Medium Weekly Digest # 4 (2 - 9 Aug 2019)

Censorship sees the world as a semantic system in which information is the only reality, and that which is not written about does not exist.



- Michael Geller

This digest is designed to increase the interest of the Community in the issue of privacy, which in the light of recent events is becoming more relevant than ever.



On the agenda:

• "Medium" completely switches to Yggdrasil
• Medium creates its own DNS inside the Yggdrasil network
• Medium introduces the ability to automatically issue certificates signed by Medium Root CA

Remind me - what is Medium?

Medium (Eng. Medium - “intermediary”, original slogan - Don’t ask for your privacy. Take it back ; also in English the word medium means “intermediate”) - a Russian decentralized Internet provider that provides access to the Yggdrasil network for free basis.



Full name - Medium Internet Service Provider. Initially, the project was conceived as a Mesh network in the Kolomensky urban district .



It was established in April 2019 as part of the creation of an independent telecommunications environment by providing end users with access to Yggdrasil network resources using Wi-Fi wireless data technology.

"Medium" completely switches to Yggdrasil

Yggdrasil is a self-organizing Mesh network with the ability to connect routers both in overlay mode (over the Internet) and directly to each other via a wired or wireless connection.



Yggdrasil is a continuation of the CjDNS project. The main difference between Yggdrasil and CjDNS is the use of the STP (spanning tree protocol) protocol.



By default, all network routers use end-to-end encryption to transfer data between other participants.



The decision to switch all Medium access points from I2P to Yggdrasil was due to the need to increase the connection speed and the ability to deploy a Mesh network with Full-Mesh topology.

Medium creates its own DNS inside the Yggdrasil network

Initially, the Yggdrasil network did not have a centralized domain name server that could allow network participants to access the most frequently visited resources in a simpler and more familiar form (as opposed to using an IPv6 address for a specific server).



We at Medium decided to breathe life into this idea - and, looking a little ahead, we did it!







Domain names are registered automatically - just enter the IPv6 address of the server on which the service is running. The robot will check whether this address really belongs to the person who is trying to register the domain name.



If successful, the domain name will be added to the domain name database within 24 hours. If the server stops responding to the robot and is unavailable for more than 72 hours, the domain name will be released.



A copy of the full list of registered domain names is in the repository on GitHub .

Medium introduces the ability to automatically issue certificates signed by Medium Root CA

The creation of a domain name server was also caused by the need to deploy a public key infrastructure - in order to issue a certificate, it requires the presence of a CN (Common Name) field, which is the domain name for which the certificate is issued.



The procedure for issuing certificates signed by a certification authority takes place automatically - the robot checks the correctness and authenticity of the data entered by the user. If successful, an email is sent to the end user, including a signed certificate.

What is the reason for using HTTPS in the Yggdrasil network?

There is no need to use the HTTPS protocol to connect to web services on the Yggdrasil network if you connect to them through a locally working Yggdrasil network router.



Indeed: Yggdrasil transport at the protocol level allows you to safely use resources within the Yggdrasil network - the possibility of conducting a MITM attack is completely excluded.



The situation changes radically if you get access to the Yggdarsil intranet resources not directly, but through an intermediate node - the access point of the Medium network, which is administered by its operator.



Who in this case can compromise the data that you transmit:

1. Access Point Operator . Obviously, the current Medium access point operator can listen to unencrypted traffic that passes through its equipment.
2. Attacker (the man in the middle ). Medium has a problem similar to that of the Tor network , only with respect to the input and intermediate nodes.

Solution : use the HTTPS protocol (level 7 of the OSI model ) to access web services within the Yggdrasil network. The problem is that it is not possible for Yggdrasil network services to issue a genuine security certificate by conventional means such as Let's Encrypt .



Therefore, we established our own certification authority - “Medium Root CA” . All Medium network services are signed by the root security certificate of this certification authority.



The possibility of compromising the root certificate of the certification authority was certainly taken into account - but here the certificate is more necessary to confirm integrity during data transfer and exclude the possibility of MITM attacks.



The Medium network services from different operators have different security certificates, one way or another signed by the root certification authority. However, the operators of the root certification authority are not able to listen to the encrypted traffic of the services to which they signed the security certificates (see "What is CSR?" ).



Those who are especially concerned about their safety can use such tools as PGP and the like as additional protection.



At the moment, the Medium network public key infrastructure has the ability to verify the status of a certificate using the OCSP protocol or through the use of CRL .

Free Internet in Russia starts with you

You can provide all possible assistance to the establishment of a free Internet in Russia today. We have compiled an exhaustive list of exactly how you can help the network:

• Share the Medium network with your friends and colleagues. Share a link to this article on social networks or a personal blog.
• Take part in the discussion of the technical issues of the Medium network on GitHub
• Create your web service on the Yggdrasil network and add it to the Medium DNS network
• Raise your Medium Access Point

---

Previous issues:



Medium Weekly Digest # 1 (12 - 19 Jul 2019)

Medium Weekly Digest # 2 (19 - 26 Jul 2019)

Medium Weekly Digest # 3 (26 Jul - 2 Aug 2019)

---

Read also:



Honey we kill the internet

Decentralized Internet Service Provider Medium - Three Months Later

Medium is the first decentralized Internet service provider in Russia



We are on Telegram: @medium_isp