Everything you wanted to know about the decentralized Internet provider "Medium", but were afraid to ask

Good afternoon, Community!

My name is Yanislav Basyuk. I am the coordinator of the public organization "Medium".

In this article, I have tried to collect the most comprehensive information about what this decentralized Internet provider operating on the territory of the Russian Federation is.

I will cover:

    What is Medium
    What is Yggdrasil and why is Medium using it as its primary transport
    How to properly configure the environment to use the resources of the "Medium" network

What is "Medium"?

Medium (English "medium", meaning "intermediary"; original slogan: "Don't ask for your privacy. Take it back"; the English word "medium" also means "intermediate") is a Russian decentralized Internet provider that provides access to the Yggdrasil network at no cost.

When, where and why was "Medium" created?

The project was originally conceived as a mesh network in the Kolomna urban district.

"Medium" was formed in April 2019 as part of the creation of an independent telecommunications environment by providing end users with access to the resources of the Yggdrasil network through the use of Wi-Fi wireless data transmission technology.

Where can I find a complete list of all network points?

You can find it in repositories on GitHub.

What is Yggdrasil and why is Medium using it as its primary transport?

Yggdrasil is a self-organizing mesh network that can connect routers both in overlay mode (over the Internet) and directly to each other via a wired or wireless connection.

Yggdrasil is a continuation of the CjDNS project. The main difference between Yggdrasil and CjDNS is the use of STP (Spanning Tree Protocol).

By default, all routers on the network use end-to-end encryption to transfer data between other participants.

The choice of the Yggdrasil network as the main transport was due to the need to increase the connection speed (until August 2019, Medium used I2P).

The transition to Yggdrasil also gave the project participants the opportunity to start deploying a mesh network with a full-mesh topology. This kind of networking is the most effective antidote to censorship.

Yggdrasil uses end-to-end encryption by default. Why do Medium network services use HTTPS?

There is no need to use the HTTPS protocol to connect to web services on the Yggdrasil network if you are connecting to them through a locally running router on the Yggdrasil network.

Indeed, the Yggdrasil transport at the protocol level allows you to safely use resources within the Yggdrasil network: the possibility of MITM attacks is completely excluded.

The situation changes radically if you access Yggdrasil intranet resources not directly, but through an intermediate node: an access point of the Medium network, which is administered by its operator.

Who in this case can compromise the data that you transmit:

  1. Access point operator. Obviously, the current operator of the access point of the "Medium" network can listen to unencrypted traffic that passes through its equipment.
  2. An intruder (man in the middle). "Medium" has a problem similar to that of the Tor network, only with respect to entry and intermediate nodes.

This is how it looks: [image]

Solution: to access web services within the Yggdrasil network, use the HTTPS protocol (layer 7 of the OSI model). The problem is that Yggdrasil network services cannot get a genuine security certificate issued by conventional means such as Let's Encrypt.

Therefore, we have established our own certificate authority - "Medium Root CA". The vast majority of the services of the Medium network are signed by the root security certificate of this certificate authority.

The possibility of the certification authority's root certificate being compromised was certainly taken into account, but here the certificate is needed mainly to confirm the integrity of the data transfer and to exclude the possibility of MITM attacks.

Services of the "Medium" network run by different operators have different security certificates, each signed one way or another by the root certification authority. However, root CA operators are not able to sniff the encrypted traffic of the services whose security certificates they have signed (see the section "What is CSR?").
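Why signing a certificate gives the CA no ability to read a service's traffic comes down to how a CSR works: the key pair is generated by the service operator, and only the public half travels to the CA. The script below is an added example, not part of the original article or the Medium project's tooling; the CA name and `service.example` are constructed stand-ins, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: constructed test CA and service name, not the Medium Root CA.
set -eu

WORK=$(mktemp -d)   # scratch directory for the constructed keys and certs

# CA operator: self-signed root certificate and its own private key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Service operator: the private key is generated locally and stays local.
# Only the CSR (name, public key, self-signature) is handed to the CA.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=service.example" \
        -keyout "$WORK/svc.key" -out "$WORK/svc.csr" 2>/dev/null
}

# CA operator: the CSR is the only input received from the service operator.
sign_csr() {
    openssl x509 -req -in "$WORK/svc.csr" -days 1 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/svc.crt" 2>/dev/null
}

# True if the CSR contains no private key block.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/svc.csr"
}

# True if the signed certificate carries the public half of the given key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$WORK/svc.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate chains to the constructed root.
cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/svc.crt" >/dev/null 2>&1
}

make_ca; make_csr; sign_csr
csr_has_no_private_key && cert_matches_key "$WORK/svc.key" && cert_chains_to_ca \
    && echo "certificate issued; service private key never left the operator"
```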

Those who are especially concerned about their security can use additional means of protection, such as PGP and the like.

At the moment, the public key infrastructure of the Medium network supports checking the status of a certificate using the OCSP protocol or a CRL.

Does Medium have its own domain name system?

Initially, the Medium network did not have a centralized domain name server that could allow network members to access the most frequently visited resources in a simpler and more familiar form (as opposed to using the IPv6 address of a specific server).

We at Medium decided to breathe life into this idea - and, looking ahead a bit, we succeeded!

Domain names are registered automatically - you just need to specify the IPv6 address of the server on which the service is running. The robot will check if this address really belongs to the person attempting to register the domain name.

If successful, the domain name will be added to the domain name database within 24 hours. If the server stops responding to the robot and is unavailable for more than 72 hours, the domain name will be released.

Registering a domain name on ::1 will not work.

A copy of the complete list of registered domain names can be found in repositories on GitHub. This provides maximum transparency about the current state of domain names and rules out their being blocked because of an ambiguous situation caused by the human factor, for example if the DNS operator doesn't like something.

What about issuing SSL certificates for web services?

The creation of a domain name server was also due to the need to deploy a public key infrastructure - in order to issue a certificate, it must contain the CN (Common Name) field, which is the domain name for which the certificate is issued.

The procedure for issuing certificates signed by the certification authority occurs automatically - the robot checks the correctness and authenticity of the data entered by the user. If successful, an email is sent to the end user, including the signed certificate.

How to properly configure the environment to use the resources of the "Medium" network?

The specifics of the work environment setup process depend on the operating system you are using.

Choose wisely (image is clickable): [images]

Free Internet in Russia starts with you

You can render all possible assistance in establishing a free Internet in Russia today. We have compiled a comprehensive list of how you can help the network:

    Tell your friends and colleagues about the Medium network
    Share a link to this article on social networks or in your personal blog
    Take part in the discussion of technical issues of the Medium network on GitHub
    Create your web service on the Yggdrasil network and add it to the DNS of the "Medium" network
    Set up your own access point to the Medium network

See also:

Darling we're killing the internet
Decentralized Internet Service Provider "Medium" - three months later
"Medium" is the first decentralized Internet provider in Russia

We are on Telegram: @medium_isp

Source: habr.com