Censorship views the world as a semantic system in which information is the only reality, and what is not written about does not exist.
— Michael Geller
This digest is intended to increase the interest of the Community in the issue of privacy, which in the light of recent events becomes more relevant than ever.
"Medium" creates its own DNS inside the Yggdrasil network
"Medium" introduces the ability to automatically issue certificates signed by "Medium Root CA"
Remind me - what is "Medium"?
Medium (English Medium — “intermediary”, original slogan — Don't ask for your privacy. take it back; also in English word medium means "intermediate") - a Russian decentralized Internet provider that provides network access services Yggdrasil at no cost.
It was formed in April 2019 as part of the creation of an independent telecommunications environment by providing end users with access to the resources of the Yggdrasil network through the use of Wi-Fi wireless data transmission technology.
'Medium' switches entirely to Yggdrasil
Yggdrasil is self-organizing mesh network, which has the ability to connect routers both in overlay mode (over the Internet), and directly to each other via a wired or wireless connection.
Yggdrasil is a continuation of the project CjDNS. The main difference between Yggdrasil and CjDNS is the use of the protocol STP (spanning tree protocol).
By default, all routers on the network use end-to-end encryption to transfer data between other participants.
The decision to switch all access points of the Medium network from I2P to Yggdrasil was due to the need to increase the connection speed and the possibility of deploying a Mesh network with a Full-Mesh topology.
"Medium" creates its own DNS inside the Yggdrasil network
Initially, the Yggdrasil network did not have a centralized domain name server that could allow network members to access the most frequently visited resources in a simpler and more familiar form (as opposed to using the IPv6 address of a specific server).
We at Medium decided to breathe life into this idea - and, looking ahead a bit, we succeeded!
Domain names are registered automatically - you just need to specify the IPv6 address of the server on which the service is running. The robot will check if this address really belongs to the person attempting to register the domain name.
If successful, the domain name will be added to the domain name database within 24 hours. If the server stops responding to the robot and is unavailable for more than 72 hours, the domain name will be released.
A copy of the complete list of registered domain names can be found at repositories on GitHub.
"Medium" introduces the ability to automatically issue certificates signed by "Medium Root CA"
The creation of a domain name server was also due to the need to deploy a public key infrastructure - in order to issue a certificate, it must contain the CN (Common Name) field, which is the domain name for which the certificate is issued.
The procedure for issuing certificates signed by the certification authority occurs automatically - the robot checks the correctness and authenticity of the data entered by the user. If successful, an email is sent to the end user, including the signed certificate.
Why use HTTPS on the Yggdrasil network?
There is no need to use the HTTPS protocol to connect to web services on the Yggdrasil network if you are connecting to them through a locally running router on the Yggdrasil network.
Indeed: Yggdrasil transport is on the level protocol allows you to safely use resources within the Yggdrasil network - the ability to conduct MITM attacks completely excluded.
The situation changes radically if you get access to Yggdarsil intranet resources not directly, but through an intermediate node - the access point of the Medium network, which is administered by its operator.
Who in this case can compromise the data that you transmit:
Access point operator. Obviously, the current operator of the access point of the "Medium" network can listen to unencrypted traffic that passes through its equipment.
Solution: to access web services within the Yggdrasil network, use the HTTPS protocol (layer 7 OSI models). The problem is that it is not possible for Yggdrasil network services to issue a genuine security certificate by conventional means such as Let's Encrypt.
Therefore, we have established our own certificate authority - "Medium Root CA". All services of the "Medium" network are signed by the root security certificate of this certificate authority.
The possibility of compromising the root certificate of the certification authority was certainly taken into account - but here the certificate is more needed to confirm the integrity of the data transfer and exclude the possibility of MITM attacks.
Services of the "Medium" network from different operators have different security certificates, one way or another signed by the root certification authority. However, root CA operators do not have the ability to sniff the encrypted traffic of services that they have signed security certificates with (see section XNUMX. "What is CSR?").
Those who are especially concerned about their safety can use such means as additional protection, such as PGP и similar.
At the moment, the public key infrastructure of the Medium network has the ability to check the status of a certificate using the protocol OCSP or through the use CRL.
Free Internet in Russia starts with you
You can render all possible assistance in establishing a free Internet in Russia today. We have compiled a comprehensive list of how you can help the network:
Tell your friends and colleagues about the Medium network. Share reference to this article in social networks or personal blog
Take part in the discussion of technical issues of the Medium network on GitHub
Create your web service on the Yggdrasil network and add it to DNS Network "Medium"