Well, as I understood IPNS is a bit limited; it only has one resource and there is only one authority that can change content, the node in this case.

It does protect against DDOS, since old content remains visible and online but if the private key is leaked or the node is malicious, it has exactly 0 protection.

Even worse, if the private key is stolen, you can't do much about it unless you have DNS setup... which brings you back to centralized.

IPNS is bug Proof of Concept that mutable content is possible in IPFS, there is long running goal of InterPlanetary Record System that would include much more complex validity schemes including revokeation.

s/bug/big/ in my previous comment

Well, technically that's already possible by putting some form of index under the IPNS name. There is no real standard tho.

I'm curious what the impact will be of the upcoming improvements to easily support multiple IPNS entries on a single node, along with navigating the Ethereum blockchain, which I'm guessing will make more complex authority schemes easier?

Probably not but it should make them more robust.

On Ethereum you can model complex PKI which IPFS nodes can utilize to validate IPNS data.

IPNS data should be signed by external keys you can revoke and manage. Or ideally even encrypted.

If the key is leaked, it means someone can alter what the name points to, but all previous versions would still be available as far as I understand it.

No content is changed, only the pointer to the "newest" data.

That is true but most external or IPFS-external sites will probably want to point at the IPNS link, bookmarks are gonna point at the IPNS link, etc.

In the same way you could still use the old IP + header manipulation if someone took over a Domain in DNS, it's possible and you can use the old site but in reality you're gonna have lots of people on the malicious attacker's site.

I think that's an important distinction though, and it doesn't mesh with what I thought you meant by

> since old content remains visible and online but if the private key is leaked or the node is malicious, it has exactly 0 protection

The old content remains visible and online if the private key is leaked, afaik.

I think there was some discussion about having there be a chain, so each updated entry would point back to the previous one. I'm not sure where that is (and if it is) on the roadmap now, but that would also allow users to go back to a known good version. This mitigates some, though not all, problems.

>The old content remains visible and online if the private key is leaked, afaik.

The problem is that content that is not access becomes garbage collected and that links and listings will most likely not point towards the hash itself and instead at the IPNS entry.

It doesn't have much more protection than a DNS entry if the private key is stolen; you could use the last known IP but it's not very practical and might eventually become dead if the IP changes.

In the same way, the old content may remain online after an attacker takes over and people could continue using it but it only remains online if people are using it. If the attack remains unknown for long enough there is no previous version IIRC.

>I think there was some discussion about having there be a chain

Still same problem, if the private key gets leaked, a malicious attacker can manipulate the entries on the chain.

The real solution is something like Swarm or Filecoin where Users can actually encourage keeping old versions around, something IPFS lacks atm. Theoretically any IPFS link can become dead once it's no longer used, which is a problem.

Merely putting the entries on chain solves little, you need to actually encourage archiving of data to get resilient against attacks.

Even then, you would also need some sort of PKI, where someone can set a master key which authorizes other nodes to manipulate content and can also revoke that. This allows to easily fight off attacks based on leaked private keys.

However, the PKI should remain largely private, not much different to Bitcoin Cold and Hot Wallets.

I'm not sure what attack you're talking about then. If someone steals my key and points my IPNS location to a new file, I'd likely still be hosting the files right?

> you need to actually encourage archiving of data to get resilient against attacks.

Yes, but this feels like a distinct issue. Neither of these things are enough on their own (encouraging mirrors or providing the tech to distribute the hosting).

>I'd likely still be hosting the files right?

Yes but the entire web points to the wrong files since you no longer own the IPNS location.

It's similar to loosing access to your DNS configuration or loosing your GPG keys to an attacker.

> Yes but the entire web points to the wrong files since you no longer own the IPNS location.

Along with a link to all previous versions if there's a chain. And anyone pointing to a specific version will still see that rather than the new one.

> It's similar to loosing access to your DNS configuration

Yes.

> or loosing your GPG keys to an attacker.

I think that's a bit strong.

> >I think there was some discussion about having there be a chain

> Still same problem, if the private key gets leaked, a malicious attacker can manipulate the entries on the chain.

I'm really not sure that's right, IPNS doesn't give you the ability to edit content.

>And anyone pointing to a specific version will still see that rather than the new one.

That's an IPFS Hash tho, not IPNS. Differences matter.

>I think that's a bit strong.

Over time your IPNS could very well become your identity, linked everywhere in the net.

>IPNS doesn't give you the ability to edit content.

That is correct, but you can point at arbitrary content.

It's basically the equivalent to controlling the DNS A entry to a website, they can't modify the content and it's available under the same IP but they can still do a shitload of bad stuff because few people bother to actually link IP addresses.