behavior tracking could be somehow judo-flipped into a new form of anonymous resource ownership? So instead of legitimate websites being forced to ask a tech giant for an identity token just to establish a session, while shady advertisers silently assemble vast shadow profiles of consumers' behavior using browser fingerprinting, legitimate companies could use browser fingerprinting to automatically create a persistent session, which the user can then voluntarily link to an identity, or leave anonymous if they so choose?

A person could potentially have a number of identities that are anonymous or pseudonymous, that are automatically created and detected whenever they use the internet. They could maybe view a dashboard of their identities on a secure device, link them by function and scope, expose personally identifiable information through them at will, and create policies to automate all this.

Eg. if I visit a site like HN more than twice, it could just create an anonymous account for me automatically through fingerprinting and log me in automatically. Then, if I want to link this account to other services or other devices, I could do that through some general purpose API on a secure device. This could potentially lead to a general purpose "consumer identity" system where a person's offline behaviors are brought in as well.

My point is there's no reason why the most advanced forms of tracking and identity management can't be brought under users' full control for our own benefit. Fingerprinting is treated like the internet's dirty secret, but it's a technology that could be used in different ways. I would prefer this to any of biometric authentication schemes that have been peddled as "passwordless."


> Fingerprinting is treated like the internet's dirty secret, but it's a technology that could be used in different ways. I would prefer this to any of biometric authentication schemes that have been peddled as "passwordless."

Fingerprints (and other biometric data) are the analogue of a (public) username, not the analogue of a password:

> http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...

HN discussion:

> https://news.ycombinator.com/item?id=8496797

So if you replace entering your username with a fingerprint, retinal scan, ... this is perfectly fine from a security perspective (though IMHO a really bad idea from a privacy perspective). On the other hand, using biometric data as a replacement for passwords is, from a security perspective, an anti-pattern.


This reply seems to have missed the point of its parent and just picked up on the word fingerprint in a different context.

I like the parent's overall point, but I suspect its business model is not viable.

Any service that helps the user against the publisher's interests will need to be funded through charging the consumer. Not easy these days.


Why assume it is against publishers' interests for people to control how they expose their own identity? Advertisers, sure, but publishers? I see privacy as being more orthogonal to their interests than directly against them.

Nevertheless, you're probably right about the business model. I was piggybacking on the idealism of the article we're commenting on. It's fun to just discuss possible futures without worrying about viability once in a while.


Agreed. I ought not to have assumed the status quo must prevail. Indeed, hopefully a viable solution to the Publisher's Dilemma will be found.


> This reply seems to have missed the point of its parent and just picked up on the word fingerprint in a different context.

I am aware that "fingerprint" has different meanings, but the grandparent explicitly talked of biometric authentication (e.g. physical fingerprints) in his last sentence:

> I would prefer this to any of biometric authentication schemes that have been peddled as "passwordless."

This is what I was referring to.


tboyd47 is talking about browser/device fingerprinting, not physical fingerprints. Such fingerprints are usually attached to the device rather than to a specific account, but if we assume that a user needs a secure password/login to access the device, it might be a workable proxy.

[1]: https://en.wikipedia.org/wiki/Device_fingerprint
[2]: https://panopticlick.eff.org/


I've built a new version of HTTP that lets you build apps from multiple websites, linking their internal state together as easily as we link pages together today.

I think this solves much of the difficulty in building the decentralized web vision described in this article. I'd love to get critique and feedback.

https://stateb.us


A few suggestions (from a backend developer, so not exactly your target audience):

- Show the source (repository) of a real webapp built with Statebus. Citing Linus, "Talk is cheap. Show me the code." Make sure it includes examples of all the advantages cited, like "accessing another site's state".

- Compare your solution with similar alternatives (e.g. my first thought was Meteor).

- Add a public way of asking questions, like a forum or a subreddit. I'm more inclined to ask questions if the responses are public, and it might help you build a body of knowledge to spur the interest of visitors (and even improve your SEO).

As an aside, the svg is not rendering well on my machine (FF 58 on Ubuntu 16.04): http://sufi.andreparames.com/screen_statebus.png


Wow, thank you! This is great feedback!


> linking their internal state together

Standards committees spent ages retrofitting measures to prevent this, since it's so easily abused to steal data and logins by wrapping one site in another in various ways.
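The measures this reply alludes to are the browser's same-origin policy, the CORS protocol that selectively relaxes it, and the framing protections (X-Frame-Options, CSP frame-ancestors) that stop one site from wrapping another. As an added example, not code from Statebus or from anyone in this thread, here is how a state endpoint that is meant to be read and written from other sites can allowlist origins, echo only a trusted origin, refuse cross-origin writes server-side and refuse to be framed. The origins, paths and the in-memory state are constructed for illustration, and the request and response objects are plain records rather than Node's `http` types.

```javascript
// Added example, not Statebus code: origin allowlisting, CORS headers and
// framing protection for an endpoint that shares its state with other sites.
// Constructed allowlist of origins permitted to read and write state.
const ALLOWED_ORIGINS = new Set(['https://app.example.org', 'https://notes.example.net']);

// Parse an Origin header. Returns the normalised origin or null if the value
// is not a bare https scheme://host[:port] origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== 'https:' || url.pathname !== '/' || url.search || url.hash) return null;
  return url.origin;
}

// Decide how a request may interact with this origin's state.
function corsDecision(req) {
  const raw = req.headers.origin;
  const base = {
    'Vary': 'Origin',                                   // responses differ per origin; keep caches honest
    'Content-Security-Policy': "frame-ancestors 'none'", // nobody may embed this site
    'X-Frame-Options': 'DENY',                           // same, for older browsers
  };
  if (raw === undefined) {
    // No Origin header: same-origin navigation or a non-browser client.
    return { crossOrigin: false, allowed: true, headers: base };
  }
  const origin = normalizeOrigin(raw);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin at all: the browser will not expose the response.
    return { crossOrigin: true, allowed: false, headers: base };
  }
  return {
    crossOrigin: true,
    allowed: true,
    headers: {
      ...base,
      'Access-Control-Allow-Origin': origin,          // the specific origin, never '*' with credentials
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Methods': 'GET, PUT, OPTIONS',
      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    },
  };
}

// A tiny in-memory state server. Requests are {method, path, headers, body}.
function makeStateServer() {
  const state = new Map([['/state/todo', '["buy milk"]']]);   // constructed initial state
  return function handle(req) {
    const d = corsDecision(req);
    if (req.method === 'OPTIONS') {
      // Preflight: only trusted origins get a 204 that unlocks the real request.
      return { status: d.allowed ? 204 : 403, headers: d.headers, body: '' };
    }
    if (d.crossOrigin && !d.allowed && req.method !== 'GET') {
      // Browsers send some cross-origin writes without a preflight, so the
      // server must refuse them itself rather than rely on the client.
      return { status: 403, headers: d.headers, body: 'origin not allowed' };
    }
    if (req.method === 'GET') {
      const body = state.get(req.path);
      if (body === undefined) return { status: 404, headers: d.headers, body: '' };
      return { status: 200, headers: d.headers, body };
    }
    if (req.method === 'PUT') {
      state.set(req.path, req.body);
      return { status: 204, headers: d.headers, body: '' };
    }
    return { status: 405, headers: d.headers, body: '' };
  };
}
```

Note the asymmetry: a read from an untrusted origin is answered but carries no `Access-Control-Allow-Origin`, so the browser withholds it from the calling page, while a write from an untrusted origin is refused outright because the browser cannot be trusted to block every write before it reaches the server.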


Grandiose visions and inspiring words don't change the fact that users don't care how the backend is implemented.


Yes, that is exactly why almost no (end-user) product explains this on their landing page :)

But a user might see the merits of being in control of their own data, and knowing their privacy is not violated by some nefarious use of it..

With all the free-use software platforms nowadays the user is not even the customer.. the advertiser operating in the background is.

Makes me feel bad, especially as the software providers are becoming absolute monopolists :)


I just got an error page... from Cloudflare. Ironic, for a page that talks about decentralization.


As I say in the blog post, decentralization and replication go hand in hand :-) It's my own Web server, so decentralized. Cloudflare just replicates/caches it for faster access around the globe.

