Is Point Network a Threat to Internet Computer ($ICP)/Dfinity?

I. What happened?

Point Network (pointnetwork.io) claims that there was no full web3 until now, only web 2.5. The so-called “web3” applications right now are not decentralized, because they still rely on:

1. centralized domains that can be taken away or compromised
2. centralized storage that can and does get censored and browser extensions like Metamask that Google can pull out at any moment.

Contrasted with this, Point Network claims it’s world’s first full web3 architecture, where the decade-long dream of fully decentralized internet, free of censorship and mass-surveillance, can be finally fulfilled. That’s the gist of it. And of course it ruffled some feathers.

Lots of people that have invested in “web3” projects took offense. One of those projects was Internet Computer by Dfinity. And while we don’t pay much attention to random commentators, it’s quite an event when someone officially affiliated with a large project comes to spar with us.

II. How it started
DC_Editor, which was Head of Product at Dfinity Community in June when this happened (and now Head of Marketing at Infinity Swap), opened up with an amusing pun:

Instead of exchanging superficial insults, Point Network went right to the bone and matter-of-factly pointed out how their own developers had to admit that ICP is not decentralized.

After which he had to back up, saying the page is from 2020, and then talking about “becoming increasingly decentralized”.

After PN team pointed out that yes, it’s quite strange that while the page is from 2020, nothing has changed since then and the same holds true in 2022, the conversation ended.

But not with a lot of ICP fans, who every day come to our comments to talk about Internet Computer.

III. Is Internet Computer Decentralized?
Let’s get clear on the terms. Decentralization in this context doesn’t mean the number of nodes, or decentralization of the tokenomics. Point Network wants to establish one simple thing: is there a central point between dApps and the end user, through which dApp content can be censored, compromised, and mass-surveilled?

Because that is what web 3.0 truly means: the new kind of internet, which forever stops censorship attempts, man-in-the-middle attacks, and mass-surveillance.

Domain Names
When you need to connect to a canister dApp on Internet Computer, where do you go? You type in the canister’s subdomain, which resides on the domain *.ic0.app (for example, Enoki DEX is at https://5ba5l-caaaa-aaaag-qaoja-cai.ic0.app). The DNS requests are going through Cloudflare, and HTTPS requests are signed with SSL certificates from Let’s Encrypt by Google. So, it doesn’t matter how many nodes you have on the network, when you access them through one straw which can be easily hijacked. So let’s calculate the consequences.

Can it be censored? Yes, Internet Computer is renting the ic0.app domain from Google (.app space belongs to them), and Google is renting .app space from ICANN in the US. Currently the Dfinity Foundation rented the domain space until 2023, but it follows that, if the domains can be taken away in 2023 on the grounds of non-payment, they can be taken away at any moment if they need to be censored. Then it’s game over.

Can it be compromised? In the screenshot above you can also see that the name servers are managed by Cloudflare. And it’s not just the problem with IC only, you’ll find that a lot of other “web3” projects use Cloudflare to proxy their IPFS requests, sliding into a false sense of security, until they regret it. You can read a story here how BadgerDAO users have lost $130M because they relied on Cloudflare and it got compromised.

If hackers could do it, no doubt government agencies can go to Cloudflare and order them to change the output from a certain canister, to either say that the website has been suspended, or adding a scam page tricking the user to give up their seed phrase, or just add certain scripts quietly exfiltrating all information on the dApp. They can even do that selectively for specific targets, so that other IC users won’t even know it and won’t be able to verify the threat, even if it someone notices something.

Can it be mass-surveilled? Right now, when you’re making any requests to a canister, you’re asking Cloudflare DNS servers for the final IP address. There is no doubt that Cloudflare logs every DNS request (if only for their anti-DDOS services analytics), so it’s trivial to know which canisters you’re using, and at which times of the day. That would be enough to dox all users, but it’s worse: since the unencrypted traffic itself goes through Cloudflare, it sees and knows everything, down to every single action you’re doing on the dApp.

IV. So how does Point Network stack up?

You can Download Alpha and try it out at https://pointnetwork.io/
To be fair, this is not just a flaw with Internet Computer. This is the flaw with the whole web3 industry right now, conflating the potential dream of web3 with its actual arrival. Left and right, so called “web3” projects call themselves “d”Apps (decentralized apps), yet they still rely on centralized domains, they still use centralized storage (even if they use IPFS, it’s all useless because it’s proxied by Cloudflare or gateways), and the actions are signed through browser extensions like Metamask that e.g. Google can delete at any moment, when the war between Big Tech/governments and web3 will actually start.

Domains. All dApps are accessed via .point domains, which live on the blockchain. When you register your handle, say, @mike, you get mike.point domain + all the subdomains. No one can take the domain away from you, if you register it, it’s yours forever. Then, each update to your website or dApp is a transaction on the blockchain signed by you, changing the [hash of the domain’s attached root folder]. Thanks to this, Point Browser doesn’t need to consult any centralized DNS servers, because everyone on the blockchain knows who the owner of the domain is and what the root folder hash is.

Storage. Now that Point Browser knows the [root folder hash], it needs to download the folder from decentralized storage. For storage, we use Arweave, decentralized storage network (they’re also one of our backers). A crucial thing to understand is that we don’t even trust Arweave gateways. When you navigate to an IPFS or Arweave gateway right now for any random file, your browser has no idea whether the requested content hashes to the value you asked for in the URL. Point does, and make sure that the content returned is exactly what the owner put there, before sending it to Point Browser. If there is any funny business, and the hashes don’t match, it chooses another gateway or asks other Arweave nodes, until it finds the right one.

Point Social, web3 uncensorable social network at social.point, accessible in Point Browser
How strict are those rules? So strict, that you cannot even open web2 websites like facebook.com in Point Browser (it will redirect you to your legacy browser) or have any communication with web2 IP addresses (like Google Analytics). Just like blockchains are meant to be so isolated from the messy outside world that you have to use oracles to bring stuff from the outside, web3 in Point’s rendition is completely separated from the old internet, growing into its own digital space. While other projects are trying to put wheels on horses, this is the first attempt to actually build a prototype of a car. And it works.

Isn’t this going to be a problem that you blocked web2? No, it’s a very important feature. If we allowed connections to web2, some developers could have become lazy again, cut corners by storing things in a centralized way, and then proclaim their application is decentralized. By enforcing this full decentralization paradigm, the developers have no choice but design their apps fully decentralized from the start, giving their users confidence that they’re truly dApps, that they will not be selectively served malware, and that the beautiful NFT they bought won’t turn into a poop emoji tomorrow.

Will people download the browser though? People are used to download apps, and it’s just another app. Once they understand the importance of web3 (and many already do), it’s not going to be a nuisance, but a refreshing move towards liberation, towards digital freedom.

Don’t we already have browsers like Chrome and Firefox? Are you trying to compete with them? And don’t we already have web3 browsers, like Opera or Brave? It’s more akin to Tor Software. Just like Tor Browser doesn’t compete with Firefox (in fact, it uses Firefox underneath, just like we do) but is in its own niche, just like you would have to use Tor Browser to access Deep Web, you have to use Point Browser to access real web3 space. The browser itself is not even as important as the engine behind it that routes the web3 requests. And Brave and Opera are great, but they are just browsers with some web3 tools enabled, not fully web3 browsers (e.g. you can still reach web2 in them).

What is the status of the project? Compared to ICP, which is a long-running brand, you have discovered us quite early! We’re currently in public alpha and already have thousands of early adopters that installed Point Network and registered on it, and a lot of them are having fun using it. The next step is a testnet, the public sale of $POINT (token that will be used for transaction fees on Point Chain) in mid-August 2022, and then the mainnet launch in September (so while you’re still early, we’re moving very fast!) It will then the be the community’s turn to make Point decentralized not only vertically in its architecture, but also horizontally in the number of nodes.

Roadmap. roadmap.pointnetwork.io
V. So, is Point Network going to take over web3 and replace ICP and other web3 projects?
No, this is not Point Network masterplan, for one simple reason: because they’re not just another chain that tries to compete with others like it, running dick-measuring contests for who can do the most transactions per second. Yes, they will have their own default Point Chain, but the innovation is not on the chain level, and they are not restricting their users to only use theirs, because Point Network has a whole browser that is capable of connecting to any chain that is plugged in.

How do you connect to other chains? Bridges? No, although bridges can be supported in Point Wallet. We’re talking about connecting directly. See, PN didn’t talk about browser extensions yet, which can (and will) be censored and/or compromised. And the way we solved this problem is by having our own browser, and instead of using web3 browser extensions, we mimic their API. Yes, Point Network mimic Metamask and Phantom Wallet APIs, so the existing dApps don’t need any changes to run in Point Browser. They think they’re talking to Metamask, but in actuality we intercept it and open our beautiful confirmation window instead, for all supported networks (so that you could go to uniswap.point and do a transaction on Ethereum one minute, and then jump to raydium.point to do one on Solana the next, all from Point Browser).

Not only they are not trying to compete with ICP, or Ethereum, or Polkadot, or Avalanche, but they can integrate all of them into their multi-chain architecture, so that all of them are more decentralized and secure thanks to the technology behind Point.

What’s next?
Hopefully this article explained that while Point Network do believe that all web3 projects are not sufficiently decentralized right now, they don’t think it’s a lost cause, and instead of competing with them, they can simply integrate them into our tech, so that the chain diversity is preserved.