HelloZeroNet / ZeroID

ZeroNet authentication provider
http://127.0.0.1:43110/zeroid.bit
GNU General Public License v2.0

ZeroID is not truly decentralised #3

Open zavok opened 8 years ago

zavok commented 8 years ago

I see some hardlinks into clearnet in the sources. It's very bad when such an important task as user identification is provided by some outside authority and not by ZeroNet itself. Is there already work being done to make ZeroID independent of a centralized server?

And I think the fact that ZeroID goes outside should be properly disclosed on the page. (Especially if it's by design)

HelloZeroNet commented 8 years ago

ZeroID is only for one thing: to have some control over user accounts to fight spam. You can create your own ZeroID provider with your own rules (invite only, proof of burn, proof of work etc.) (for example an alternative provider: zeroverse.bit) If you don't need spam protection you can also generate it in the browser without contacting the ID provider. (Someone created an example for this: http://127.0.0.1:43110/16KzwuSAjFnivNimSHuRdPrYd1pNPhuHqN)

Later it can be solved by blockchain based identities, but I think, at the current state of the project it would be a bad idea to require to destroy bitcoins in order to join the network.

abcdabcd987 commented 8 years ago

Hi @HelloZeroNet ,

I'm a little bit puzzled about how ZeroID can protect a site from spam. It seems to me that a bot can register thousands of IDs on ZeroID (or ZeroVerse), publish all sorts of spam, and then just sit and wait for the network to distribute the contents. In this case, even a blacklist can't help, since the cost of registration is so low.

Could you please explain how the spam protection works? Thanks.

HelloZeroNet commented 8 years ago

currently it implements some simple IP/JS-based protection; if automated registration becomes a problem we can require captcha, facebook/twitter/google/email verification or similar.

abcdabcd987 commented 8 years ago

@HelloZeroNet I think CAPTCHA is never a problem. There are hundreds of websites providing CAPTCHA recognition service by human beings at a cheap price.

And if connected to IDs of the outside world (email, google, phone, etc), the site loses its anonymity. (But since ZeroNet values distribution more than anonymity, this may be a good solution :-)

Erkan-Yilmaz commented 8 years ago

For that reason (and also because of leaking data (IP, ...)), ZeroVerse doesn't allow registration via web.

It relies on BitMessage's POW (proof of work). If I notice "something", I increase the demanded difficulty.

All other registration ways ZeroVerse supports (e.g. via Zeromail / mail@zeroverse, irc) have an additional human-check involved.

Also, if spam would get one day out-of-hand, each site admin can block (individual) spammers (1), easily. And if all wouldn't help, one can remove the ID provider completely (2).

(1) http://127.0.0.1:43110/zeroblog.bit/?Post:10:banning+users (2) section "III. how to allow ZeroVerse.bit users on my site?" in: http://127.0.0.1:43110/zeroblog.bit/?Post:15:get+yourself+an+ID+@+ZeroVerse.bit

HelloZeroNet commented 8 years ago

i doubt proof of work can solve this: someone with a decent gpu can solve bitmessage's algorithm 1000x faster than my cpu. so for example if we require 10 minutes of cpu work to register, a spammer can still create a new registration every second

so i think the only real solution to open registrations is to require bitcoin to be paid on account creation (proof of donate/proof of burn), but the network is not ready for this yet

abcdabcd987 commented 8 years ago

@Erkan-Yilmaz

Banning individuals does not help. As soon as you ban an account, ten more accounts can be registered.

Removing an unqualified ID provider works. However, this leads to another problem: is there any ID provider that is trustworthy? And I think this is quite hard if anonymity is in demand (see my earlier comment, and since anonymity is not ZeroNet's focus, I think this is acceptable.)

Erkan-Yilmaz commented 8 years ago

is there any ID provider that is trustworthy? And I think this is quite hard if anonymity is in demand

It depends, e.g. you can assume that ZeroID doesn't want to hurt the project ZeroNet, so they should be the most trustworthy (more than anyone else).

I decided for ZeroVerse to support only BitMessage due to anonymity reasons (ZeroVerse offers also registering via ZeroMail, mail@zeroverse, irc, ... It's less good, but: they also lead to BitMessage registration eventually).

Also, all site admins in ZeroNet are Gods (1)(2), and people who access their PCs then have a similar ability :-( Be it hackers, NSA (or the local version for your country), ... who might be interested in this. So, it's better to clone a ZN site for yourself, and you become your own God. Also, see what HelloZeroNet wrote in his first comment here: "you can also generate it in the browser without contacting the ID provider ..."

(1) see G013 in http://127.0.0.1:43110/zerosecurity.bit (2) e.g. impersonation could be done

icf20 commented 8 years ago

so i think the only real solution to open registrations is to require bitcoin to be paid on account creation

in my opinion proof of balance is better, meaning the address needs to have 1/2/3/X BTC all the time; it won't cost people money but will force them to "park" a certain amount of bitcoin

HelloZeroNet commented 8 years ago

Can you please explain how would it prevent spamming?

TheNain38 commented 8 years ago

@HelloZeroNet @icf20 The problem is that it will not solve the biggest problem: that the ZeroID provider could possibly impersonate users...

icf20 commented 8 years ago

Can you please explain how would it prevent spamming?

Imagine I configure my node to only permanently save and seed files if the address used has 1 bitcoin or more deposited. So for example 1TaLkFrMwvbNsooF4ioKAY9EuxTBTjipT should have 1 BTC or more; if that is not true my node will automatically delete the content.

Sure you can spam 10 sites if you have 10 bitcoins, but I can also update the minimum bitcoin required for saving+seeding to 10; if you want now to spam 10 zeroblogs, well, you need to have 100 bitcoins.

By doing this you still keep total control of your money and you don't have to spend your funds. If the content you are putting on zeronet really has any value then you will accept to "park" some funds in exchange for file distribution.

Note: users should also be allowed to save and seed content for free for "friends/favourite" sites.

You extend this to users so you can have a list of users that don't need to have btc parked to post on zerotalk but the rest need to have X amount of bitcoin. You can take this "proof of balance" and implement it in any way you want.
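An added example, not code from ZeroNet or from any commenter, of the node-side "proof of balance" seeding policy described in this comment: a per-site minimum balance, a friends list that is exempt, and the "all the time" requirement modelled as a series of balance snapshots, so that moving the funds out (the objection raised in the next comment) causes the content to be dropped. The balance table, site names other than those in the thread, and the non-thread addresses are constructed placeholders standing in for a real blockchain lookup.

```python
from dataclasses import dataclass, field

SATOSHI = 100_000_000  # satoshis per BTC

# Constructed sample data: for each author address, the balance (in satoshis)
# observed at successive checks. A real node would query the chain instead.
SAMPLE_HISTORY = {
    "1TaLkFrMwvbNsooF4ioKAY9EuxTBTjipT": [1 * SATOSHI, 1 * SATOSHI, 1 * SATOSHI],
    "1SpamMovedFundsPLACEHOLDER0000000000": [1 * SATOSHI, 0, 0],  # parked, then withdrawn
    "1FriendPLACEHOLDER000000000000000000": [5_000_000, 5_000_000],  # 0.05 BTC only
}


@dataclass
class SeedPolicy:
    """Decides which signed content this node keeps and seeds."""
    default_min: int = 1 * SATOSHI            # 1 BTC unless a site overrides it
    min_per_site: dict = field(default_factory=dict)   # site -> satoshis
    friends: set = field(default_factory=set)          # addresses exempt from the check

    def required_for(self, site: str) -> int:
        return self.min_per_site.get(site, self.default_min)

    def should_seed(self, site: str, author: str, history: dict) -> bool:
        # Friends/favourites are seeded for free, as the comment proposes.
        if author in self.friends:
            return True
        snapshots = history.get(author, [])
        if not snapshots:
            return False
        # "All the time": every observed balance must meet the threshold,
        # so an address that parked coins and later moved them out fails.
        return min(snapshots) >= self.required_for(site)

    def prune(self, site: str, contents: list, history: dict) -> list:
        """Return the (author, content) pairs that survive the policy."""
        return [(a, c) for a, c in contents if self.should_seed(site, a, history)]
```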

HelloZeroNet commented 8 years ago

so for example 1TaLkFrMwvbNsooF4ioKAY9EuxTBTjipT should have 1 BTC or more if that is not true my node will automatically delete the content

but if your spam gets deleted, you just move the funds to other account and you can spam again

icf20 commented 8 years ago

moving and mixing bitcoins is not free; also the market value of those coins will decrease because they are spammer coins

danimesq commented 7 years ago

We can use blockchain to solve it.

0polar commented 6 years ago

It is intelligent to use Namecoin. True decentralised.

lezsakdomi commented 5 years ago

Freenet solved this with the idea of making users generate captchas for each other.

Maybe we could also generate a few captchas after successful registration and have users at registration fill someone's captchas. (Captchas may be used only once, and when a collision happens, one should choose another one and all his actions made so far should be re-signed.) If someone generates fake captchas, then we could easily find the root of that tree (since we stored who solved whose captcha, thus creating an anonymous pyramid scheme).

What do you think?

PS. This idea needs more work: Who is responsible for takedown in the event of misuse, how to implement it in the current authentication model, and so on.

darkwiz666 commented 5 years ago

For that reason (and also because of leaking data (IP, ...)), ZeroVerse doesn't allow registration via web.

It relies on BitMessage's POW (proof of work). If I notice "something", I increase the demanded difficulty.

All other registration ways ZeroVerse supports (e.g. via Zeromail / mail@zeroverse, irc) have an additional human-check involved.

Also, if spam would get one day out-of-hand, each site admin can block (individual) spammers (1), easily. And if all wouldn't help, one can remove the ID provider completely (2).

(1) http://127.0.0.1:43110/zeroblog.bit/?Post:10:banning+users (2) section "III. how to allow ZeroVerse.bit users on my site?" in: http://127.0.0.1:43110/zeroblog.bit/?Post:15:get+yourself+an+ID+@+ZeroVerse.bit

All this means is that you'll never get a reply from him now because A) no one is on his IRC and B) he no longer has interest in the project, so BitMessage messages go unanswered...

lezsakdomi commented 5 years ago

This process could be automated if someone has funds for a server.

(For ex. auto-accept accounts in under 24 hours if no activity)

frankwalter1301 commented 4 years ago

It is not ZeroID that is not decentralized, but the design. The situation is the same as that of HTTPS: there are authorities trusted by everyone and that's it, but they are always centralized authorities. Yes, everyone can make his own authority and anyone can add it to the trusted ones, but who does it? Nobody. And whoever does not trust the authorities is forced to use them anyway because it does not depend on him, but on the sites he uses. Even if @HelloZeroNet says that everyone can create their own authority, nobody will trust it. Of course, each site can create its own login system, possibly without the use of an authority, and even get spam. Or implement something with smart contracts. But the problem is for visitors who cannot fully rely on a decentralized system, and when they have to use normal sites like zerotalk etc... they will be forced to rely on centralized powers and are obliged to trust them.

yanmaani commented 2 years ago

My proposed solution: #43