Is Point Network a Threat to Internet Computer ($ICP)/Dfinity?
Congratulations, you actually decided to read the piece first instead of posting a knee-jerk reaction like many others that you will undoubtfully see in the comments. We joke that web1 was read-only, but web2 is write-only, where people don’t fully or sometimes at all read what they opine on. If you see one, feel free to reply RTFA.
I. What happened?
Point Network (pointnetwork.io) claims that there was no full web3 until now, only web 2.5. The so-called “web3” applications right now are not decentralized, because they still rely on:
- centralized domains that can be taken away or compromised
- centralized storage that can and does get censored
- and browser extensions like Metamask that Google can pull out at any moment.
Contrasted with this, Point Network claims it’s world’s first full web3 architecture, where the decade-long dream of fully decentralized internet, free of censorship and mass-surveillance, can be finally fulfilled. That’s the gist of it. And of course it ruffled some feathers.
Despite us not calling out any specific product names, a lot of people that have invested in “web3” projects took offense and came to argue with us. One of those projects was Internet Computer by Dfinity. And while we don’t pay much attention to random commentators, it’s quite an event when someone officially affiliated with a large project comes to spar with us.
II. How it started
DC_Editor, which was Head of Product at Dfinity Community in June when this happened (and now Head of Marketing at Infinity Swap), opened up with an amusing pun:
Instead of exchanging superficial insults, we went right to the bone and matter-of-factly pointed out how their own developers had to admit that ICP is not decentralized.
After which he had to back up, saying the page is from 2020, and then talking about “becoming increasingly decentralized”.
After we pointed out that yes, it’s quite strange that while the page is from 2020, nothing has changed since then and the same holds true in 2022, the conversation ended.
But not with a lot of ICP fans, who every day come to our comments to talk about Internet Computer. So we wrote this article for them.
III. Is Internet Computer Decentralized?
Let’s get clear on the terms. Decentralization in this context doesn’t mean the number of nodes, or decentralization of the tokenomics. We want to establish one simple thing: is there a central point between dApps and the end user, through which dApp content can be censored, compromised, and mass-surveilled?
Because that is what web 3.0 truly means: the new kind of internet, which forever stops censorship attempts, man-in-the-middle attacks, and mass-surveillance.
Domain Names
When you need to connect to a canister dApp on Internet Computer, where do you go? You type in the canister’s subdomain, which resides on the domain *.ic0.app (for example, Enoki DEX is at https://5ba5l-caaaa-aaaag-qaoja-cai.ic0.app). The DNS requests are going through Cloudflare, and HTTPS requests are signed with SSL certificates from Let’s Encrypt by Google. So, it doesn’t matter how many nodes you have on the network, when you access them through one straw which can be easily hijacked. So let’s calculate the consequences.
Can it be censored? Yes, Internet Computer is renting the ic0.app domain from Google (.app space belongs to them), and Google is renting .app space from ICANN in the US. Currently the Dfinity Foundation rented the domain space until 2023, but it follows that, if the domains can be taken away in 2023 on the grounds of non-payment, they can be taken away at any moment if they need to be censored. Then it’s game over.
Can it be compromised? In the screenshot above you can also see that the name servers are managed by Cloudflare. And it’s not just the problem with IC only, you’ll find that a lot of other “web3” projects use Cloudflare to proxy their IPFS requests, sliding into a false sense of security, until they regret it. You can read a story here how BadgerDAO users have lost $130M because they relied on Cloudflare and it got compromised.
If hackers could do it, no doubt government agencies can go to Cloudflare and order them to change the output from a certain canister, to either say that the website has been suspended, or adding a scam page tricking the user to give up their seed phrase, or just add certain scripts quietly exfiltrating all information on the dApp. They can even do that selectively for specific targets, so that other IC users won’t even know it and won’t be able to verify the threat, even if it someone notices something.
Can it be mass-surveilled? Right now, when you’re making any requests to a canister, you’re asking Cloudflare DNS servers for the final IP address. There is no doubt that Cloudflare logs every DNS request (if only for their anti-DDOS services analytics), so it’s trivial to know which canisters you’re using, and at which times of the day. That would be enough to dox all users, but it’s worse: since the unencrypted traffic itself goes through Cloudflare, it sees and knows everything, down to every single action you’re doing on the dApp.
Q: What about websites like https://dscvr.one/? Unfortunately, custom domains only look nice, but .one domain still belongs to ICANN, and the IP addresses are still Cloudflare’s.
Q: What about ICNS, .icp domains? ICNS is selling .icp names on the blockchain, which functions like .eth names in Ethereum Name Service, .sol domains in Solana, etc., this is not a new idea. However, all these web3 domains, including .icp domains, are then resolved via a web2 gateway .icp.xyz (so, test.icp becomes test.icp.xyz). Don’t get us wrong, web2 gateways are a good idea, we have one too (social.point -> social.point.link), but this is not enough — it’s still a centralized web2 domain, with all the consequences. This is why our .point.link gateway is read-only on purpose: while you can, if you want, share a link to your web3 post with your friends on web2 social media, but if they want to like, subscribe or comment they will see the message saying they have to use Point Browser to actually do that.
Q: But your Point Network website is also on a web2 domain pointnetwork.io, and uses DigitalOcean! If you’ve read this far and are asking this question, you still don’t understand the core problem. We’re not talking about websites where you read about the software and download it. Yes, Bitcoin also has a web2 website bitcoin.org, from where you download the software (or you do it from github, just like you can do with Point).
The most important thing is what happens after. If, after you install Bitcoin, all your queries are then still running through centralized domain names and servers, where your transactions are monitored and can be censored, you would be pissed off, and rightly so. So the problem with IC is not that their main website is accessed through a centralized point, there’s really no other way, but that the dApps are.
IV. So how does Point Network stack up?
To be fair, this is not just a flaw with Internet Computer. This is the flaw with the whole web3 industry right now, conflating the potential dream of web3 with its actual arrival. Left and right, so called “web3” projects call themselves “d”Apps (decentralized apps), yet they still rely on centralized domains, they still use centralized storage (even if they use IPFS, it’s all useless because it’s proxied by Cloudflare or gateways), and the actions are signed through browser extensions like Metamask that e.g. Google can delete at any moment, when the war between Big Tech/governments and web3 will actually start.
This is why we came up with the full solution to this problem, once and for all. Let’s see how we deal with the same issues above, once you download and run Point Browser.
Domains. All dApps are accessed via .point domains, which live on the blockchain. When you register your handle, say, @mike, you get mike.point domain + all the subdomains. No one can take the domain away from you, if you register it, it’s yours forever. Then, each update to your website or dApp is a transaction on the blockchain signed by you, changing the [hash of the domain’s attached root folder]. Thanks to this, Point Browser doesn’t need to consult any centralized DNS servers, because everyone on the blockchain knows who the owner of the domain is and what the root folder hash is.
Storage. Now that Point Browser knows the [root folder hash], it needs to download the folder from decentralized storage. For storage, we use Arweave, decentralized storage network (they’re also one of our backers). A crucial thing to understand is that we don’t even trust Arweave gateways. When you navigate to an IPFS or Arweave gateway right now for any random file, your browser has no idea whether the requested content hashes to the value you asked for in the URL. Point does, and make sure that the content returned is exactly what the owner put there, before sending it to Point Browser. If there is any funny business, and the hashes don’t match, it chooses another gateway or asks other Arweave nodes, until it finds the right one.
How strict are those rules? So strict, that you cannot even open web2 websites like facebook.com in Point Browser (it will redirect you to your legacy browser) or have any communication with web2 IP addresses (like Google Analytics). Just like blockchains are meant to be so isolated from the messy outside world that you have to use oracles to bring stuff from the outside, web3 in Point’s rendition is completely separated from the old internet, growing into its own digital space. While other projects are trying to put wheels on horses, this is the first attempt to actually build a prototype of a car. And it works.
Isn’t this going to be a problem that you blocked web2? No, it’s a very important feature. If we allowed connections to web2, some developers could have become lazy again, cut corners by storing things in a centralized way, and then proclaim their application is decentralized. By enforcing this full decentralization paradigm, the developers have no choice but design their apps fully decentralized from the start, giving their users confidence that they’re truly dApps, that they will not be selectively served malware, and that the beautiful NFT they bought won’t turn into a poop emoji tomorrow.
Will people download the browser though? People are used to download apps, and it’s just another app. Once they understand the importance of web3 (and many already do), it’s not going to be a nuisance, but a refreshing move towards liberation, towards digital freedom.
Don’t we already have browsers like Chrome and Firefox? Are you trying to compete with them? And don’t we already have web3 browsers, like Opera or Brave? It’s more akin to Tor Software. Just like Tor Browser doesn’t compete with Firefox (in fact, it uses Firefox underneath, just like we do) but is in its own niche, just like you would have to use Tor Browser to access Deep Web, you have to use Point Browser to access real web3 space. The browser itself is not even as important as the engine behind it that routes the web3 requests. And Brave and Opera are great, but they are just browsers with some web3 tools enabled, not fully web3 browsers (e.g. you can still reach web2 in them).
What is the status of the project? Compared to ICP, which is a long-running brand, you have discovered us quite early! We’re currently in public alpha and already have thousands of early adopters that installed Point Network and registered on it, and a lot of them are having fun using it. The next step is a testnet, the public sale of $POINT (token that will be used for transaction fees on Point Chain) in mid-August 2022, and then the mainnet launch in September (so while you’re still early, we’re moving very fast!) It will then the be the community’s turn to make Point decentralized not only vertically in its architecture, but also horizontally in the number of nodes.
V. So, is Point Network going to take over web3 and replace ICP and other web3 projects?
No, this is not our masterplan, for one simple reason: because we’re not just another chain that tries to compete with others like it, running dick-measuring contests for who can do the most transactions per second. Yes, we will have our own default Point Chain, but the innovation is not on the chain level, and we are not restricting our users to only use ours, because we have a whole browser that is capable of connecting to any chain that is plugged in.
How do you connect to other chains? Bridges? No, although bridges can be supported in Point Wallet. We’re talking about connecting directly. See, we didn’t talk about browser extensions yet, which can (and will) be censored and/or compromised. And the way we solved this problem is by having our own browser, and instead of using web3 browser extensions, we mimic their API. Yes, we mimic Metamask and Phantom Wallet APIs, so the existing dApps don’t need any changes to run in Point Browser. They think they’re talking to Metamask, but in actuality we intercept it and open our beautiful confirmation window instead, for all supported networks (so that you could go to uniswap.point and do a transaction on Ethereum one minute, and then jump to raydium.point to do one on Solana the next, all from Point Browser).
Not only we are not trying to compete with ICP, or Ethereum, or Polkadot, or Avalanche, but we can integrate all of them into our multi-chain architecture, so that all of them are more decentralized and secure thanks to the technology behind Point.
Our grand vision is finally unifying all networks, so that you could access all networks from one point, pardon the pun. Even Bitcoin maximalists will be happy, because they would be able to use their Lightning Network payments in Point Wallet.
Yes, it will require a lot of resources and effort. And you can probably understand why, if some projects keep coming to attack our work (and especially their officials) without bringing any substance, our team might be a tad discouraged from giving a high priority to spending resources on their integration into the real web3. So if you’ve read this far, please lay down your thoughts under the original tweet, otherwise again, all the positive people will only click “Like” or “Retweet”, but it’s all the negative people that didn’t even read the article that will fill the comments with their rubbish, skewing the statistics.
Our real war is not with each other. It will be with Big Tech and governments that won’t want to lose their power to web3. So instead of turning this space into a religious holy war battlefield, communities should help strengthen each other and plug in holes in the architectures, so that when the real strike comes, we’re ready.
What’s next?
Hopefully this article explained that while we do believe that all web3 projects are not sufficiently decentralized right now, we don’t think it’s a lost cause, and instead of competing with them, we can simply integrate them into our tech, so that the chain diversity is preserved.
If you’re interested more in what Point Network is and does, then here’s how you can read about it and reach out to us to ask questions:
• Website/Download Alpha: https://pointnetwork.io
• Roadmap: https://roadmap.pointnetwork.io/
• Telegram Community Chat: https://t.me/pointnetworkchat
• Telegram Announcements: https://t.me/pointnetwork
• Discord: https://pointnetwork.io/discord
• Follow us on Twitter: https://pointnetwork.io/twitter
Come and ask us any questions you have, we’ll be happy to answer!
And have a happy web3 journey!
Point Network Team
— — — —