Open flyingzumwalt opened 7 years ago
First thought. IPFS uses content addressing to verify that the content is the content for which you are looking. This means that SSL certificates are not needed in order to prevent man-in-the-middle attacks.
The only time when I can see a sort of man-in-the-middle attack is when a resource (web page) includes a dependency over which it doesn't have control (a 3rd-party IPNS-addressed library). In this case, the application would need to trust this IPNS address to not be malicious. Ultimately, control over what the dependency could access would be preferable.
Not much else to comment at the moment.
Worth being aware that in the event of an HTTP gateway misconfiguration, a ServiceWorker could take control over all `/ipfs/*` and `/ipns/*` gateway responses.
Details: https://github.com/ipfs/go-ipfs/issues/4025 + additional explanation in https://github.com/ipfs/go-ipfs/issues/4025#issuecomment-364402875
In order to be confident about deploying the IPFS service worker we want to ensure security + privacy for users running the service worker.