1 00:00:01,280 --> 00:00:12,559 [Music] 2 00:00:15,200 --> 00:00:17,600 hello everyone as you can clearly see on 3 00:00:17,600 --> 00:00:18,880 the screen 4 00:00:18,880 --> 00:00:21,520 um the title of the talk is trusted cdns 5 00:00:21,520 --> 00:00:22,960 without gatekeepers so i'll be talking 6 00:00:22,960 --> 00:00:25,359 about web3 blockchain no i'm not no 7 00:00:25,359 --> 00:00:27,039 there's not going to be any any mention 8 00:00:27,039 --> 00:00:28,160 of blockchain 9 00:00:28,160 --> 00:00:29,279 um 10 00:00:29,279 --> 00:00:31,519 so uh trusted cdns without the 11 00:00:31,519 --> 00:00:34,399 gatekeepers uh who am i uh my name is 12 00:00:34,399 --> 00:00:36,320 mihao rishikovojniak 13 00:00:36,320 --> 00:00:37,440 um 14 00:00:37,440 --> 00:00:39,840 over the years i've i've been on all the 15 00:00:39,840 --> 00:00:41,680 different sides of of tech and internet 16 00:00:41,680 --> 00:00:43,760 i've been an activist i've been on the 17 00:00:43,760 --> 00:00:46,480 policy side somewhat i've been 18 00:00:46,480 --> 00:00:48,160 i handled tech support and information 19 00:00:48,160 --> 00:00:51,199 security for uh journalists and others 20 00:00:51,199 --> 00:00:52,960 at risk individuals 21 00:00:52,960 --> 00:00:55,120 and i managed infrastructure and now i'm 22 00:00:55,120 --> 00:00:57,280 doubling a little bit in in journalism 23 00:00:57,280 --> 00:00:59,199 in tech journalism myself 24 00:00:59,199 --> 00:01:03,120 but for the for the specific um 25 00:01:03,120 --> 00:01:05,680 uh for this specific talk what is what 26 00:01:05,680 --> 00:01:07,280 is probably most important is that i 27 00:01:07,280 --> 00:01:09,840 i've been a uh 28 00:01:09,840 --> 00:01:11,280 chief information security officer and 29 00:01:11,280 --> 00:01:13,200 head of infrastructure at occrp anybody 30 00:01:13,200 --> 00:01:15,360 remembers occrp 31 00:01:15,360 --> 00:01:18,560 um the panama papers says more yeah 32 00:01:18,560 --> 00:01:21,840 there we go that's yeah yeah so 33 00:01:21,840 --> 00:01:24,320 not surprisingly websites hosted by 34 00:01:24,320 --> 00:01:27,040 occrp tended to have very little traffic 35 00:01:27,040 --> 00:01:29,119 and then suddenly very very very much 36 00:01:29,119 --> 00:01:30,079 traffic 37 00:01:30,079 --> 00:01:32,079 uh so that was an interesting uh 38 00:01:32,079 --> 00:01:34,079 interesting thing that got me thinking 39 00:01:34,079 --> 00:01:37,200 about um how how can we make websites 40 00:01:37,200 --> 00:01:39,439 resilient how can we make websites you 41 00:01:39,439 --> 00:01:41,520 know stay up and running 42 00:01:41,520 --> 00:01:44,240 without relying on things like you know 43 00:01:44,240 --> 00:01:48,640 cloudflare uh because cloudflare um 44 00:01:48,640 --> 00:01:50,640 so um 45 00:01:50,640 --> 00:01:52,720 i've given a talk two years ago at hope 46 00:01:52,720 --> 00:01:55,200 2020 called censorship is no longer 47 00:01:55,200 --> 00:01:58,240 interpreted as damage and what i said in 48 00:01:58,240 --> 00:02:00,479 this talk uh are you looking at the 49 00:02:00,479 --> 00:02:02,640 screens is it is it visible okay so 50 00:02:02,640 --> 00:02:04,079 because there's going to be information 51 00:02:04,079 --> 00:02:05,920 on the on the slides but i will be also 52 00:02:05,920 --> 00:02:08,560 trying to say it all out loud so in that 53 00:02:08,560 --> 00:02:11,280 talk i covered 54 00:02:11,280 --> 00:02:13,440 the first part let's let's say of of 55 00:02:13,440 --> 00:02:16,080 making websites resilient and 56 00:02:16,080 --> 00:02:17,200 or my 57 00:02:17,200 --> 00:02:19,120 my idea of making websites resilient and 58 00:02:19,120 --> 00:02:21,440 that was a 59 00:02:21,440 --> 00:02:23,840 focused on sane website setup uh right 60 00:02:23,840 --> 00:02:25,680 don't have a wordpress with 50 plugins 61 00:02:25,680 --> 00:02:27,440 because that will make you cry and this 62 00:02:27,440 --> 00:02:29,280 will make your server cry and this will 63 00:02:29,280 --> 00:02:31,200 make your visitors cry 64 00:02:31,200 --> 00:02:33,200 caching and micro caching static site 65 00:02:33,200 --> 00:02:34,720 generators 66 00:02:34,720 --> 00:02:36,480 and coping with downtime when when that 67 00:02:36,480 --> 00:02:38,640 happens so i would implore you to watch 68 00:02:38,640 --> 00:02:41,200 that talk at some point but it's not 69 00:02:41,200 --> 00:02:42,879 necessary to 70 00:02:42,879 --> 00:02:44,959 have what have watched that talk to to 71 00:02:44,959 --> 00:02:46,480 be able to uh 72 00:02:46,480 --> 00:02:49,440 follow this talk uh but it's it it might 73 00:02:49,440 --> 00:02:51,920 be useful uh on its um 74 00:02:51,920 --> 00:02:54,319 on its own some of the things i will 75 00:02:54,319 --> 00:02:56,319 repeat a little bit uh from that talk 76 00:02:56,319 --> 00:02:58,560 here because they are relevant so 77 00:02:58,560 --> 00:03:01,200 anybody here runs a website that every 78 00:03:01,200 --> 00:03:03,200 now and then gets a bit of traffic that 79 00:03:03,200 --> 00:03:04,520 makes the server go like 80 00:03:04,520 --> 00:03:06,959 [Music] 81 00:03:06,959 --> 00:03:07,840 okay 82 00:03:07,840 --> 00:03:10,720 so uh my takeaway from from doing this 83 00:03:10,720 --> 00:03:13,040 and and and having dealt with downtime 84 00:03:13,040 --> 00:03:15,440 and all of that is that whatever it is 85 00:03:15,440 --> 00:03:18,560 it is almost certainly not a ddos you 86 00:03:18,560 --> 00:03:20,159 are almost certainly not dealing with 87 00:03:20,159 --> 00:03:21,760 the ddos your website is down not 88 00:03:21,760 --> 00:03:24,080 because of a ddos it is almost certainly 89 00:03:24,080 --> 00:03:25,680 down because it's probably just organic 90 00:03:25,680 --> 00:03:27,440 traffic that is hitting your uh your 91 00:03:27,440 --> 00:03:29,760 dynamic cms 92 00:03:29,760 --> 00:03:32,480 is the term dynamic cms 93 00:03:32,480 --> 00:03:35,120 understandable i assume it is right so 94 00:03:35,120 --> 00:03:37,440 it's things like wordpress right 95 00:03:37,440 --> 00:03:39,599 data is in the in the database somewhere 96 00:03:39,599 --> 00:03:41,120 then there's a bunch of code and for 97 00:03:41,120 --> 00:03:44,000 every request roughly uh you get the 98 00:03:44,000 --> 00:03:45,599 data gets pulled from the database you 99 00:03:45,599 --> 00:03:48,000 know html gets rendered pushed to the 100 00:03:48,000 --> 00:03:50,239 user right that's a lot of work 101 00:03:50,239 --> 00:03:51,440 um 102 00:03:51,440 --> 00:03:53,680 and and this means that there's uh you 103 00:03:53,680 --> 00:03:56,159 would be amazed how few uh requests per 104 00:03:56,159 --> 00:03:57,760 second the standard wordpress site can 105 00:03:57,760 --> 00:03:59,680 handle right unless you you're doing 106 00:03:59,680 --> 00:04:02,000 some fancy stuff like micro caching but 107 00:04:02,000 --> 00:04:04,239 then of course there are the plugins uh 108 00:04:04,239 --> 00:04:06,000 for cmss and i'm focusing on wordpress 109 00:04:06,000 --> 00:04:07,519 because it's the most popular one and 110 00:04:07,519 --> 00:04:09,599 and also it gave me the most grief 111 00:04:09,599 --> 00:04:13,040 uh but things like over 90 90 wordpress 112 00:04:13,040 --> 00:04:15,280 themes plugins backdoored in supply 113 00:04:15,280 --> 00:04:16,959 chain attack right 114 00:04:16,959 --> 00:04:18,478 uh yes that's that's what happens 115 00:04:18,478 --> 00:04:20,160 because you have a plugin that somebody 116 00:04:20,160 --> 00:04:22,960 wrote five years ago and then stopped 117 00:04:22,960 --> 00:04:24,800 you know updating 118 00:04:24,800 --> 00:04:27,680 uh and there's a bug or somebody sold 119 00:04:27,680 --> 00:04:28,960 the plugin 120 00:04:28,960 --> 00:04:31,360 to some other company that said hey 121 00:04:31,360 --> 00:04:32,720 we're going to buy and support your 122 00:04:32,720 --> 00:04:34,639 plugin here's some money thank you and 123 00:04:34,639 --> 00:04:35,840 now they have supply chain attack 124 00:04:35,840 --> 00:04:37,759 against any website using its plugin 125 00:04:37,759 --> 00:04:39,280 great right 126 00:04:39,280 --> 00:04:41,040 but thankfully you would not believe 127 00:04:41,040 --> 00:04:43,919 there are plugins for fixing compromised 128 00:04:43,919 --> 00:04:46,560 wordpress websites 129 00:04:46,560 --> 00:04:48,000 don't 130 00:04:48,000 --> 00:04:50,240 this is not the solution right uh just 131 00:04:50,240 --> 00:04:53,199 make regular tested backups 132 00:04:53,199 --> 00:04:55,520 another way of dealing with uh with uh 133 00:04:55,520 --> 00:04:58,320 let's say uh website downtime mainly 134 00:04:58,320 --> 00:04:59,919 when it's related to censorship right 135 00:04:59,919 --> 00:05:02,080 mainly when there are some bad people on 136 00:05:02,080 --> 00:05:03,680 the internet somewhere that decide you 137 00:05:03,680 --> 00:05:05,120 know what people should not see your 138 00:05:05,120 --> 00:05:06,560 website we don't like we don't like your 139 00:05:06,560 --> 00:05:07,759 website and nobody should like your 140 00:05:07,759 --> 00:05:08,960 website nobody 141 00:05:08,960 --> 00:05:10,639 should see your website 142 00:05:10,639 --> 00:05:13,600 is you know tor i2p these kinds of these 143 00:05:13,600 --> 00:05:15,840 kinds of tools that give people like us 144 00:05:15,840 --> 00:05:17,680 access to websites that other people 145 00:05:17,680 --> 00:05:20,000 don't want us to have access to right 146 00:05:20,000 --> 00:05:21,600 the problem with these tools these are 147 00:05:21,600 --> 00:05:23,600 amazing tools and i love them fondly and 148 00:05:23,600 --> 00:05:25,360 i use them all the time the problem with 149 00:05:25,360 --> 00:05:27,039 them from the perspective of a person 150 00:05:27,039 --> 00:05:29,600 running a popular ish news website is 151 00:05:29,600 --> 00:05:30,479 that 152 00:05:30,479 --> 00:05:31,360 it is 153 00:05:31,360 --> 00:05:32,240 uh 154 00:05:32,240 --> 00:05:33,680 unreasonable to expect that the 155 00:05:33,680 --> 00:05:35,120 population of a whole country switches 156 00:05:35,120 --> 00:05:37,360 to tor browser just to keep seeing your 157 00:05:37,360 --> 00:05:39,120 website that's not going to happen 158 00:05:39,120 --> 00:05:40,560 there's going to be a you know a bunch 159 00:05:40,560 --> 00:05:42,639 of people who will who will do this and 160 00:05:42,639 --> 00:05:45,360 i strongly strongly implore you to have 161 00:05:45,360 --> 00:05:46,800 a you know 162 00:05:46,800 --> 00:05:48,639 onion hidden service for your for your 163 00:05:48,639 --> 00:05:50,400 website that's always a good idea just 164 00:05:50,400 --> 00:05:52,080 just do it it's really not that much 165 00:05:52,080 --> 00:05:53,440 work 166 00:05:53,440 --> 00:05:54,560 but 167 00:05:54,560 --> 00:05:56,400 but 168 00:05:56,400 --> 00:05:57,600 making sure that your website is 169 00:05:57,600 --> 00:05:59,039 available in places where it might be 170 00:05:59,039 --> 00:06:01,759 censored is not a tor shaped problem tor 171 00:06:01,759 --> 00:06:03,600 shape's problem is i want to have access 172 00:06:03,600 --> 00:06:05,759 to a website that is censored it's not 173 00:06:05,759 --> 00:06:07,520 i want my website to be accessible to 174 00:06:07,520 --> 00:06:09,680 everyone uh for whom it is censored 175 00:06:09,680 --> 00:06:11,759 right it's just the other side of the 176 00:06:11,759 --> 00:06:14,000 coin 177 00:06:14,479 --> 00:06:16,800 so yeah like website visitors or your 178 00:06:16,800 --> 00:06:18,720 website visitors will not switch to 179 00:06:18,720 --> 00:06:21,600 those tools uh on mass and the same goes 180 00:06:21,600 --> 00:06:23,600 for brave same goes for the changing dns 181 00:06:23,600 --> 00:06:24,880 settings all of this we've seen 182 00:06:24,880 --> 00:06:26,160 situations where 183 00:06:26,160 --> 00:06:28,000 changing dns settings did happen and 184 00:06:28,000 --> 00:06:29,919 mass right but that is not something you 185 00:06:29,919 --> 00:06:31,680 can really expect and rely on if you're 186 00:06:31,680 --> 00:06:33,919 running a website uh that you want to 187 00:06:33,919 --> 00:06:36,000 stay up uh in places like i don't know 188 00:06:36,000 --> 00:06:38,560 azerbaijan right 189 00:06:38,560 --> 00:06:39,919 so 190 00:06:39,919 --> 00:06:42,240 then you know the the standard response 191 00:06:42,240 --> 00:06:44,319 is well you can always use cloudflare 192 00:06:44,319 --> 00:06:47,280 right cloudflare is great 193 00:06:47,280 --> 00:06:51,199 and uh apparently about like 19 19 of 194 00:06:51,199 --> 00:06:53,280 all websites think that this is a good 195 00:06:53,280 --> 00:06:54,319 solution 196 00:06:54,319 --> 00:06:56,960 and just by the by the virtue of that 197 00:06:56,960 --> 00:06:59,039 number that tells me that this is not a 198 00:06:59,039 --> 00:07:01,360 good solution right like centralizing 199 00:07:01,360 --> 00:07:05,039 things giving 20 almost 20 200 00:07:05,039 --> 00:07:07,919 of all websites to be controlled and man 201 00:07:07,919 --> 00:07:10,240 in the middle by a single company 202 00:07:10,240 --> 00:07:12,000 yeah i i don't think i don't think 203 00:07:12,000 --> 00:07:14,080 that's a great solution i'm i'm sure 204 00:07:14,080 --> 00:07:16,479 that cloudflare service is is great but 205 00:07:16,479 --> 00:07:18,160 it's it's just it does it strikes me as 206 00:07:18,160 --> 00:07:19,759 a little bit um 207 00:07:19,759 --> 00:07:22,639 uh odd especially that those those 208 00:07:22,639 --> 00:07:24,400 companies will drop your site like a hot 209 00:07:24,400 --> 00:07:26,479 potato if it's just unconvenient for 210 00:07:26,479 --> 00:07:29,919 them to continue hosting your site 211 00:07:29,919 --> 00:07:32,639 and as as the ceo of cloudflare said 212 00:07:32,639 --> 00:07:34,720 right after they took down daily stormer 213 00:07:34,720 --> 00:07:35,759 um 214 00:07:35,759 --> 00:07:37,680 a small number of companies will largely 215 00:07:37,680 --> 00:07:39,680 determine what can and cannot be online 216 00:07:39,680 --> 00:07:42,720 and as much as as i am the on the polar 217 00:07:42,720 --> 00:07:44,720 opposite of political spectrum as from 218 00:07:44,720 --> 00:07:49,039 the daily stormer uh i also find this 219 00:07:49,039 --> 00:07:51,599 disturbing right this is too much power 220 00:07:51,599 --> 00:07:54,160 for a private company to be able to say 221 00:07:54,160 --> 00:07:55,919 we have you know almost 20 222 00:07:55,919 --> 00:07:58,400 websites of like all of the whole 223 00:07:58,400 --> 00:08:00,560 internet uh we can just decide which 224 00:08:00,560 --> 00:08:02,560 ones stay up and which would go down 225 00:08:02,560 --> 00:08:04,080 that's great right 226 00:08:04,080 --> 00:08:05,360 um 227 00:08:05,360 --> 00:08:06,800 so uh 228 00:08:06,800 --> 00:08:08,960 we will have a talk uh hands up who will 229 00:08:08,960 --> 00:08:11,280 have a talk with me boom these guys uh 230 00:08:11,280 --> 00:08:15,039 in two hours at 4 p.m in envelope 231 00:08:15,039 --> 00:08:16,960 not talk sorry workshop on making sense 232 00:08:16,960 --> 00:08:18,639 of social media freedom speech freedom 233 00:08:18,639 --> 00:08:20,319 of speech and fascists 234 00:08:20,319 --> 00:08:22,000 and i do have opinions on the daily 235 00:08:22,000 --> 00:08:24,160 stormer situation but this talk is not 236 00:08:24,160 --> 00:08:25,599 about that the workshop will be more 237 00:08:25,599 --> 00:08:27,280 about that so if if you want to have 238 00:08:27,280 --> 00:08:29,199 this conversation let's have it there 239 00:08:29,199 --> 00:08:30,960 um 240 00:08:30,960 --> 00:08:33,760 today yeah 4 pm envelope 241 00:08:33,760 --> 00:08:38,479 and so but the problem with centralizing 242 00:08:38,479 --> 00:08:40,640 putting all of our eggs in in those few 243 00:08:40,640 --> 00:08:43,039 few baskets like amazon aws 244 00:08:43,039 --> 00:08:44,000 uh 245 00:08:44,000 --> 00:08:46,320 cloudflare fastly akamai these guys 246 00:08:46,320 --> 00:08:48,320 right it's not just that that the 247 00:08:48,320 --> 00:08:50,399 decision that they might make right it's 248 00:08:50,399 --> 00:08:51,680 not just like oh we don't like this 249 00:08:51,680 --> 00:08:53,120 website we're gonna take you down 250 00:08:53,120 --> 00:08:54,480 because they're too big an operation to 251 00:08:54,480 --> 00:08:56,480 really care about most of those websites 252 00:08:56,480 --> 00:08:57,680 uh but 253 00:08:57,680 --> 00:08:59,200 the bigger the bigger problem is also 254 00:08:59,200 --> 00:09:02,000 that all of those companies um 255 00:09:02,000 --> 00:09:04,880 tend to go down on a regular basis 256 00:09:04,880 --> 00:09:08,160 have you noticed this like so uh fastly 257 00:09:08,160 --> 00:09:12,480 outage june 22nd to 2021 akamai a major 258 00:09:12,480 --> 00:09:15,839 outage due to dns bugs uh it's never it 259 00:09:15,839 --> 00:09:18,959 cannot be dns it's never dns it was dns 260 00:09:18,959 --> 00:09:21,680 uh july 23rd last year 261 00:09:21,680 --> 00:09:24,560 then amazon web services uh third outage 262 00:09:24,560 --> 00:09:27,200 in a month december 22nd last year and 263 00:09:27,200 --> 00:09:29,920 cloudflare outage june 21st 264 00:09:29,920 --> 00:09:32,560 today right if you have if you happen to 265 00:09:32,560 --> 00:09:34,240 use all four of them 266 00:09:34,240 --> 00:09:36,399 right and i have seen websites that use 267 00:09:36,399 --> 00:09:38,640 all four of them for some inexplicable 268 00:09:38,640 --> 00:09:40,959 reason because it's just easier to you 269 00:09:40,959 --> 00:09:43,600 know uh hotlink a a piece of javascript 270 00:09:43,600 --> 00:09:45,519 from fastly and you know you have some 271 00:09:45,519 --> 00:09:47,120 of your content on akamai and then you 272 00:09:47,120 --> 00:09:48,560 have some your website is behind 273 00:09:48,560 --> 00:09:50,399 cloudflare and then there's something on 274 00:09:50,399 --> 00:09:52,160 cloudfront because somebody put it there 275 00:09:52,160 --> 00:09:53,680 what are you what you're gonna do right 276 00:09:53,680 --> 00:09:55,680 now you have all of those four companies 277 00:09:55,680 --> 00:09:57,279 all of their infrastructure has to stay 278 00:09:57,279 --> 00:10:00,080 up for your website to stay up and over 279 00:10:00,080 --> 00:10:01,279 the last year 280 00:10:01,279 --> 00:10:03,200 more than four times they went down 281 00:10:03,200 --> 00:10:05,040 right so now you quadrupled your chance 282 00:10:05,040 --> 00:10:07,519 that your website will be down and 283 00:10:07,519 --> 00:10:09,600 um 284 00:10:09,600 --> 00:10:10,959 yeah 285 00:10:10,959 --> 00:10:12,399 and there's nothing really you can do 286 00:10:12,399 --> 00:10:14,720 once once once it down like an outage 287 00:10:14,720 --> 00:10:16,480 like this hits right because you don't 288 00:10:16,480 --> 00:10:17,680 know how long it will be you don't know 289 00:10:17,680 --> 00:10:20,320 how much energy you can 290 00:10:20,320 --> 00:10:22,240 uh invest into this and because maybe 291 00:10:22,240 --> 00:10:23,760 that will be up in five minutes or you 292 00:10:23,760 --> 00:10:25,839 know three hours or it's a facebook 293 00:10:25,839 --> 00:10:27,680 shaped uh 294 00:10:27,680 --> 00:10:29,519 screw-up and you know 295 00:10:29,519 --> 00:10:31,519 how long is the eight hours of global 296 00:10:31,519 --> 00:10:34,160 outage that was fascinating 297 00:10:34,160 --> 00:10:35,120 anyway 298 00:10:35,120 --> 00:10:39,200 the point is people make mistakes 299 00:10:39,519 --> 00:10:40,959 yes people make mistakes there should be 300 00:10:40,959 --> 00:10:42,320 okay there 301 00:10:42,320 --> 00:10:45,279 software has bugs and hardware fails and 302 00:10:45,279 --> 00:10:48,560 monocultures are not resilient right uh 303 00:10:48,560 --> 00:10:51,440 if you have if you have plenty of small 304 00:10:51,440 --> 00:10:54,640 companies that handle a small part of of 305 00:10:54,640 --> 00:10:57,040 the internet infrastructure then any 306 00:10:57,040 --> 00:10:58,560 single one of them going down is not 307 00:10:58,560 --> 00:11:00,800 that much of a deal right a person 308 00:11:00,800 --> 00:11:02,560 making a mistake at like a small 309 00:11:02,560 --> 00:11:04,800 provider somewhere yes some users will 310 00:11:04,800 --> 00:11:06,640 lose access to the internet or some 311 00:11:06,640 --> 00:11:09,040 websites will go down but it's not 20 of 312 00:11:09,040 --> 00:11:10,800 the internet going down because somebody 313 00:11:10,800 --> 00:11:12,240 made a mistake or some software had a 314 00:11:12,240 --> 00:11:14,640 bug right where you put all your eggs in 315 00:11:14,640 --> 00:11:16,720 in those few huge gigantic 316 00:11:16,720 --> 00:11:19,440 enormous galaxy sized baskets 317 00:11:19,440 --> 00:11:21,279 then a a 318 00:11:21,279 --> 00:11:24,320 proper proper bug proper correct 319 00:11:24,320 --> 00:11:26,480 correctly placed a mistake 320 00:11:26,480 --> 00:11:28,480 will take 20 of the internet down and 321 00:11:28,480 --> 00:11:31,360 that's kind of you know not really okay 322 00:11:31,360 --> 00:11:35,120 uh and then who here uses cloudflare 323 00:11:35,120 --> 00:11:38,880 yes so if something goes pear-shaped uh 324 00:11:38,880 --> 00:11:41,600 really pear-shaped uh switching from 325 00:11:41,600 --> 00:11:43,040 cloudflare to 326 00:11:43,040 --> 00:11:44,640 like to get your website off of 327 00:11:44,640 --> 00:11:46,959 cloudflare can take up to 48 hours right 328 00:11:46,959 --> 00:11:48,320 because you have to make you have to 329 00:11:48,320 --> 00:11:50,000 move the ns records you have to move the 330 00:11:50,000 --> 00:11:52,480 name servers somewhere else and ttl on 331 00:11:52,480 --> 00:11:54,480 those is usually 24 hours 332 00:11:54,480 --> 00:11:56,480 uh and then caching so 333 00:11:56,480 --> 00:11:57,760 now you have now you now you have to 334 00:11:57,760 --> 00:11:59,040 make a decision do you wait for 335 00:11:59,040 --> 00:12:01,600 cloudflare to go up or you wait 48 hours 336 00:12:01,600 --> 00:12:03,600 for your website to you know start uh 337 00:12:03,600 --> 00:12:05,360 start working again 338 00:12:05,360 --> 00:12:07,519 this is this is i find that problematic 339 00:12:07,519 --> 00:12:08,639 right 340 00:12:08,639 --> 00:12:10,560 on the other hand of course it would be 341 00:12:10,560 --> 00:12:12,160 quite unreasonable to expect that every 342 00:12:12,160 --> 00:12:13,839 news website or investigative journalism 343 00:12:13,839 --> 00:12:15,440 outlet or or you know human rights 344 00:12:15,440 --> 00:12:17,519 organization would roll 345 00:12:17,519 --> 00:12:20,000 out their own self-hosted infrastructure 346 00:12:20,000 --> 00:12:21,760 that would be the size of cloudflare so 347 00:12:21,760 --> 00:12:25,519 that it would uh it could uh ingest or 348 00:12:25,519 --> 00:12:27,600 handle huge spikes of traffic and 349 00:12:27,600 --> 00:12:29,279 gigantic ddoses and all that that's not 350 00:12:29,279 --> 00:12:30,959 going to happen right those 351 00:12:30,959 --> 00:12:32,720 organizations are sadly 352 00:12:32,720 --> 00:12:34,480 extremely underfunded they're running on 353 00:12:34,480 --> 00:12:35,760 shoestring 354 00:12:35,760 --> 00:12:38,240 budgets if there are any founders of 355 00:12:38,240 --> 00:12:40,480 founders here please by all means fund 356 00:12:40,480 --> 00:12:42,000 those organizations more especially 357 00:12:42,000 --> 00:12:43,680 their their tech departments they really 358 00:12:43,680 --> 00:12:46,320 really need this and funding tech uh 359 00:12:46,320 --> 00:12:47,360 like infrastructure in those 360 00:12:47,360 --> 00:12:48,800 organizations and information security 361 00:12:48,800 --> 00:12:50,639 in those organizations somehow is not 362 00:12:50,639 --> 00:12:52,560 considered sexy 363 00:12:52,560 --> 00:12:54,560 whatever that means 364 00:12:54,560 --> 00:12:57,200 please reconsider if if 365 00:12:57,200 --> 00:12:58,959 if you have the the power to fund those 366 00:12:58,959 --> 00:13:01,200 organizations a little bit better but 367 00:13:01,200 --> 00:13:04,720 yes infrastructure is expensive and 368 00:13:04,720 --> 00:13:07,279 no single organization will be able to 369 00:13:07,279 --> 00:13:09,279 you know deploy a large enough 370 00:13:09,279 --> 00:13:11,519 infrastructure to to be able to 371 00:13:11,519 --> 00:13:13,760 withstand huge spikes of traffic on 372 00:13:13,760 --> 00:13:15,600 their own this is just not not going to 373 00:13:15,600 --> 00:13:18,000 happen hence we have cloudflares and 374 00:13:18,000 --> 00:13:20,959 akamais of this world but maybe those 375 00:13:20,959 --> 00:13:22,800 costs could be shared maybe we could 376 00:13:22,800 --> 00:13:24,800 pool those resources right maybe we 377 00:13:24,800 --> 00:13:26,000 could have 378 00:13:26,000 --> 00:13:28,240 multiple organizations saying look we 379 00:13:28,240 --> 00:13:29,600 have an infrastructure usually our 380 00:13:29,600 --> 00:13:32,880 traffic is you know let's say 10 of our 381 00:13:32,880 --> 00:13:36,480 of our capacity right uh so we have 90 382 00:13:36,480 --> 00:13:39,040 margin in case our traffic goes up let's 383 00:13:39,040 --> 00:13:40,959 say we have 10 of those organizations 384 00:13:40,959 --> 00:13:43,199 pulling resources and saying 385 00:13:43,199 --> 00:13:45,360 so now we suddenly have access to the 386 00:13:45,360 --> 00:13:47,360 bandwidth of all of those organizations 387 00:13:47,360 --> 00:13:49,680 if hits the fan on our website we 388 00:13:49,680 --> 00:13:52,800 can rely on this bandwidth right 389 00:13:52,800 --> 00:13:55,839 so that's kind of that's kind of the 390 00:13:55,839 --> 00:13:58,720 idea that i have of trying to 391 00:13:58,720 --> 00:13:59,839 create a 392 00:13:59,839 --> 00:14:01,440 piece of software that would allow us to 393 00:14:01,440 --> 00:14:03,600 build a community cdn 394 00:14:03,600 --> 00:14:05,440 that multiple organizations could come 395 00:14:05,440 --> 00:14:07,279 together and say you know use we're 396 00:14:07,279 --> 00:14:09,120 using this software on our website and 397 00:14:09,120 --> 00:14:11,760 if if our website goes you know if our 398 00:14:11,760 --> 00:14:13,600 infrastructure goes down the website 399 00:14:13,600 --> 00:14:15,440 will continue to stay up 400 00:14:15,440 --> 00:14:17,600 thanks to the other organizations in our 401 00:14:17,600 --> 00:14:19,360 little cluster in our little community 402 00:14:19,360 --> 00:14:20,959 right and 403 00:14:20,959 --> 00:14:22,800 the way it would have to work 404 00:14:22,800 --> 00:14:24,320 is uh 405 00:14:24,320 --> 00:14:26,000 pooling the infrastructure and resources 406 00:14:26,000 --> 00:14:28,560 of multiple organizations 407 00:14:28,560 --> 00:14:31,760 and originally no new infrastructure uh 408 00:14:31,760 --> 00:14:34,240 uh investment should be necessary right 409 00:14:34,240 --> 00:14:35,440 because that's not gonna happen you're 410 00:14:35,440 --> 00:14:37,680 not gonna convince uh you know 10 ngos 411 00:14:37,680 --> 00:14:40,560 like hey how about you invest a lot into 412 00:14:40,560 --> 00:14:42,959 this shiny new thing to build this whole 413 00:14:42,959 --> 00:14:44,160 new infrastructure that's not going to 414 00:14:44,160 --> 00:14:45,760 happen right so this has to work on the 415 00:14:45,760 --> 00:14:47,279 infrastructure they all they already 416 00:14:47,279 --> 00:14:49,600 have if they're self-hosting right uh 417 00:14:49,600 --> 00:14:50,880 there's there has to be minimal 418 00:14:50,880 --> 00:14:53,519 organizational overhead no new entity or 419 00:14:53,519 --> 00:14:55,040 organization or anything like that that 420 00:14:55,040 --> 00:14:57,040 needs to be set up and saying okay we're 421 00:14:57,040 --> 00:14:59,279 gonna you know set up a new organization 422 00:14:59,279 --> 00:15:01,120 put all of our infrastructure budget in 423 00:15:01,120 --> 00:15:02,959 that organization and that will 424 00:15:02,959 --> 00:15:05,440 like uh handle the infrastructure needs 425 00:15:05,440 --> 00:15:06,720 for all of those organizations the 426 00:15:06,720 --> 00:15:08,399 cluster that's not gonna happen because 427 00:15:08,399 --> 00:15:10,079 that's too much organizational overhead 428 00:15:10,079 --> 00:15:12,240 right those organizations will not agree 429 00:15:12,240 --> 00:15:13,519 uh 430 00:15:13,519 --> 00:15:16,000 to to do this because it also gives away 431 00:15:16,000 --> 00:15:17,920 a little bit of power it also gives away 432 00:15:17,920 --> 00:15:19,519 a little bit of control and that's kind 433 00:15:19,519 --> 00:15:20,800 of like 434 00:15:20,800 --> 00:15:21,839 difficult 435 00:15:21,839 --> 00:15:23,120 uh 436 00:15:23,120 --> 00:15:24,880 this uh the thing that i'm thinking 437 00:15:24,880 --> 00:15:26,480 about and i will start describing it in 438 00:15:26,480 --> 00:15:27,600 a moment 439 00:15:27,600 --> 00:15:30,160 would kick in only when a site is down 440 00:15:30,160 --> 00:15:31,839 the reason why i think this is a good 441 00:15:31,839 --> 00:15:34,000 thing and not everyone might agree the 442 00:15:34,000 --> 00:15:35,360 reason why i think it's a good thing is 443 00:15:35,360 --> 00:15:36,880 because you can tell all those let's say 444 00:15:36,880 --> 00:15:39,199 10 organizations look we're building 445 00:15:39,199 --> 00:15:41,440 this cluster this magical community cdn 446 00:15:41,440 --> 00:15:44,720 cluster thing uh but until the websites 447 00:15:44,720 --> 00:15:47,120 are running fine you will not have any 448 00:15:47,120 --> 00:15:50,240 new bandwidth costs right no random band 449 00:15:50,240 --> 00:15:52,320 no no random requests will start hitting 450 00:15:52,320 --> 00:15:54,000 your infrastructure immediately it's 451 00:15:54,000 --> 00:15:55,440 only where something when something is 452 00:15:55,440 --> 00:15:57,040 actually happening 453 00:15:57,040 --> 00:15:58,800 with with website of one of those 454 00:15:58,800 --> 00:16:00,560 organizations where when when the 455 00:16:00,560 --> 00:16:01,839 bandwidth of other organizations is 456 00:16:01,839 --> 00:16:04,079 starting to be used right 457 00:16:04,079 --> 00:16:07,680 uh no tls private keys shared and no 458 00:16:07,680 --> 00:16:09,839 other kind of benevolent monster in the 459 00:16:09,839 --> 00:16:11,920 middle situation right if you're using 460 00:16:11,920 --> 00:16:14,320 cloudflare cloudflare sits like uh 461 00:16:14,320 --> 00:16:17,040 terminates your tls uh so it can 462 00:16:17,040 --> 00:16:18,480 technically see 463 00:16:18,480 --> 00:16:20,720 your traffic and and all of this this is 464 00:16:20,720 --> 00:16:22,639 not something that i would be okay with 465 00:16:22,639 --> 00:16:24,160 and and many organizations that i'm 466 00:16:24,160 --> 00:16:26,000 thinking about of like 467 00:16:26,000 --> 00:16:27,199 suggesting that they should use this 468 00:16:27,199 --> 00:16:29,120 kind of approach would also not be okay 469 00:16:29,120 --> 00:16:30,480 with um 470 00:16:30,480 --> 00:16:31,920 which is one of the reasons why some of 471 00:16:31,920 --> 00:16:33,519 those organizations are just not using 472 00:16:33,519 --> 00:16:36,000 cloudflare uh so i also want to avoid 473 00:16:36,000 --> 00:16:36,880 this 474 00:16:36,880 --> 00:16:38,639 monster in the middle situation 475 00:16:38,639 --> 00:16:40,720 uh and it absolutely has to be 476 00:16:40,720 --> 00:16:42,720 transparent for visitors in the sense of 477 00:16:42,720 --> 00:16:45,600 no no uh special software or a special 478 00:16:45,600 --> 00:16:47,519 setup needed on the part of visitors 479 00:16:47,519 --> 00:16:49,600 right a person who had been visiting 480 00:16:49,600 --> 00:16:52,000 your website should for them the website 481 00:16:52,000 --> 00:16:54,480 should just work even if it doesn't uh i 482 00:16:54,480 --> 00:16:56,240 know it sounds weird but trust me we're 483 00:16:56,240 --> 00:16:58,480 going to get there right 484 00:16:58,480 --> 00:17:00,639 and the reason why this is important is 485 00:17:00,639 --> 00:17:02,480 what i said before right 486 00:17:02,480 --> 00:17:03,920 millions of people in the country will 487 00:17:03,920 --> 00:17:05,439 not download the tor browser millions of 488 00:17:05,439 --> 00:17:06,720 people in the country will not download 489 00:17:06,720 --> 00:17:08,959 your special snowflake solution to 490 00:17:08,959 --> 00:17:10,400 whatever problem you're trying to to 491 00:17:10,400 --> 00:17:12,720 solve you have to like 492 00:17:12,720 --> 00:17:14,079 my my 493 00:17:14,079 --> 00:17:16,880 my aim is to try to figure out a way uh 494 00:17:16,880 --> 00:17:19,439 such that uh visitors don't have to do 495 00:17:19,439 --> 00:17:21,039 anything right website admins deploy 496 00:17:21,039 --> 00:17:22,799 this and visitors like okay yeah it 497 00:17:22,799 --> 00:17:24,480 works oh it works a little bit slower i 498 00:17:24,480 --> 00:17:25,679 wonder what's happening what's happening 499 00:17:25,679 --> 00:17:26,880 is your website is down and now it's 500 00:17:26,880 --> 00:17:28,400 pulling content from somewhere else but 501 00:17:28,400 --> 00:17:29,840 the visitor is like yeah okay that just 502 00:17:29,840 --> 00:17:32,400 works fine 503 00:17:32,400 --> 00:17:34,480 there are quite a few assumptions here 504 00:17:34,480 --> 00:17:36,400 uh so this will not work for certain 505 00:17:36,400 --> 00:17:38,240 situations one of the assumptions is 506 00:17:38,240 --> 00:17:39,600 that the visitors must be using modern 507 00:17:39,600 --> 00:17:41,679 mainstream browsers because 508 00:17:41,679 --> 00:17:44,320 i'm relying heavily on 509 00:17:44,320 --> 00:17:45,440 modern 510 00:17:45,440 --> 00:17:46,400 you know web 511 00:17:46,400 --> 00:17:48,480 apis and stuff i will explain in a 512 00:17:48,480 --> 00:17:50,559 moment and javascript has to be enabled 513 00:17:50,559 --> 00:17:53,280 so again not everyone uh not everyone 514 00:17:53,280 --> 00:17:55,039 will be happy right that's why i said 515 00:17:55,039 --> 00:17:56,720 run an onion 516 00:17:56,720 --> 00:17:59,039 onion hidden service for everyone who is 517 00:17:59,039 --> 00:18:01,039 not happy with this setup because they 518 00:18:01,039 --> 00:18:02,400 will probably have a tor browser already 519 00:18:02,400 --> 00:18:03,840 and they will be very happy to use it 520 00:18:03,840 --> 00:18:06,080 right 521 00:18:06,400 --> 00:18:08,640 as i do 522 00:18:08,640 --> 00:18:09,520 this 523 00:18:09,520 --> 00:18:10,960 the solution that i'll be talking about 524 00:18:10,960 --> 00:18:12,640 is not going to work for massively 525 00:18:12,640 --> 00:18:14,799 dynamic web applications think facebook 526 00:18:14,799 --> 00:18:17,840 or or twitter like twitter shaped things 527 00:18:17,840 --> 00:18:19,840 right where the content just flows 528 00:18:19,840 --> 00:18:22,320 constantly and and all of that right 529 00:18:22,320 --> 00:18:24,320 this is uh this is more i'm focusing 530 00:18:24,320 --> 00:18:25,280 more on 531 00:18:25,280 --> 00:18:28,080 somewhat static sites think news sites 532 00:18:28,080 --> 00:18:30,080 right where there's a 533 00:18:30,080 --> 00:18:31,760 bit of content published every now and 534 00:18:31,760 --> 00:18:32,960 then and every now and then of course 535 00:18:32,960 --> 00:18:35,520 can be uh can be quite frequently it can 536 00:18:35,520 --> 00:18:36,960 be you know many times a day or many 537 00:18:36,960 --> 00:18:40,960 times an hour but the the let's say 538 00:18:40,960 --> 00:18:44,400 the shape of content is kind of like 539 00:18:44,400 --> 00:18:46,240 uh it can be approximated by a static 540 00:18:46,240 --> 00:18:48,000 site right it can still be a dynamic 541 00:18:48,000 --> 00:18:49,679 site can still you know do dynamic 542 00:18:49,679 --> 00:18:52,320 things but you you should be able to 543 00:18:52,320 --> 00:18:53,280 cache 544 00:18:53,280 --> 00:18:55,280 a piece of content right as let's say 545 00:18:55,280 --> 00:18:57,520 html html file or statify the site 546 00:18:57,520 --> 00:18:59,440 somehow right 547 00:18:59,440 --> 00:19:00,559 so so 548 00:19:00,559 --> 00:19:02,799 yeah 549 00:19:02,960 --> 00:19:04,960 obviously this has to work with any any 550 00:19:04,960 --> 00:19:07,600 content type but currently huge files 551 00:19:07,600 --> 00:19:09,760 are tricky for reasons that might become 552 00:19:09,760 --> 00:19:11,120 obvious in a moment 553 00:19:11,120 --> 00:19:13,360 uh and video streaming is really not a 554 00:19:13,360 --> 00:19:15,360 thing with uh with with what i'm 555 00:19:15,360 --> 00:19:17,520 building uh because i have to somehow 556 00:19:17,520 --> 00:19:20,799 limit the the scope right there's 557 00:19:20,799 --> 00:19:22,320 trying to do everything at the same time 558 00:19:22,320 --> 00:19:23,760 is going to be 559 00:19:23,760 --> 00:19:25,840 difficult and finally and i promise this 560 00:19:25,840 --> 00:19:28,960 is the last slide about assumptions 561 00:19:28,960 --> 00:19:31,520 it is not meant for sensitive content 562 00:19:31,520 --> 00:19:34,240 this this this tool is meant for 563 00:19:34,240 --> 00:19:35,760 the point of this tool is keeping public 564 00:19:35,760 --> 00:19:38,160 content online it's not about you know 565 00:19:38,160 --> 00:19:39,600 distributing sensitive content if you 566 00:19:39,600 --> 00:19:41,919 need this kind of stuff again hidden 567 00:19:41,919 --> 00:19:43,760 onion services like authorized hidden 568 00:19:43,760 --> 00:19:45,679 onion services there's plenty of tools 569 00:19:45,679 --> 00:19:47,919 for for for that kind of thing and it's 570 00:19:47,919 --> 00:19:49,440 not meant for your 571 00:19:49,440 --> 00:19:51,600 for any after login area of the website 572 00:19:51,600 --> 00:19:53,280 so it's not meant to 573 00:19:53,280 --> 00:19:56,080 keep your admin interface running it is 574 00:19:56,080 --> 00:19:58,720 meant to keep your public site running 575 00:19:58,720 --> 00:20:01,120 if like solutions for keeping the admin 576 00:20:01,120 --> 00:20:02,960 interface running can be different there 577 00:20:02,960 --> 00:20:05,280 you can have a special vpn or you know 578 00:20:05,280 --> 00:20:07,039 all of these things and i'm happy to 579 00:20:07,039 --> 00:20:08,880 talk about this uh you know after the 580 00:20:08,880 --> 00:20:10,880 after the talk with with you if you if 581 00:20:10,880 --> 00:20:12,720 you would like to to hear my my thoughts 582 00:20:12,720 --> 00:20:15,679 about this uh but this specifically 583 00:20:15,679 --> 00:20:18,159 focuses on the public side like a public 584 00:20:18,159 --> 00:20:19,679 public content on your 585 00:20:19,679 --> 00:20:20,960 uh 586 00:20:20,960 --> 00:20:23,760 on your website uh and 587 00:20:23,760 --> 00:20:26,159 splitting it this way also i feel has 588 00:20:26,159 --> 00:20:28,400 security benefits right because if you 589 00:20:28,400 --> 00:20:29,840 if you split it this way your public 590 00:20:29,840 --> 00:20:32,159 site is public right but it has no way 591 00:20:32,159 --> 00:20:34,559 of interfacing with the with the admin 592 00:20:34,559 --> 00:20:36,799 uh interface that means that you know a 593 00:20:36,799 --> 00:20:39,360 script kitty will not use a 594 00:20:39,360 --> 00:20:41,840 wordpress bug to take over your site 595 00:20:41,840 --> 00:20:42,720 right 596 00:20:42,720 --> 00:20:44,799 but that's somewhat beside the point 597 00:20:44,799 --> 00:20:46,400 okay 598 00:20:46,400 --> 00:20:49,520 i mentioned same setup um 599 00:20:49,520 --> 00:20:51,039 and and i will just go quickly through 600 00:20:51,039 --> 00:20:52,240 this what this means to me as i 601 00:20:52,240 --> 00:20:54,240 mentioned is limiting plugins and 602 00:20:54,240 --> 00:20:56,400 complexity um 603 00:20:56,400 --> 00:20:58,320 static site generators if it's something 604 00:20:58,320 --> 00:20:59,919 that can work for you i would strongly 605 00:20:59,919 --> 00:21:01,520 recommend this if you want your your 606 00:21:01,520 --> 00:21:04,080 website to be you know uh 607 00:21:04,080 --> 00:21:05,440 resilience to 608 00:21:05,440 --> 00:21:07,280 reasonably high traffic caching and 609 00:21:07,280 --> 00:21:08,880 micro caching i'm happy to talk about 610 00:21:08,880 --> 00:21:10,559 this with with whoever wants to talk 611 00:21:10,559 --> 00:21:12,559 about this after the after the talk 612 00:21:12,559 --> 00:21:14,720 because that's a whole separate ball of 613 00:21:14,720 --> 00:21:16,960 hairy things um 614 00:21:16,960 --> 00:21:19,200 and and that's something i see in a lot 615 00:21:19,200 --> 00:21:21,039 of websites that they us like they 616 00:21:21,039 --> 00:21:22,960 configure their whatever wordpress or or 617 00:21:22,960 --> 00:21:25,360 whatever cms they're running 618 00:21:25,360 --> 00:21:27,120 they hard code the domain 619 00:21:27,120 --> 00:21:29,600 right which means if you're a small news 620 00:21:29,600 --> 00:21:31,679 organization somewhere in caucasus or or 621 00:21:31,679 --> 00:21:32,400 or 622 00:21:32,400 --> 00:21:34,640 or the balkans and you get blocked for 623 00:21:34,640 --> 00:21:36,400 whatever reason 624 00:21:36,400 --> 00:21:37,919 usually the easiest thing that comes to 625 00:21:37,919 --> 00:21:39,600 your mind is oh we can just get a new 626 00:21:39,600 --> 00:21:41,120 domain and 627 00:21:41,120 --> 00:21:43,200 put our website on that domain right 628 00:21:43,200 --> 00:21:44,400 send this to our 629 00:21:44,400 --> 00:21:47,760 users oh we cannot because the cms 630 00:21:47,760 --> 00:21:49,760 enforces the old domain 631 00:21:49,760 --> 00:21:51,840 and now you have a bigger problem right 632 00:21:51,840 --> 00:21:54,000 so thinking about this this is something 633 00:21:54,000 --> 00:21:55,840 that i haven't noticed that many people 634 00:21:55,840 --> 00:21:58,000 think about thinking about this when you 635 00:21:58,000 --> 00:21:59,600 set up the website 636 00:21:59,600 --> 00:22:01,200 is really important and just say you 637 00:22:01,200 --> 00:22:02,720 know what i don't need to have the 638 00:22:02,720 --> 00:22:04,720 domain hard-coded i don't i really 639 00:22:04,720 --> 00:22:06,559 relative links are fine 640 00:22:06,559 --> 00:22:08,080 right and that also means that if you 641 00:22:08,080 --> 00:22:09,919 move to a different domain your website 642 00:22:09,919 --> 00:22:11,760 will still work right which 643 00:22:11,760 --> 00:22:13,840 yay 644 00:22:13,840 --> 00:22:15,919 okay uh so 645 00:22:15,919 --> 00:22:18,480 let's get to the interesting things when 646 00:22:18,480 --> 00:22:20,720 the site goes down right we have a we 647 00:22:20,720 --> 00:22:22,559 have you have a news website the the 648 00:22:22,559 --> 00:22:24,799 website goes down let's say it's blocked 649 00:22:24,799 --> 00:22:25,840 because 650 00:22:25,840 --> 00:22:28,159 something 651 00:22:28,159 --> 00:22:29,600 and 652 00:22:29,600 --> 00:22:31,120 when this happens you are you have a 653 00:22:31,120 --> 00:22:32,559 chicken and egg problem right let's say 654 00:22:32,559 --> 00:22:34,159 you set up a separate domain your 655 00:22:34,159 --> 00:22:36,559 website was you know sane 656 00:22:36,559 --> 00:22:38,080 it works on the separate domain how do 657 00:22:38,080 --> 00:22:39,919 you put this information out to the 658 00:22:39,919 --> 00:22:42,559 users right the best way to inform your 659 00:22:42,559 --> 00:22:44,559 visitors that there's a new domain would 660 00:22:44,559 --> 00:22:47,280 be to use your website but your website 661 00:22:47,280 --> 00:22:48,400 is down 662 00:22:48,400 --> 00:22:49,840 it's kind of 663 00:22:49,840 --> 00:22:52,000 difficult right so you can use social 664 00:22:52,000 --> 00:22:54,559 media you can use all those things but 665 00:22:54,559 --> 00:22:56,720 for a lot of users the default place 666 00:22:56,720 --> 00:22:58,320 that they visit to get information from 667 00:22:58,320 --> 00:22:59,600 your website or about your website is 668 00:22:59,600 --> 00:23:01,280 your website so 669 00:23:01,280 --> 00:23:02,640 chicken and egg 670 00:23:02,640 --> 00:23:05,760 but we can try to fix this with service 671 00:23:05,760 --> 00:23:07,679 workers anyone is familiar with service 672 00:23:07,679 --> 00:23:09,280 workers 673 00:23:09,280 --> 00:23:11,280 okay so service workers 674 00:23:11,280 --> 00:23:15,760 uh are this uh is this web api that is 675 00:23:15,760 --> 00:23:18,000 relatively new i would say five years 676 00:23:18,000 --> 00:23:20,240 ish maybe in in 677 00:23:20,240 --> 00:23:21,679 production state 678 00:23:21,679 --> 00:23:24,799 and the idea is a website 679 00:23:24,799 --> 00:23:26,720 uh sends a piece of code and tells the 680 00:23:26,720 --> 00:23:28,159 browser when the visitor visits the 681 00:23:28,159 --> 00:23:31,039 website hey from this point on this bit 682 00:23:31,039 --> 00:23:32,000 of code 683 00:23:32,000 --> 00:23:34,159 handles all of the requests that are 684 00:23:34,159 --> 00:23:36,000 done in the context of this website all 685 00:23:36,000 --> 00:23:38,159 of them right so all of the requests to 686 00:23:38,159 --> 00:23:40,159 the domain and all of the requests that 687 00:23:40,159 --> 00:23:42,960 in that originate from the loaded page 688 00:23:42,960 --> 00:23:45,440 to any domain right 689 00:23:45,440 --> 00:23:48,080 and this piece of code gets cached 690 00:23:48,080 --> 00:23:49,840 and this piece of code the browser then 691 00:23:49,840 --> 00:23:50,960 remembers 692 00:23:50,960 --> 00:23:52,960 uh such that even if you close all the 693 00:23:52,960 --> 00:23:56,240 tabs close the browser all of this 694 00:23:56,240 --> 00:23:57,679 you 695 00:23:57,679 --> 00:24:00,000 three weeks later you visit the site and 696 00:24:00,000 --> 00:24:01,520 what happens is that this code is 697 00:24:01,520 --> 00:24:03,440 brought up from the cache 698 00:24:03,440 --> 00:24:05,840 handles your requests right what this 699 00:24:05,840 --> 00:24:07,600 means is we can do 700 00:24:07,600 --> 00:24:10,400 reasonably um interesting things because 701 00:24:10,400 --> 00:24:11,919 yeah as i said once registered the 702 00:24:11,919 --> 00:24:13,360 service worker kicks in the moment a 703 00:24:13,360 --> 00:24:14,880 request is fired including before the 704 00:24:14,880 --> 00:24:16,960 website is loaded as long as the service 705 00:24:16,960 --> 00:24:19,039 worker had been loaded before right so 706 00:24:19,039 --> 00:24:20,799 for anyone who had visited your site 707 00:24:20,799 --> 00:24:21,840 once 708 00:24:21,840 --> 00:24:23,600 this code is there it's already cached 709 00:24:23,600 --> 00:24:24,799 it's going to run it's going to be there 710 00:24:24,799 --> 00:24:27,760 for for a month or longer um and it will 711 00:24:27,760 --> 00:24:30,000 handle all the requests right so this 712 00:24:30,000 --> 00:24:31,600 allows us to you know obviously cache 713 00:24:31,600 --> 00:24:33,840 the content in browser just say you know 714 00:24:33,840 --> 00:24:36,320 if you pull this content cache it and 715 00:24:36,320 --> 00:24:37,919 the next time the user loads this page 716 00:24:37,919 --> 00:24:40,000 if the page is not working just show the 717 00:24:40,000 --> 00:24:42,400 cached content but that's boring right 718 00:24:42,400 --> 00:24:43,840 there plenty of people are doing that 719 00:24:43,840 --> 00:24:45,600 already and that's kind of boring but 720 00:24:45,600 --> 00:24:48,480 you can do what you can also do 721 00:24:48,480 --> 00:24:50,720 uh is 722 00:24:50,720 --> 00:24:52,960 you can pull the content from anywhere 723 00:24:52,960 --> 00:24:54,000 else 724 00:24:54,000 --> 00:24:56,080 this is your code you can just do fetch 725 00:24:56,080 --> 00:24:58,159 requests anywhere else you can do 726 00:24:58,159 --> 00:25:00,480 alternative endpoints meaning 727 00:25:00,480 --> 00:25:02,640 your website is down a returning visitor 728 00:25:02,640 --> 00:25:05,120 comes to your website right 729 00:25:05,120 --> 00:25:07,600 service worker gets gets spun up and the 730 00:25:07,600 --> 00:25:09,200 service worker says 731 00:25:09,200 --> 00:25:10,000 uh 732 00:25:10,000 --> 00:25:11,679 hold on the website is not is not 733 00:25:11,679 --> 00:25:13,520 responding but i know that i can get 734 00:25:13,520 --> 00:25:15,520 this content also from these 735 00:25:15,520 --> 00:25:17,200 secondary domains so i'm just going to 736 00:25:17,200 --> 00:25:18,799 pull this content from secondary domains 737 00:25:18,799 --> 00:25:21,120 boom from the perspective of the user 738 00:25:21,120 --> 00:25:23,039 the website just works it's maybe a 739 00:25:23,039 --> 00:25:24,240 little bit slower because it has to 740 00:25:24,240 --> 00:25:26,159 first figure out that the fetch request 741 00:25:26,159 --> 00:25:28,480 to the original website doesn't work but 742 00:25:28,480 --> 00:25:31,520 like okay half a second longer oh no 743 00:25:31,520 --> 00:25:32,799 right 744 00:25:32,799 --> 00:25:35,919 uh so this is this is uh what i would 745 00:25:35,919 --> 00:25:37,440 have been working as a project called 746 00:25:37,440 --> 00:25:39,679 lib resilient and maybe you can even see 747 00:25:39,679 --> 00:25:43,360 the url there resilience.is 748 00:25:43,360 --> 00:25:44,320 and 749 00:25:44,320 --> 00:25:46,559 what it does is it it implements all of 750 00:25:46,559 --> 00:25:48,080 the above right it implements the 751 00:25:48,080 --> 00:25:49,600 service work it implements the plugins 752 00:25:49,600 --> 00:25:51,360 for you know caching and pulling content 753 00:25:51,360 --> 00:25:53,679 from random places 754 00:25:53,679 --> 00:25:54,480 and 755 00:25:54,480 --> 00:25:56,000 it has a configurable order of 756 00:25:56,000 --> 00:25:58,559 operations uh which means we can do 757 00:25:58,559 --> 00:26:01,679 something like this right we can say hey 758 00:26:01,679 --> 00:26:04,240 once when you get a request for content 759 00:26:04,240 --> 00:26:06,400 related to this website and coming from 760 00:26:06,400 --> 00:26:09,039 the domain of this website please first 761 00:26:09,039 --> 00:26:11,360 fetch to the from the original domain 762 00:26:11,360 --> 00:26:13,200 right if that works great just cache 763 00:26:13,200 --> 00:26:15,120 that content provide it to the user 764 00:26:15,120 --> 00:26:17,520 we're done but if the if the fetch 765 00:26:17,520 --> 00:26:18,799 doesn't work because the let's say the 766 00:26:18,799 --> 00:26:20,400 backend domain the original domain is 767 00:26:20,400 --> 00:26:22,640 down okay do we have it in cache maybe 768 00:26:22,640 --> 00:26:25,679 we do great maybe we don't what do we do 769 00:26:25,679 --> 00:26:27,679 we do we go to alternative end points 770 00:26:27,679 --> 00:26:29,840 right we we say hey 771 00:26:29,840 --> 00:26:31,679 okay fetch didn't work we didn't have a 772 00:26:31,679 --> 00:26:32,640 cache 773 00:26:32,640 --> 00:26:34,159 but i know that this content should be 774 00:26:34,159 --> 00:26:35,520 available in these five different 775 00:26:35,520 --> 00:26:37,279 endpoints so i'm going to just pull it 776 00:26:37,279 --> 00:26:39,520 uh plum it from pub pilot from there 777 00:26:39,520 --> 00:26:42,559 right and whichever succeeds first 778 00:26:42,559 --> 00:26:44,640 the first successful remote fetch gets 779 00:26:44,640 --> 00:26:47,200 cached and boom the user now has access 780 00:26:47,200 --> 00:26:48,080 to this 781 00:26:48,080 --> 00:26:50,880 uh content and again it just works the 782 00:26:50,880 --> 00:26:52,880 the the visitor has no clue what was 783 00:26:52,880 --> 00:26:54,000 happening 784 00:26:54,000 --> 00:26:55,679 behind the scenes 785 00:26:55,679 --> 00:26:57,840 and for example just just to throw it 786 00:26:57,840 --> 00:26:59,760 out there possible alternative end 787 00:26:59,760 --> 00:27:01,440 points you know way back machine right 788 00:27:01,440 --> 00:27:03,200 if you if your website is on wayback 789 00:27:03,200 --> 00:27:05,279 machine boom you have a alternative 790 00:27:05,279 --> 00:27:06,720 endpoint for free 791 00:27:06,720 --> 00:27:07,840 you can literally just fetch your 792 00:27:07,840 --> 00:27:10,480 content from wayback machine great right 793 00:27:10,480 --> 00:27:12,240 you can have 794 00:27:12,240 --> 00:27:14,159 public folders on on major cloud 795 00:27:14,159 --> 00:27:16,240 services they will hate you for this you 796 00:27:16,240 --> 00:27:18,000 know one little trick to make cloud 797 00:27:18,000 --> 00:27:19,520 services hate you 798 00:27:19,520 --> 00:27:21,440 but it would work right you just fetch 799 00:27:21,440 --> 00:27:22,880 from the public 800 00:27:22,880 --> 00:27:24,159 public folder 801 00:27:24,159 --> 00:27:26,240 uh and the user just 802 00:27:26,240 --> 00:27:28,159 doesn't even have to think about this i 803 00:27:28,159 --> 00:27:29,760 this is not my favorite way of doing 804 00:27:29,760 --> 00:27:32,240 this but it is possible and of course 805 00:27:32,240 --> 00:27:34,880 any https host uh you can push content 806 00:27:34,880 --> 00:27:37,120 to really right so for example you could 807 00:27:37,120 --> 00:27:39,679 push content to ipfs and fetch it from 808 00:27:39,679 --> 00:27:41,760 ipss gateways 809 00:27:41,760 --> 00:27:43,440 right boom 810 00:27:43,440 --> 00:27:45,200 again you can rely on on infrastructure 811 00:27:45,200 --> 00:27:47,039 of ipfs 812 00:27:47,039 --> 00:27:50,000 to uh to fetch your content right 813 00:27:50,000 --> 00:27:52,399 okay uh so 814 00:27:52,399 --> 00:27:54,639 uh 815 00:27:54,960 --> 00:27:56,559 multiple alternative endpoints can be 816 00:27:56,559 --> 00:27:58,880 configured at the same time right so you 817 00:27:58,880 --> 00:28:00,880 can have a configuration that says look 818 00:28:00,880 --> 00:28:03,279 if the original domain is down you can 819 00:28:03,279 --> 00:28:05,279 fetch it from here here here here or 820 00:28:05,279 --> 00:28:08,240 here right and then a random every every 821 00:28:08,240 --> 00:28:10,159 uh every request a random alternative 822 00:28:10,159 --> 00:28:12,320 endpoint is is selected to pull content 823 00:28:12,320 --> 00:28:13,919 from and several can be used 824 00:28:13,919 --> 00:28:15,520 simultaneously so you can have an and 825 00:28:15,520 --> 00:28:17,679 out of m situation of saying like i have 826 00:28:17,679 --> 00:28:20,559 five configured try two of them randomly 827 00:28:20,559 --> 00:28:22,320 just in case one of them will be down 828 00:28:22,320 --> 00:28:24,240 right so you're uh you're making more 829 00:28:24,240 --> 00:28:26,880 requests but you're also maximizing the 830 00:28:26,880 --> 00:28:28,559 chance that even if one of the alternate 831 00:28:28,559 --> 00:28:30,480 event points is down the user will still 832 00:28:30,480 --> 00:28:33,279 get uh get the content 833 00:28:33,279 --> 00:28:34,640 this is probably the question that you 834 00:28:34,640 --> 00:28:36,399 have in your heads right now uh what 835 00:28:36,399 --> 00:28:38,320 about like okay but those end points 836 00:28:38,320 --> 00:28:40,320 have access to your content they can 837 00:28:40,320 --> 00:28:42,240 modify this content they can be 838 00:28:42,240 --> 00:28:43,919 malicious right oh no what do we do 839 00:28:43,919 --> 00:28:46,559 about this uh sub resource integrity to 840 00:28:46,559 --> 00:28:48,240 the rescue anyone here is familiar with 841 00:28:48,240 --> 00:28:50,000 subresource integrity 842 00:28:50,000 --> 00:28:52,240 okay so what subresource integrity does 843 00:28:52,240 --> 00:28:54,720 is uh you have some kind of a resource 844 00:28:54,720 --> 00:28:56,480 let's say a script that you're pulling 845 00:28:56,480 --> 00:28:58,480 from let's say fastly because that's 846 00:28:58,480 --> 00:29:00,159 what was made for it was made for those 847 00:29:00,159 --> 00:29:01,679 large cdn's 848 00:29:01,679 --> 00:29:03,120 and 849 00:29:03,120 --> 00:29:05,440 the you you you use the link but you 850 00:29:05,440 --> 00:29:08,799 also add the in the integrity hash so in 851 00:29:08,799 --> 00:29:11,760 html is just like you know uh script you 852 00:29:11,760 --> 00:29:13,440 know uh 853 00:29:13,440 --> 00:29:16,080 ref uh blah blah blah and then integrity 854 00:29:16,080 --> 00:29:18,240 equals there's a hash and the browser 855 00:29:18,240 --> 00:29:20,159 what the browser does is it pulls the 856 00:29:20,159 --> 00:29:22,880 content verifies the hash 857 00:29:22,880 --> 00:29:24,880 before giving the content back to the to 858 00:29:24,880 --> 00:29:26,480 the client side 859 00:29:26,480 --> 00:29:28,399 right uh which means if you have the 860 00:29:28,399 --> 00:29:30,240 hash of all the content 861 00:29:30,240 --> 00:29:32,559 uh you don't have to care because if 862 00:29:32,559 --> 00:29:34,320 somebody is maliciously modifying the 863 00:29:34,320 --> 00:29:36,240 the stuff on the alternative endpoints 864 00:29:36,240 --> 00:29:37,679 your browser will just say nope sorry 865 00:29:37,679 --> 00:29:41,120 the hash doesn't match uh bye-bye right 866 00:29:41,120 --> 00:29:42,880 but this again 867 00:29:42,880 --> 00:29:45,760 so but in html we can only set integrity 868 00:29:45,760 --> 00:29:47,840 attributes on script and link elements 869 00:29:47,840 --> 00:29:50,080 thankfully uh in javascript we can set 870 00:29:50,080 --> 00:29:52,880 integrity hashes on any request and 871 00:29:52,880 --> 00:29:55,360 because uh because we're doing this in 872 00:29:55,360 --> 00:29:56,720 in javascript because it's a service 873 00:29:56,720 --> 00:29:58,559 worker blah blah blah all of this we can 874 00:29:58,559 --> 00:30:00,960 set integrity hashes on every request so 875 00:30:00,960 --> 00:30:02,640 i tested this with video i tested this 876 00:30:02,640 --> 00:30:04,159 with images i tested this with all sorts 877 00:30:04,159 --> 00:30:06,080 of content and the browser just happily 878 00:30:06,080 --> 00:30:08,399 says okay i'm pulling some content 879 00:30:08,399 --> 00:30:10,240 hash match is great here you are or hash 880 00:30:10,240 --> 00:30:13,840 doesn't matter well screw off right 881 00:30:14,000 --> 00:30:15,600 and yes there's a there's already a 882 00:30:15,600 --> 00:30:17,760 plugin for this in in in liv resilience 883 00:30:17,760 --> 00:30:20,000 so that that's already implemented but 884 00:30:20,000 --> 00:30:21,200 then 885 00:30:21,200 --> 00:30:23,120 that's not that easy right but then how 886 00:30:23,120 --> 00:30:24,799 can you distribute integrity hashes 887 00:30:24,799 --> 00:30:26,559 safely without having to trust 888 00:30:26,559 --> 00:30:28,799 alternative endpoint operators right 889 00:30:28,799 --> 00:30:30,720 because you have the the the service 890 00:30:30,720 --> 00:30:32,960 worker has to get those hashes somehow 891 00:30:32,960 --> 00:30:34,880 it can either have them pre-configured 892 00:30:34,880 --> 00:30:36,159 which is boring because now you cannot 893 00:30:36,159 --> 00:30:38,880 push new content or it can have you can 894 00:30:38,880 --> 00:30:40,000 pull them for example from those 895 00:30:40,000 --> 00:30:41,760 alternative endpoints but we don't trust 896 00:30:41,760 --> 00:30:43,279 those alternative endpoints that is the 897 00:30:43,279 --> 00:30:45,440 whole point of distributing those hashes 898 00:30:45,440 --> 00:30:48,159 what do we do what do we do asymmetric 899 00:30:48,159 --> 00:30:51,440 crypto um right we can 900 00:30:51,440 --> 00:30:53,679 another plugin already implemented 901 00:30:53,679 --> 00:30:56,000 verifying uh fetched content using 902 00:30:56,000 --> 00:30:57,919 signed integrity data right so what 903 00:30:57,919 --> 00:30:59,279 happens is 904 00:30:59,279 --> 00:31:01,039 initial setup of your website you 905 00:31:01,039 --> 00:31:03,200 generate private and public key pair on 906 00:31:03,200 --> 00:31:05,200 your server side 907 00:31:05,200 --> 00:31:07,360 you configure the public the public key 908 00:31:07,360 --> 00:31:09,519 in live resilience config and you use 909 00:31:09,519 --> 00:31:11,919 the signed integrity plugin and the sign 910 00:31:11,919 --> 00:31:14,159 integrity plugin during publishing what 911 00:31:14,159 --> 00:31:16,159 you do is you publish you generate the 912 00:31:16,159 --> 00:31:17,840 integrity hash of every piece of content 913 00:31:17,840 --> 00:31:19,840 image whatever you're publishing 914 00:31:19,840 --> 00:31:22,720 you put it in a java web token 915 00:31:22,720 --> 00:31:24,960 magic magic magic uh 916 00:31:24,960 --> 00:31:26,480 signed with the private key generated 917 00:31:26,480 --> 00:31:29,600 before and you put the jwt 918 00:31:29,600 --> 00:31:31,600 in a file available under whatever the 919 00:31:31,600 --> 00:31:34,399 uri of the original content is dot 920 00:31:34,399 --> 00:31:36,960 integrity right and this is what this is 921 00:31:36,960 --> 00:31:38,640 what this plugin expects when it's 922 00:31:38,640 --> 00:31:40,000 working in the service worker on the 923 00:31:40,000 --> 00:31:41,360 client side 924 00:31:41,360 --> 00:31:43,200 when it's fetching content let's say 925 00:31:43,200 --> 00:31:44,519 it's fetching 926 00:31:44,519 --> 00:31:47,120 favicon.ico right what it will do first 927 00:31:47,120 --> 00:31:49,120 it will fetch favicon dot ico dot 928 00:31:49,120 --> 00:31:51,279 integrity verify the signature get the 929 00:31:51,279 --> 00:31:52,720 hash out of it 930 00:31:52,720 --> 00:31:55,039 verify pull the pull the five icon dot 931 00:31:55,039 --> 00:31:58,559 ico verify the hash boom uh it works or 932 00:31:58,559 --> 00:32:00,640 or it doesn't work right so what this 933 00:32:00,640 --> 00:32:02,799 means is we have a we can have content 934 00:32:02,799 --> 00:32:04,720 delivery even or with the original 935 00:32:04,720 --> 00:32:06,080 website is down thanks to service 936 00:32:06,080 --> 00:32:07,039 workers 937 00:32:07,039 --> 00:32:09,840 uh we can verify the fetched content uh 938 00:32:09,840 --> 00:32:11,760 has not been tampered with thanks thanks 939 00:32:11,760 --> 00:32:14,000 to suppressors integrity and the signed 940 00:32:14,000 --> 00:32:16,240 integrity plugin and it all works on 941 00:32:16,240 --> 00:32:17,919 regular browsers no special settings 942 00:32:17,919 --> 00:32:20,559 necessary if you are using any of the 943 00:32:20,559 --> 00:32:21,600 you know 944 00:32:21,600 --> 00:32:23,120 modern browsers 945 00:32:23,120 --> 00:32:25,039 all of this already works all the all 946 00:32:25,039 --> 00:32:27,679 the plumbing is already there right 947 00:32:27,679 --> 00:32:31,120 so what we can have exactly this imagine 948 00:32:31,120 --> 00:32:33,519 10 organizations that say okay we're 949 00:32:33,519 --> 00:32:35,039 going to deploy the brazilian on all our 950 00:32:35,039 --> 00:32:37,039 websites and we're going to serve as 951 00:32:37,039 --> 00:32:40,640 alternative endpoints for each other 952 00:32:40,640 --> 00:32:41,440 right 953 00:32:41,440 --> 00:32:44,240 you have a community cdn where no new 954 00:32:44,240 --> 00:32:45,760 infrastructure needs to be deployed the 955 00:32:45,760 --> 00:32:47,360 only cost is 956 00:32:47,360 --> 00:32:50,960 uh is a storage space right because each 957 00:32:50,960 --> 00:32:52,960 of those websites has to be mirrored on 958 00:32:52,960 --> 00:32:54,960 each of those the organization's 959 00:32:54,960 --> 00:32:56,640 infrastructures that's that's the only 960 00:32:56,640 --> 00:32:57,360 thing 961 00:32:57,360 --> 00:33:01,120 uh the the bandwidth costs kick in only 962 00:33:01,120 --> 00:33:02,880 uh when one of the websites is down 963 00:33:02,880 --> 00:33:05,039 right because with this config it's like 964 00:33:05,039 --> 00:33:06,480 does the website work it works here's 965 00:33:06,480 --> 00:33:08,080 your content if it doesn't work well 966 00:33:08,080 --> 00:33:10,080 alternative endpoints right other orgs 967 00:33:10,080 --> 00:33:12,000 infrastructures pooling right 968 00:33:12,000 --> 00:33:14,640 you don't have to trust them that much 969 00:33:14,640 --> 00:33:16,880 right because you can you you are 970 00:33:16,880 --> 00:33:17,840 pushing 971 00:33:17,840 --> 00:33:19,840 the content along with the integrity 972 00:33:19,840 --> 00:33:22,320 files so the service worker will verify 973 00:33:22,320 --> 00:33:24,240 this right so you don't even have to 974 00:33:24,240 --> 00:33:26,159 trust those organizations like 975 00:33:26,159 --> 00:33:28,159 to not modify your content you only have 976 00:33:28,159 --> 00:33:30,720 to trust them in the sense that uh they 977 00:33:30,720 --> 00:33:33,200 will not maliciously screw screw you up 978 00:33:33,200 --> 00:33:34,720 in the sense of like deleting content or 979 00:33:34,720 --> 00:33:36,320 anything like that but if it's a group 980 00:33:36,320 --> 00:33:38,399 of organizations doing similar things 981 00:33:38,399 --> 00:33:40,240 perhaps that's not an entirely 982 00:33:40,240 --> 00:33:42,399 unreasonable assumption 983 00:33:42,399 --> 00:33:44,080 and it is completely transparent for 984 00:33:44,080 --> 00:33:46,880 visitors right so everything i promised 985 00:33:46,880 --> 00:33:48,399 there you go on this black screen that 986 00:33:48,399 --> 00:33:50,720 has nothing on it 987 00:33:50,720 --> 00:33:53,039 so yeah a group of organizations running 988 00:33:53,039 --> 00:33:55,200 its own their own hosting infrastructure 989 00:33:55,200 --> 00:33:57,600 serving as alternative endpoints for for 990 00:33:57,600 --> 00:33:58,960 one another 991 00:33:58,960 --> 00:34:00,559 i think i have about five minutes right 992 00:34:00,559 --> 00:34:01,360 now 993 00:34:01,360 --> 00:34:04,240 so and i have i think three slides 994 00:34:04,240 --> 00:34:07,760 this is doable uh not mentioned here uh 995 00:34:07,760 --> 00:34:09,839 configuration changes during downtime 996 00:34:09,839 --> 00:34:11,918 right let's say your website is down and 997 00:34:11,918 --> 00:34:13,839 you decided ah you i have to change 998 00:34:13,839 --> 00:34:15,040 alternative endpoints some of those 999 00:34:15,040 --> 00:34:17,280 organizations also went down or now 1000 00:34:17,280 --> 00:34:19,599 don't want to don't want to deal with me 1001 00:34:19,599 --> 00:34:21,199 i set up new alternative endpoints what 1002 00:34:21,199 --> 00:34:23,119 do i do how do i tell the users who have 1003 00:34:23,119 --> 00:34:25,679 already loaded the service worker uh 1004 00:34:25,679 --> 00:34:28,639 that there are new alternative endpoints 1005 00:34:28,639 --> 00:34:31,040 well if at least one alternative 1006 00:34:31,040 --> 00:34:33,199 endpoint already configured works you 1007 00:34:33,199 --> 00:34:35,520 just push a config update 1008 00:34:35,520 --> 00:34:37,280 boom and this goes through the same 1009 00:34:37,280 --> 00:34:39,199 plumbing as any other request because 1010 00:34:39,199 --> 00:34:41,679 it's just config.json file so 1011 00:34:41,679 --> 00:34:44,399 config.json.config.json.integrity 1012 00:34:44,399 --> 00:34:46,320 boom any user who has 1013 00:34:46,320 --> 00:34:48,079 visited your website before has the 1014 00:34:48,079 --> 00:34:50,719 service worker loaded and 1015 00:34:50,719 --> 00:34:52,159 as long as at least one of the alternate 1016 00:34:52,159 --> 00:34:54,239 endpoints works already 1017 00:34:54,239 --> 00:34:57,440 pulls in the update uh and and boom has 1018 00:34:57,440 --> 00:34:59,040 access to the new alternative endpoints 1019 00:34:59,040 --> 00:35:02,720 or the new uh config 1020 00:35:02,720 --> 00:35:04,079 i have not talked about deployment and 1021 00:35:04,079 --> 00:35:06,480 publishing pipeline uh because that 1022 00:35:06,480 --> 00:35:08,480 depends very much on the setup of each 1023 00:35:08,480 --> 00:35:10,320 website if you're using a static site 1024 00:35:10,320 --> 00:35:11,760 there is going to be a bus script a make 1025 00:35:11,760 --> 00:35:14,240 file a gitlab ci cd pipeline or 1026 00:35:14,240 --> 00:35:15,520 something like that that pushes content 1027 00:35:15,520 --> 00:35:17,520 to your site well we can just add some 1028 00:35:17,520 --> 00:35:19,599 steps that pushes this content to ipfs 1029 00:35:19,599 --> 00:35:21,599 or your friendly organizations or your 1030 00:35:21,599 --> 00:35:24,480 whatever google drive and uh you know at 1031 00:35:24,480 --> 00:35:26,160 the same time and and calculates the 1032 00:35:26,160 --> 00:35:31,040 integrity files uh along along with that 1033 00:35:31,040 --> 00:35:34,480 there is a faq can you read the link 1034 00:35:34,480 --> 00:35:36,240 there there's going to be a more visible 1035 00:35:36,240 --> 00:35:37,200 link 1036 00:35:37,200 --> 00:35:38,880 at the end 1037 00:35:38,880 --> 00:35:40,640 current status of the resilient code 1038 00:35:40,640 --> 00:35:42,240 exists works and has 1039 00:35:42,240 --> 00:35:46,800 decent code code test coverage um uh all 1040 00:35:46,800 --> 00:35:48,960 of the plugins that uh that i was 1041 00:35:48,960 --> 00:35:52,160 talking about today have 90 or more uh 1042 00:35:52,160 --> 00:35:54,800 test coverage so uh yay 1043 00:35:54,800 --> 00:35:56,640 documentation largely exists but 1044 00:35:56,640 --> 00:35:58,640 definitely needs improvements 1045 00:35:58,640 --> 00:36:00,079 if somebody wants to read through this 1046 00:36:00,079 --> 00:36:01,839 and tell me oh no i don't understand how 1047 00:36:01,839 --> 00:36:04,160 this works this is weird then i'm very 1048 00:36:04,160 --> 00:36:06,400 happy to hear that and improve because 1049 00:36:06,400 --> 00:36:08,000 when i write this documentation i'm all 1050 00:36:08,000 --> 00:36:09,760 in my head i understand all of this i 1051 00:36:09,760 --> 00:36:10,960 don't know which things might be 1052 00:36:10,960 --> 00:36:13,839 completely weird or or surprising 1053 00:36:13,839 --> 00:36:15,359 this has not yet been deployed in 1054 00:36:15,359 --> 00:36:17,440 production on any large site but i have 1055 00:36:17,440 --> 00:36:19,599 i know that i know of two reasonably 1056 00:36:19,599 --> 00:36:21,680 large projects that are testing it and 1057 00:36:21,680 --> 00:36:24,640 might might deploy it at some point but 1058 00:36:24,640 --> 00:36:27,520 testing improvements ideas criticism all 1059 00:36:27,520 --> 00:36:29,839 of this is very welcome please you know 1060 00:36:29,839 --> 00:36:31,599 come at me 1061 00:36:31,599 --> 00:36:33,839 and the project got a small grant from 1062 00:36:33,839 --> 00:36:35,680 nlnet which i highly recommend those 1063 00:36:35,680 --> 00:36:37,760 guys are also at mch and you should find 1064 00:36:37,760 --> 00:36:39,200 them somewhere there 1065 00:36:39,200 --> 00:36:41,680 uh somewhere there sorry uh and they 1066 00:36:41,680 --> 00:36:43,440 have more money for interesting projects 1067 00:36:43,440 --> 00:36:45,599 so you also should you know try uh try 1068 00:36:45,599 --> 00:36:47,520 uh try uh with your project if you have 1069 00:36:47,520 --> 00:36:48,560 a project 1070 00:36:48,560 --> 00:36:51,280 possible next steps uh wordpress plugin 1071 00:36:51,280 --> 00:36:53,040 because why would wordpress not why 1072 00:36:53,040 --> 00:36:55,599 should wordpress not be able to uh to 1073 00:36:55,599 --> 00:36:56,560 push 1074 00:36:56,560 --> 00:36:58,079 stuff you know along with integrity 1075 00:36:58,079 --> 00:37:00,320 files and all of this to some places uh 1076 00:37:00,320 --> 00:37:02,960 that makes sense uh reverse proxies can 1077 00:37:02,960 --> 00:37:04,560 be alternative endpoints i haven't used 1078 00:37:04,560 --> 00:37:06,560 them i prefer the static approach i 1079 00:37:06,560 --> 00:37:09,040 prefer the approach of here's content 1080 00:37:09,040 --> 00:37:12,160 files because this decouples the 1081 00:37:12,160 --> 00:37:13,920 alternative endpoints from your backend 1082 00:37:13,920 --> 00:37:15,760 server uh meaning if you're using 1083 00:37:15,760 --> 00:37:17,280 reverse proxies if your backend server 1084 00:37:17,280 --> 00:37:18,960 is down your reverse proxies are 1085 00:37:18,960 --> 00:37:20,400 probably also done or unless they do 1086 00:37:20,400 --> 00:37:22,800 some interesting caching right but this 1087 00:37:22,800 --> 00:37:25,760 is totally doable and totally crazy 1088 00:37:25,760 --> 00:37:28,079 ideas and this is almost the last slide 1089 00:37:28,079 --> 00:37:31,119 uh why not use ipns and ipfs as content 1090 00:37:31,119 --> 00:37:32,720 transfer directly in the browser well 1091 00:37:32,720 --> 00:37:34,800 there's a bug with ipns and i could i 1092 00:37:34,800 --> 00:37:36,720 could rant about this over beer uh 1093 00:37:36,720 --> 00:37:38,000 because it hasn't been fixed for three 1094 00:37:38,000 --> 00:37:40,160 years uh but once they fix this bug we 1095 00:37:40,160 --> 00:37:42,240 might be able to just use ipns ipfs 1096 00:37:42,240 --> 00:37:44,720 directly without hitting uh 1097 00:37:44,720 --> 00:37:46,400 ipfs gateways as 1098 00:37:46,400 --> 00:37:48,640 alternate event points 1099 00:37:48,640 --> 00:37:51,119 we could use i want to test web torrent 1100 00:37:51,119 --> 00:37:53,280 as content the content transport again 1101 00:37:53,280 --> 00:37:54,640 not alternative endpoints just a 1102 00:37:54,640 --> 00:37:56,640 completely alternative transport uh 1103 00:37:56,640 --> 00:37:59,040 plugin that just pulls stuff from from 1104 00:37:59,040 --> 00:38:01,119 the cloud 1105 00:38:01,119 --> 00:38:03,920 and merge requests are welcome and other 1106 00:38:03,920 --> 00:38:06,079 non-standard decentralized weird uh 1107 00:38:06,079 --> 00:38:08,160 fascinating transport plugins i'm all 1108 00:38:08,160 --> 00:38:09,440 ears if anybody wants to talk to me 1109 00:38:09,440 --> 00:38:11,200 about this and and figure out things to 1110 00:38:11,200 --> 00:38:13,040 do together and the website is 1111 00:38:13,040 --> 00:38:15,280 resilient.is there's a blog there's 1112 00:38:15,280 --> 00:38:17,520 documentation there's code it's very 1113 00:38:17,520 --> 00:38:22,240 simple website uh thank you questions 1114 00:38:22,320 --> 00:38:23,900 woof i made it wow 1115 00:38:23,900 --> 00:38:30,249 [Applause] 1116 00:38:30,400 --> 00:38:33,359 you still had 1117 00:38:33,359 --> 00:38:36,079 you still had you still had one minute 1118 00:38:36,079 --> 00:38:38,560 awesome oh i'm sorry 1119 00:38:38,560 --> 00:38:40,560 i could have spoken that tiny bit slower 1120 00:38:40,560 --> 00:38:42,880 then yes 1121 00:38:42,880 --> 00:38:44,480 but understandable all right we have 1122 00:38:44,480 --> 00:38:47,280 questions microphone in the front please 1123 00:38:47,280 --> 00:38:49,839 um any ideas about first-time visitors 1124 00:38:49,839 --> 00:38:51,119 like how to solve this problem for 1125 00:38:51,119 --> 00:38:53,839 first-time visitors no 1126 00:38:53,839 --> 00:38:55,119 no but 1127 00:38:55,119 --> 00:38:56,560 again from my experience of running 1128 00:38:56,560 --> 00:38:58,640 these kinds of websites 1129 00:38:58,640 --> 00:39:00,880 most of the visitors are first time are 1130 00:39:00,880 --> 00:39:03,920 are returning visitors usually right and 1131 00:39:03,920 --> 00:39:05,440 uh and so i 1132 00:39:05,440 --> 00:39:07,680 i found a way to solve this problem i 1133 00:39:07,680 --> 00:39:09,119 haven't found the way of solving the the 1134 00:39:09,119 --> 00:39:10,800 first visitors problem because you have 1135 00:39:10,800 --> 00:39:13,280 to load this code somehow right uh i 1136 00:39:13,280 --> 00:39:17,119 would love to to have a way of um okay 1137 00:39:17,119 --> 00:39:18,400 so let's say you have a static website 1138 00:39:18,400 --> 00:39:19,839 let's say you have static website with 1139 00:39:19,839 --> 00:39:21,680 relative links that means you can just 1140 00:39:21,680 --> 00:39:23,040 zip it 1141 00:39:23,040 --> 00:39:24,960 you can literally just distribute 1142 00:39:24,960 --> 00:39:27,680 zips on on on uh thumb drives on the 1143 00:39:27,680 --> 00:39:29,760 sneaker net right i would love to have a 1144 00:39:29,760 --> 00:39:32,240 way of distributing this code with the 1145 00:39:32,240 --> 00:39:34,000 zip and saying hey if you're if you're 1146 00:39:34,000 --> 00:39:36,160 if you receive this zip to the zip file 1147 00:39:36,160 --> 00:39:38,160 to 1148 00:39:38,160 --> 00:39:40,560 experience this website click this and 1149 00:39:40,560 --> 00:39:42,800 now you can go online and it will just 1150 00:39:42,800 --> 00:39:44,560 pull stuff but that's not how this works 1151 00:39:44,560 --> 00:39:46,320 unfortunately service workers can only 1152 00:39:46,320 --> 00:39:48,560 be installed either from localhost or 1153 00:39:48,560 --> 00:39:51,760 from https endpoints and and so if i 1154 00:39:51,760 --> 00:39:53,119 find a way to 1155 00:39:53,119 --> 00:39:55,520 you know go around this uh such that i 1156 00:39:55,520 --> 00:39:58,160 can install a service worker in a user's 1157 00:39:58,160 --> 00:40:00,320 browser from a zip file then 1158 00:40:00,320 --> 00:40:02,480 awesome right but yeah that's that's a 1159 00:40:02,480 --> 00:40:05,680 very very valid question 1160 00:40:05,839 --> 00:40:08,560 so this will also break if we finally 1161 00:40:08,560 --> 00:40:12,160 teach people to clear the browser 1162 00:40:12,160 --> 00:40:14,640 and browser profiles i think we don't 1163 00:40:14,640 --> 00:40:16,079 have to worry about that i don't think 1164 00:40:16,079 --> 00:40:17,359 they will ever learn 1165 00:40:17,359 --> 00:40:20,319 but yes uh this is this also used to not 1166 00:40:20,319 --> 00:40:22,800 work in firefox private mode uh or 1167 00:40:22,800 --> 00:40:24,240 incognito mode or whatever they call it 1168 00:40:24,240 --> 00:40:25,520 this week 1169 00:40:25,520 --> 00:40:26,720 but 1170 00:40:26,720 --> 00:40:29,280 but uh i think they they enabled it 1171 00:40:29,280 --> 00:40:31,119 right so yes there will be browsers and 1172 00:40:31,119 --> 00:40:33,599 there will be configurations uh where 1173 00:40:33,599 --> 00:40:36,079 this will not work for users 1174 00:40:36,079 --> 00:40:38,000 i usually use my most of my browsers 1175 00:40:38,000 --> 00:40:39,760 with javascript completely disabled so 1176 00:40:39,760 --> 00:40:41,359 that would not work for me but also 1177 00:40:41,359 --> 00:40:43,359 people who have javascript mostly 1178 00:40:43,359 --> 00:40:45,760 disabled also probably have tor so yes 1179 00:40:45,760 --> 00:40:47,520 onion tour sites on your like hidden 1180 00:40:47,520 --> 00:40:48,960 services please 1181 00:40:48,960 --> 00:40:51,040 yes 1182 00:40:51,040 --> 00:40:53,280 first thanks for the talks 1183 00:40:53,280 --> 00:40:56,160 and i didn't get one things the idea is 1184 00:40:56,160 --> 00:40:56,880 that 1185 00:40:56,880 --> 00:40:58,880 a group of organizations 1186 00:40:58,880 --> 00:41:01,359 uh stay together and install and 1187 00:41:01,359 --> 00:41:03,920 configure libra resilient 1188 00:41:03,920 --> 00:41:08,480 to uh and so to have kind of many island 1189 00:41:08,480 --> 00:41:09,680 where 1190 00:41:09,680 --> 00:41:12,160 many different group organizations can 1191 00:41:12,160 --> 00:41:13,599 pick up each other 1192 00:41:13,599 --> 00:41:15,599 so yes so each website let's say you 1193 00:41:15,599 --> 00:41:18,560 have 10 websites right each website has 1194 00:41:18,560 --> 00:41:20,560 live resilient configured and has okay 1195 00:41:20,560 --> 00:41:22,880 this is my main site but all of the 1196 00:41:22,880 --> 00:41:24,400 other uh 1197 00:41:24,400 --> 00:41:25,599 website like 1198 00:41:25,599 --> 00:41:26,720 infrastructure of all the other 1199 00:41:26,720 --> 00:41:28,560 organizations clear yeah 1200 00:41:28,560 --> 00:41:30,960 the question is uh do the organization 1201 00:41:30,960 --> 00:41:32,640 have to find each other 1202 00:41:32,640 --> 00:41:36,319 uh somewhere i mean if i want to 1203 00:41:36,319 --> 00:41:37,200 install 1204 00:41:37,200 --> 00:41:39,520 libre resilient how can i find some 1205 00:41:39,520 --> 00:41:41,599 other organization that want to rare 1206 00:41:41,599 --> 00:41:45,359 with me so that's that's uh 1207 00:41:45,359 --> 00:41:46,160 so 1208 00:41:46,160 --> 00:41:49,040 live resilient itself uh is just install 1209 00:41:49,040 --> 00:41:52,480 it on your uh on your website and you 1210 00:41:52,480 --> 00:41:53,520 have to figure out where your 1211 00:41:53,520 --> 00:41:55,200 alternative endpoints are and where 1212 00:41:55,200 --> 00:41:56,720 you're pushing your code and all of this 1213 00:41:56,720 --> 00:41:58,880 right this is up to the website admin to 1214 00:41:58,880 --> 00:42:01,839 figure out what they can rely on as far 1215 00:42:01,839 --> 00:42:03,040 as the alternative endpoints are 1216 00:42:03,040 --> 00:42:04,640 concerned right 1217 00:42:04,640 --> 00:42:07,920 but what i what i realized after i wrote 1218 00:42:07,920 --> 00:42:10,560 most of this this code is okay but if we 1219 00:42:10,560 --> 00:42:12,480 have a group of organizations they can 1220 00:42:12,480 --> 00:42:14,319 rely on each other right they can they 1221 00:42:14,319 --> 00:42:16,319 can pull their resources together using 1222 00:42:16,319 --> 00:42:18,640 live resilient in a way that i don't 1223 00:42:18,640 --> 00:42:20,319 think was possible before or i have not 1224 00:42:20,319 --> 00:42:21,119 seen 1225 00:42:21,119 --> 00:42:22,800 this kind of this kind of resource 1226 00:42:22,800 --> 00:42:24,880 pooling which does not require either a 1227 00:42:24,880 --> 00:42:28,079 separate entity or or some kind of tls 1228 00:42:28,079 --> 00:42:31,040 private keys sharing situation or or 1229 00:42:31,040 --> 00:42:32,880 anything like that right so that's 1230 00:42:32,880 --> 00:42:34,560 that's the i think the the innovative 1231 00:42:34,560 --> 00:42:36,640 part of of the talk right but yes for 1232 00:42:36,640 --> 00:42:38,480 for lip resilient itself you just have 1233 00:42:38,480 --> 00:42:40,079 to figure out your alternate points 1234 00:42:40,079 --> 00:42:43,079 yourself 1235 00:42:44,079 --> 00:42:46,800 i'm going to be a bit anti-http because 1236 00:42:46,800 --> 00:42:49,599 i think it's tends to reinvent wheels 1237 00:42:49,599 --> 00:42:51,520 all the time most other protocols use 1238 00:42:51,520 --> 00:42:54,640 srv records for this purpose 1239 00:42:54,640 --> 00:42:56,480 and i know the http workgroup in the 1240 00:42:56,480 --> 00:42:59,119 ietf is working on a different record 1241 00:42:59,119 --> 00:43:01,839 specifically for http which also allows 1242 00:43:01,839 --> 00:43:04,000 you to prioritize where you come from 1243 00:43:04,000 --> 00:43:06,640 and even segments of your website can be 1244 00:43:06,640 --> 00:43:09,359 uh separately redirected 1245 00:43:09,359 --> 00:43:12,079 so that there will be a general solution 1246 00:43:12,079 --> 00:43:13,359 that might even be 1247 00:43:13,359 --> 00:43:16,400 uh might even end up in browsers 1248 00:43:16,400 --> 00:43:19,440 inshallah uh but it's not there yet uh 1249 00:43:19,440 --> 00:43:20,880 there are things like out and you've 1250 00:43:20,880 --> 00:43:23,119 seen defined sv records 1251 00:43:23,119 --> 00:43:24,160 yeah yeah 1252 00:43:24,160 --> 00:43:25,760 but the browsers will have to read them 1253 00:43:25,760 --> 00:43:26,960 and and and 1254 00:43:26,960 --> 00:43:28,800 apply them right 1255 00:43:28,800 --> 00:43:30,960 and it will still have to 1256 00:43:30,960 --> 00:43:33,839 be specified such that it works kind of 1257 00:43:33,839 --> 00:43:36,480 like hsts which is like these are the 1258 00:43:36,480 --> 00:43:39,280 alternative endpoints uh 1259 00:43:39,280 --> 00:43:41,200 cache this information for the next 1260 00:43:41,200 --> 00:43:42,560 whatever 1261 00:43:42,560 --> 00:43:45,760 and also this solution uh those headers 1262 00:43:45,760 --> 00:43:48,720 you will not be able uh to update the 1263 00:43:48,720 --> 00:43:52,160 configuration on the visitor browser uh 1264 00:43:52,160 --> 00:43:54,480 unless your website is up 1265 00:43:54,480 --> 00:43:55,839 right because you're not getting those 1266 00:43:55,839 --> 00:43:58,160 headers as far as i understand 1267 00:43:58,160 --> 00:44:00,720 uh your dns infrastructure needs to be 1268 00:44:00,720 --> 00:44:02,640 open that's right your dns 1269 00:44:02,640 --> 00:44:04,480 infrastructure needs to be open 1270 00:44:04,480 --> 00:44:07,200 yeah yeah but uh what i've 1271 00:44:07,200 --> 00:44:08,720 sorry yes you're right but what i've 1272 00:44:08,720 --> 00:44:10,480 what i've seen is something called alt 1273 00:44:10,480 --> 00:44:11,680 svc 1274 00:44:11,680 --> 00:44:14,000 uh i can't remember what the acronym is 1275 00:44:14,000 --> 00:44:16,560 for and that's an http header uh that 1276 00:44:16,560 --> 00:44:19,280 specifies alternative endpoints kind of 1277 00:44:19,280 --> 00:44:21,280 sort of sort of thing 1278 00:44:21,280 --> 00:44:23,200 uh 1279 00:44:23,200 --> 00:44:25,200 and and this could potentially be a 1280 00:44:25,200 --> 00:44:27,680 solution like like this but again you 1281 00:44:27,680 --> 00:44:29,839 would not be able to update the visitors 1282 00:44:29,839 --> 00:44:30,720 uh 1283 00:44:30,720 --> 00:44:32,480 config 1284 00:44:32,480 --> 00:44:34,160 when your website is down right with 1285 00:44:34,160 --> 00:44:36,240 with the dns i agree right but also with 1286 00:44:36,240 --> 00:44:38,240 the dns if you're 1287 00:44:38,240 --> 00:44:39,920 if your website is blocked then dns is 1288 00:44:39,920 --> 00:44:41,760 probably blocked right and this doesn't 1289 00:44:41,760 --> 00:44:44,000 rely on dns right because you've loaded 1290 00:44:44,000 --> 00:44:45,280 the service worker the service worker 1291 00:44:45,280 --> 00:44:47,040 has all the information it needs uh 1292 00:44:47,040 --> 00:44:48,400 already right 1293 00:44:48,400 --> 00:44:49,280 okay 1294 00:44:49,280 --> 00:44:51,440 uh any more questions 1295 00:44:51,440 --> 00:44:54,160 wow clearly a boring talk 1296 00:44:54,160 --> 00:44:56,960 uh so there's another problem uh if one 1297 00:44:56,960 --> 00:44:59,040 of the organizations in the circle gets 1298 00:44:59,040 --> 00:45:01,119 compromised suddenly you have one 1299 00:45:01,119 --> 00:45:03,440 organization that can push like militia 1300 00:45:03,440 --> 00:45:05,359 malicious content 1301 00:45:05,359 --> 00:45:06,079 to 1302 00:45:06,079 --> 00:45:08,319 that gets hosted by everyone else no it 1303 00:45:08,319 --> 00:45:10,319 cannot well it can cause it can push 1304 00:45:10,319 --> 00:45:13,599 this content uh yes right but i would 1305 00:45:13,599 --> 00:45:14,880 imagine that if you're running an 1306 00:45:14,880 --> 00:45:16,480 organization that is part of this pool 1307 00:45:16,480 --> 00:45:18,000 you would have a domain for your own 1308 00:45:18,000 --> 00:45:19,920 stuff websites etc and you would have a 1309 00:45:19,920 --> 00:45:21,520 separate domain 1310 00:45:21,520 --> 00:45:23,599 uh for the for the alternate event point 1311 00:45:23,599 --> 00:45:24,720 stuff right 1312 00:45:24,720 --> 00:45:27,200 in this in this pool right so 1313 00:45:27,200 --> 00:45:29,000 of course if i were running 1314 00:45:29,000 --> 00:45:30,480 infrastructure of one of those 1315 00:45:30,480 --> 00:45:32,079 organizations i would separate those 1316 00:45:32,079 --> 00:45:34,319 things very well right because i don't 1317 00:45:34,319 --> 00:45:35,680 know what's going to get pushed into 1318 00:45:35,680 --> 00:45:38,400 this right but from the perspective of a 1319 00:45:38,400 --> 00:45:40,720 of a website operator who's relying on 1320 00:45:40,720 --> 00:45:42,000 those alternative endpoints the 1321 00:45:42,000 --> 00:45:43,760 subresource integrity and signed 1322 00:45:43,760 --> 00:45:45,359 integrity just solve this problem 1323 00:45:45,359 --> 00:45:47,359 because if somebody pushes the 1324 00:45:47,359 --> 00:45:49,920 you know modified malicious whatever 1325 00:45:49,920 --> 00:45:52,400 code to their alternative endpoint that 1326 00:45:52,400 --> 00:45:53,839 you're going to use 1327 00:45:53,839 --> 00:45:56,160 it will they will not be able to sign 1328 00:45:56,160 --> 00:45:58,880 the integrity package right so so 1329 00:45:58,880 --> 00:46:00,400 the service workers just say oh that was 1330 00:46:00,400 --> 00:46:02,480 some kind of a bug it doesn't matter 1331 00:46:02,480 --> 00:46:04,560 yeah but there are some types of content 1332 00:46:04,560 --> 00:46:07,200 that gets uh you can get a website down 1333 00:46:07,200 --> 00:46:10,800 uh like uh police raid just uh by the 1334 00:46:10,800 --> 00:46:12,240 presence of the fire oh yeah but but 1335 00:46:12,240 --> 00:46:13,520 that's why that's why i use the word 1336 00:46:13,520 --> 00:46:15,200 community right that you have to have a 1337 00:46:15,200 --> 00:46:17,839 community of organizations and then 1338 00:46:17,839 --> 00:46:19,280 you you have to trust each other a 1339 00:46:19,280 --> 00:46:21,200 little bit right it's not a completely 1340 00:46:21,200 --> 00:46:22,480 trustless 1341 00:46:22,480 --> 00:46:25,119 and i will save you now yay 1342 00:46:25,119 --> 00:46:27,200 so please um as we are at the end of the 1343 00:46:27,200 --> 00:46:29,200 time for this talk please please give 1344 00:46:29,200 --> 00:46:31,119 our speaker another very 1345 00:46:31,119 --> 00:46:33,040 cool round of applause 1346 00:46:33,040 --> 00:46:34,720 thank you thank you 1347 00:46:34,720 --> 00:46:36,160 i have stickers if anybody wants 1348 00:46:36,160 --> 00:46:39,879 stickers i have stickers 1349 00:46:45,440 --> 00:46:47,520 you