Someone used my IPFS gateway for phishing (incoherency.co.uk)
170 points by jstanley on Oct 4, 2018 | hide | past | favorite | 40 comments



Sorry to hear, but you are not alone [0]. It was a matter of time for a new tech to be exploited like that. Providing an IPFS gateway is like opening up a public HTTP proxy (popular back in the 90s). You had good intentions, but there will be a lot of nasty things going through your machine. Of course guys like Cloudflare can absorb the arising liability, but I think they will shut down their gateway at some point.

I think the best way to popularize IPFS will be out-of-the-box support in major browsers. I think Mozilla may be the first one here.

[0] https://www.bleepingcomputer.com/news/security/phishing-atta...


Mozilla talks a lot and doesn't do much in this direction; they promised Tor integration like 4-5 years ago and all they did was set up 3 middle nodes.

Brave Browser already has Tor integration in private tabs and working IPFS integration on the -dev channel since the beginning of this year: https://github.com/brave/brave-browser/issues/819


> they promised Tor integration like 4-5 years ago and all they did was set up 3 middle nodes.

They never promised any Tor integration for the near future, see: https://news.ycombinator.com/item?id=17205441 and the first comment. Brave can do Tor integration because its user base is much smaller than Mozilla's (scaling the Tor network to support the load from all FF users still requires much work).


I don't know how they worked on the Tor integration, but I do know they are actively working towards helping dweb implementations in the browser.

https://github.com/mozilla/libdweb is one of the efforts, and it provides experimental APIs needed in Firefox to have a nice experience. So AFAIK, Mozilla not only talks about dweb, but also helps with the effort.


> I think the best way to popularize IPFS will be out-of-the-box support in major browsers.

On demand gateways with micropayments might also do the trick.


>Around the same time that this email was forwarded to me, DigitalOcean disabled the network interface on my VPS in order to stop the phishing attack from working. Fair enough, can't really expect them to do any more than that.

I disagree. I don't think this is okay. Aside from this IPFS story, DigitalOcean in general does not care about abuse. Unlike providers such as OVH, DigitalOcean will simply nullroute you when you fall victim to a DDoS attack. I wish they would step up their game; until then, after hearing those stories, I will not be using their service for anything I care about.


Yep, both DO and Linode do the same thing. They just null route your IP and take forever to remove it once you've fixed whatever problem it was (even if it was a false alarm).


"And if you know a hosting provider that is less likely to switch your networking off, I'm all ears."

No reputable hosting provider is going to ignore abuse complaints. The best you can hope for is a 24-72 hour window to respond to any complaint.


Proxies are XSS-as-a-service, so you should expect abuse complaints. At least the US provides some protections as a carrier.


How does GMA.html send the creds back to their server?

Interesting question of who has culpability:

- Server receiving creds seems clearly in wrong

- OneDrive hosting the html file which can be used to exfiltrate creds is a bit murkier

- Hosting a link to the onedrive url on IPFS is murkier still.


Note that the link to the OneDrive URL does not come from IPFS. It comes from the URL fragment, which makes it even more murky as to whether the IPFS hash should even be blocked! Perfectly legitimate sites could be using exactly the same content with no knowledge of the phishing attack. It is just copied and pasted from https://itty.bitty.site/

I didn't look into how GMA.html works, but a quick look just now shows that it posts to https://searchurl.bid/joyceesther0101/finish1.php


Ah, I didn't catch that the Base64 string was part of the query param, not stored in IPFS. Yeah, seems like the IPFS data isn't offending whatsoever in this case.

Interesting that it is 'facilitating' phishing (as in dependency in attack chain), but only to the extent that would apply to a number of general-purpose open source libraries, or the browser, or any OS or ISP.

Seems like DigitalOcean made the wrong choice, but the technical complexity of the situation is enough to not put too much blame on them. Unresponsive support is disappointing.


I agree that it's too complex to expect front-line abuse support to work out what's going on, but yes I did expect them to turn my networking back on after I blacklisted the hash.


DigitalOcean disabled network access to one of my droplets too. They won't respond to your emails, but poke them on Twitter and hopefully you will get a response back. Mine took 10 days to get a reply.

I switched to scaleway afterwards.


Looks like they are using 'Vesta', here's their control panel https://searchurl.bid:8083/login/

https://forum.vestacp.com/viewtopic.php?p=68594#p68594

https://www.digitalocean.com/community/questions/how-do-i-de...

Appears there was a vulnerability in this panel, seems plausible that 'owner' of this page is an additional victim of the attacker.


Wow, there's a lot of open ports on that box.


Hmm, doesn't bode well for IPFS, to the extent that bad actors can "easily" disable swaths of infrastructure in a difficult-to-parse/manage way.


Web-IPFS gateways are not part of the IPFS infrastructure, nor are they essential.


They are, however, essential for the transition to it; at least as long as they continue the goal of becoming the new web.


If you want to use IPFS without using a public gateway, it is very easy to install and use a local gateway.

If you also use a browser extension like "IPFS Companion", it can automatically redirect all IPFS-looking URLs to your local gateway.

I agree this doesn't help for casual users who have never heard of it, but it's at least better than "everyone has to use a public gateway all the time".


Neither of these things you mention are very easy on my primary computer, an iPad Pro.


You don't have a general-purpose computer, you have a locked down browser.

(But point taken, a lot of people aren't using general-purpose computers.)


Without major players (browser vendors) joining, it will be like the IPv6 transition.


Firefox has partly added support recently. They recognise ipfs:// as a valid protocol and allow extensions to implement it.


Extensions can't implement the raw IPFS protocol though, they need a companion application running the actual gateway, or can maybe use the WebRTC transport.


No, js-ipfs can run a full ipfs node right in a web page. It'll peer with other nodes over websockets, and do relaying if necessary.


Does js-ipfs work yet? Around the time I first wrote hardbin people were saying you could use js-ipfs, but it just didn't work. My non-javascript node couldn't access content published by js-ipfs, which seems like a major flaw.


> (although their hosting provider doesn't appear to have switched their networking off).

I doubt that Microsoft Azure is going to switch off the networking for all of Microsoft OneDrive over this.


That's not a OneDrive URL ("https://onedrivepreinhabitat.**blob.core.windows.net**") - it's Azure Blob Storage (equiv to Amazon S3). Microsoft could absolutely disable that account.


Yes, that is indeed the joke.


I wouldn't guarantee that. Depends on whether it's automated or manual.


We all should take actions against evil participants. Blocking that URL is part of it.


It's very shitty of DigitalOcean to not at least give you a small window of opportunity to investigate and remove offending content, especially if it's the first complaint. Given that their investigation would have been limited too (unlike yours), it makes it somewhat easy to knock someone off DigitalOcean with a flimsy complaint.


> especially if first complaint

Well:

> It was sent by PhishLabs to DigitalOcean, and DigitalOcean forwarded it to me.

I don't think this is the first complaint from PhishLabs to DigitalOcean. I do think DO would have "investigated" up to the level where they'd click the link and see "yep, that's a google sign in form". It's not up to DO to dispute claims made by people who send them abuse e-mails. As for the dispute itself, we all seem to think the IPFS was not hosting the content. But I'm not sure if that holds up in a legal case (the PirateBay is also not hosting any illegal content).


IPFS isn't even linking to illegal content.

IPFS has no knowledge of the illegal content whatsoever, it all comes from the URL fragment and Microsoft Azure.


By the same merit, any site (big, small, government or otherwise) with an XSS like el.outerHTML = window.location.search or el.outerHTML = window.location.query is vulnerable to being shut down if hosted on DO. Makes one think..
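The pattern this comment and the earlier fragment discussion describe, as an added example that is not code from the thread, from hardbin or from itty.bitty.site: the unsafe "render whatever the URL carries" version beside a hardened one, plus a check showing why the gateway's own logs never contain the fragment. Assumes Node.js, a plain object standing in for the DOM element, and a constructed placeholder CID.

```javascript
// Added example (not the thread's or any project's code). Node.js; the
// "element" is a plain object standing in for a DOM node.

// Decode a base64/base64url payload carried in a URL fragment or query string.
// Anything that is not base64 yields null, so junk never reaches the DOM.
function decodePayload(locationPart) {
  const raw = locationPart.replace(/^[#?]/, '');
  if (!/^[A-Za-z0-9+\/_-]*={0,2}$/.test(raw)) return null;
  const b64 = raw.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// UNSAFE pattern from the comment above (innerHTML here; outerHTML behaves the
// same way): URL-controlled bytes are parsed as markup, so a sign-in form or a
// link to an external script renders as real HTML on the hosting site.
function renderUnsafe(el, locationPart) {
  const html = decodePayload(locationPart);
  el.innerHTML = html === null ? '' : html;
  return el.innerHTML;
}

// HARDENED: the same bytes are inserted as text. Angle brackets stay inert,
// so the hosting page cannot be turned into someone else's phishing form.
function renderSafe(el, locationPart) {
  const text = decodePayload(locationPart);
  el.textContent = text === null ? 'Invalid payload' : text;
  return el.textContent;
}

// Why the gateway operator could not see the offending content: the fragment
// is never sent to the server, so an access log holds only path and query.
function gatewayVisiblePart(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Constructed demo values (placeholder CID and host, not real ones).
const DEMO_PAYLOAD = Buffer.from('<b>Sign in</b>').toString('base64');
const DEMO_URL = 'https://gateway.example.invalid/ipfs/QmPLACEHOLDERCID/#' + DEMO_PAYLOAD;

module.exports = { decodePayload, renderUnsafe, renderSafe, gatewayVisiblePart, DEMO_PAYLOAD, DEMO_URL };
```

Blocking the CID on the gateway, as the OP did, blocks the benign renderer rather than the payload; the payload lives only in the visitor's browser.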


If you don't want to be nullrouted at the first abuse or DMCA complaint, I recommend more professional hosters like Hetzner or OVH. They will forward abuse mail to you first and only react themselves if you ignore the mails entirely and repeatedly do nothing about it.


You don't have to go to Hetzner or OVH to get some sensibility. We've worked with Linode over a somewhat dubious, overreaching copyright claim some years ago; they were professional and available, and we had some back and forth whilst my client sought legal advice. In the end it wasn't completely frivolous; we had to give an inch instead of the mile the legal complainant desired. This was over a period of a few days and we were never suspended. We made the small modification, Linode was happy, the complainant went quiet eventually, we carried on...

I wouldn't trust DigitalOcean with this fire-first, ask-questions-later approach, especially given the technical nature of OP's setup.


Leaving an IPFS gateway open seems as intelligent as running a Tor exit node.


Indeed it is - stage 6. Individually acting for the good of others and the future, rather than short term self interest.

https://en.wikipedia.org/wiki/Lawrence_Kohlberg%27s_stages_o...



