Fixing Flaws in the Original Design of the Internet: Trust-to-Trust Principle

Internet pioneer David Clark recently gave a lecture at Princeton and talked about how they didn’t have a good model for security in the design of the Internet and how we can take a systems/architecture approach to security.

Slide from David Clark’s lecture about history of Internet design (source)

My three main takeaways from the lecture were:

  1. The Chief Protocol Architect of the Internet (1981–1989) believes that security is the biggest problem with the Internet today.
  2. From the time you start your computer to the time you view a website, there are more than 10 parties/companies that you need to trust.
  3. The original end-to-end principle that guided Internet design for the past decades needs to evolve and explicitly incorporate trust.

David Clark and Marjory Blumentha laid out this evolution of the end-to-end principle in a 2011 article:

Excerpt from “The End-to-End Argument and Application Design: The Role of Trust”

According to the trust-to-trust principle, a new Internet design should:

  1. Give the end user explicit control over trust decisions, and
  2. Move trust from the core of the network to the edges.

This movement of trust from the core of the network to the edges is also called decentralization and marks a shift in how the Internet is evolving.

How the Internet Works Today:

Steps for connecting to facebook.com

When you type facebook.com in your browser, your browser (a) talks to the Domain Name System (DNS) to get the IP address of facebook.com, (b) confirms that you’re connecting to the correct Facebook using Public-key Infrastructure (PKI), and (c) loads the website from Facebook’s datacenter.

Simplified Internet Architecture (end-to-end)

DNS and PKI are part of core Internet infrastructure. End-users need to trust the DNS server they are talking to along with trusting the certificates served by PKI. These two archaic systems introduce central points of trust and failure in the Internet and have caused security issues e.g., in the case of fraudulent certificates for Google issued by the Turkish government.

How the Internet Should Work:

Alternate Internet Architecture (trust-to-trust)

A logical next step towards a new, more secure Internet is to remove any central points of trust from the core of the Internet. Following the trust-to-trust principle, DNS and PKI functionality for end-hosts should exist near the edges of the network and not in the core. In the figure above, DNS and PKI functionality is provided in local area networks trusted by end-hosts.

Pushing Trust to the Edges:

The trust-to-trust principle sounds great in theory, but can there be a real-world implementation for it? The answer is yes.

Let’s imagine a server that provides DNS and PKI functionality and runs in a (local) network you trust. This server needs two things:

  1. Decentralized Consensus: Ability to reach consensus with the rest of the network about the global state of the DNS and PKI system.
  2. Tamper Proofing: Mechanism to ensure that data records in the DNS and PKI system cannot be easily tampered with.

Blockchains are great at providing both these properties; nodes can independently reach consensus and tampering with data records requires an enormous amount of compute power. It’s not surprising that blockchains have been used to implement decentralized DNS and PKI systems e.g., Namecoin and, more recently, our work on Blockstack.

How Blockstack Works:

Blockstack implements a decentralized DNS and PKI system as a separate layer on top of the Bitcoin blockchain. You can install it by:

$ sudo pip install blockstack

By default the CLI talks to a remote server:

Output of the info command

You can start a local blockstack server and start using it:

$ blockstack-server --start --foreground

$ blockstack config --server=localhost

You can perform lookups to resolve names to data records:

Output of the lookup command

Checkout Blockstack tutorials and the academic paper for more details. Blockstack is one of the first implementations of an Internet model that follows David Clark’s trust-to-trust principle. We should’ve never trusted the Internet core to begin with, but it’s not too late to correct that mistake.


Comments? Tweet them @muneeb