conference logo

Playlist "May Contain Hackers 2022"

Trusted CDNs without gatekeepers

rysiek

I want a Web where CDNs are unnecessary.

Where different organizations, different website operators, can help each other out by hosting assets for each others' websites, thus spreading the load across many orgs in solidarity, instead of centralizing it in gatekeepers.

I believe I might slowly be getting to a point of having a decent answer to that question. No blockchain required.

What if I told you the [code for this is already mostly there](https://gitlab.com/rysiekpl/libresilient/)?

All major browsers support Service Workers and Subresource Integrity, which means we can have a piece of JS that:
1. only gets updated from the original domain
2. handles all requests for the website
3. routes these requests to the original domain, or hits third party endpoints when the original domain is unavailable for whatever reason
4. has ways of distributing and checking Subresource Integrity on any fetched resource.

And we do!

Points 1. and 2. are assured by Service Workers API, so browsers enforce that.

Point 3. can be achieved with [LibResilient's the alt-fetch plugin](https://gitlab.com/rysiekpl/libresilient/-/blob/master/plugins/alt-fetch.js).

Point 4. is the job of [LibResilient's signed-integrity plugin](https://gitlab.com/rysiekpl/libresilient/-/blob/master/plugins/signed-integrity.js).

This is all very PoC. Documentation is lacking or non-existent. But it's already there, ready to be tested and improved.