Everything you wanted to know about the decentralized Internet provider Medium, but were afraid to ask

Good afternoon, Community!

My name is Yanislav Basyuk. I am the coordinator of the Medium community organization.

In this article I have tried to collect the most comprehensive information about what this decentralized Internet provider, which operates in the Russian Federation, actually is.

I will cover:

What Medium is
What Yggdrasil is and why Medium uses it as its main transport
How to properly configure your environment to use the resources of the Medium network

What is Medium?

Medium (from the English word medium, meaning “intermediary” or “intermediate”; original slogan: Don’t ask for your privacy. Take it back) is a Russian decentralized Internet provider that gives access to the Yggdrasil network free of charge.

When, where, and why was Medium created?

Initially, the project was conceived as a mesh network in the Kolomensky urban district.

Medium was established in April 2019 to create an independent telecommunications environment by giving end users access to Yggdrasil network resources over Wi-Fi.

Where can I find a complete list of all network access points?
You can find it in the repository on GitHub.

What is Yggdrasil and why does Medium use it as its primary transport?

Yggdrasil is a self-organizing mesh network whose routers can be connected either in overlay mode (over the Internet) or directly to each other over a wired or wireless link.

Yggdrasil is a successor to the CjDNS project. The main difference between Yggdrasil and CjDNS is Yggdrasil's use of a spanning tree protocol (STP).

By default, all routers in the network use end-to-end encryption when transferring data between participants.

Yggdrasil was chosen as the main transport because of the need for higher connection speeds (until August 2019, Medium used I2P).

The move to Yggdrasil also gave the project's participants the opportunity to start deploying a mesh network with a full-mesh topology. Such a network is the most effective antidote to censorship.

Yggdrasil uses end-to-end encryption by default. Why do Medium network services use HTTPS?

There is no need for HTTPS when connecting to web services on the Yggdrasil network if you reach them through a Yggdrasil router running locally on your own machine.

Indeed, the Yggdrasil transport protects traffic at the protocol level, so resources within the Yggdrasil network can be used safely: between two Yggdrasil nodes, a MITM attack is ruled out.

The situation changes radically if you reach Yggdrasil network resources not directly but through an intermediate node: a Medium access point, which is administered by its operator.

Who, in this case, can compromise the data that you transmit:

  1. The access point operator. Obviously, the operator of the Medium access point you are using can read unencrypted traffic that passes through their equipment.
  2. An attacker (man in the middle). Medium has a problem similar to that of the Tor network, but with respect to the entry and intermediate nodes.


Solution: use HTTPS (layer 7 of the OSI model) to access web services within the Yggdrasil network. The problem is that Yggdrasil network services cannot obtain a genuine certificate by conventional means such as Let's Encrypt (a public CA can only validate names that resolve and are reachable in the public Internet, which Yggdrasil addresses are not).

Therefore, we established our own certification authority, “Medium Global Root CA”. The vast majority of Medium network services have certificates signed by its intermediate certification authority, “Medium Domain Validation Secure Server CA”.

The possibility of the CA's root certificate being compromised was of course taken into account; but here the certificate is needed mainly to confirm integrity during data transfer and to rule out MITM attacks.

Medium network services run by different operators have different certificates, all ultimately signed by the root certification authority. However, the operators of the root CA cannot read the encrypted traffic of the services whose certificates they signed: a CA signs a certificate signing request (CSR), which carries only the service's public key, so the private key never leaves the service operator (see “What is a CSR?”).

Those who are especially concerned about their security can use tools such as PGP as additional protection.

At the moment, the Medium network's public key infrastructure supports checking the status of a certificate via OCSP or via a CRL.

Does Medium have its own domain name system?

Initially, the Medium network had no centralized domain name server that would let participants reach the most frequently visited resources in a simpler and more familiar form (rather than by the IPv6 address of a specific server).

We at Medium decided to breathe life into this idea, and, to jump ahead a little, we did it!

Domain names are registered automatically: just enter the IPv6 address of the server on which the service is running. The robot checks whether this address really belongs to the person trying to register the domain name.

If the check succeeds, the domain name is added to the domain name database within 24 hours. If the server stops responding to the robot and remains unavailable for more than 72 hours, the domain name is released.

[Screenshot: an attempt to register a domain name for ::1 fails]

A copy of the full list of registered domain names is kept in the repository on GitHub. This gives maximum transparency about the current state of domain names and rules out their being blocked arbitrarily through human intervention; what if the DNS operator suddenly dislikes something?

What about issuing SSL certificates for web services?

Creating a domain name server was also driven by the need to deploy a public key infrastructure: issuing a certificate requires a CN (Common Name) field, which holds the domain name for which the certificate is issued (modern browsers check the subjectAltName extension rather than the CN, so the certificate should carry the name there as well).

Certificates signed by the certification authority are issued automatically: the robot checks the correctness and authenticity of the data the user entered. If the check succeeds, the signed certificate is sent to the end user by email.
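The following is an added example, not Medium's own code or CA, that walks through the chain described in the HTTPS section and in the certificate issuance section above: a root CA signs an intermediate, a service operator generates a key pair and hands over only a CSR, the intermediate signs a certificate for the registered name, and a client that trusts only the root verifies the result. All names are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
# Added example (not Medium's own code): a two-tier PKI of the kind the
# article describes. All names are hypothetical.
set -e
W=$(mktemp -d)                 # scratch directory for keys and certificates
EXT=$W/ext.cnf                 # extension file passed to each signing step
gen_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# Root CA: self-signed; the CA operators would keep this key offline.
make_root() {
  gen_key "$W/root.key"
  openssl req -new -key "$W/root.key" -subj "/CN=Example Root CA" -out "$W/root.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT"
  openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 30 \
    -extfile "$EXT" -out "$W/root.crt"
}

# Intermediate CA: signed by the root; it does the day-to-day signing.
make_intermediate() {
  gen_key "$W/int.key"
  openssl req -new -key "$W/int.key" -subj "/CN=Example DV Server CA" -out "$W/int.csr"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT"
  openssl x509 -req -in "$W/int.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
    -CAcreateserial -days 30 -extfile "$EXT" -out "$W/int.crt"
}

# Service operator: the private key stays in $W/operator; only the CSR,
# which carries the public key and the requested name, goes to the CA.
make_csr() {
  mkdir -p "$W/operator"
  gen_key "$W/operator/server.key"
  openssl req -new -key "$W/operator/server.key" -subj "/CN=$1" -out "$W/server.csr"
}

# CA robot: signs the CSR for the registered name; it never sees the private key.
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$EXT"
  openssl x509 -req -in "$W/server.csr" -CA "$W/int.crt" -CAkey "$W/int.key" \
    -CAcreateserial -days 30 -extfile "$EXT" -out "$W/server.crt"
}

# Client: trusts only the root, checks the chain and the hostname (SAN).
verify_chain() {
  openssl verify -CAfile "$W/root.crt" -untrusted "$W/int.crt" \
    -verify_hostname "$1" "$W/server.crt" >/dev/null 2>&1
}

# The CSR's public key matches the operator's key pair; no private key is inside it.
csr_pubkey_matches_key() {
  [ "$(openssl req -in "$W/server.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$W/operator/server.key" -pubout)" ]
}
```

Run the functions in order (make_root, make_intermediate, make_csr, sign_csr) and then verify_chain with the registered name; the CA side of the scratch directory never contains server.key.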


How to configure the environment to use the resources of the Medium network?

The details of setting up a working environment depend on the operating system you are using.

Choose wisely (the original article links to a setup guide for each operating system).

Free Internet in Russia starts with you

You can contribute to building a free Internet in Russia today. We have compiled an exhaustive list of exactly how you can help the network:

Tell your friends and colleagues about the Medium network
Share a link to this article on social networks or on a personal blog
Take part in discussing the technical issues of the Medium network on GitHub
Create your own web service on the Yggdrasil network and add it to Medium DNS
Set up your own Medium access point

Read also:

Honey, we kill the Internet
Decentralized Internet Service Provider Medium - Three Months Later
Medium is the first decentralized Internet service provider in Russia

We are on Telegram: @medium_isp

Source: https://habr.com/ru/post/463363/
