In this article, I’ll explain why dapps (decentralized applications) are not decentralized in the current state of how they live and are distributed on the web.
What is a dapp ?
First of all, let’s define a dapp, a dapp is an application that is executed and/or stores some data partially or entirely on a public distributed ledger (for example cryptocurrency wallet myetherwallet, or the trading platform etherdelta.com are dapps). This definition raises few concerns immediately.
Is it possible for a dapp to run on a blockchain platform and depend only on a blockchain platform to exist and be used ? The answer is yes, of course, a dapp can be just a piece of code that some other piece of codes might call when they need to access it or communicate with it. If you consider just the code on the blockchain (for example an ERC20 smart-contract) and if you assume it has been coded correctly, you can tag your dapp as a Dapp with capital D. It is as resilient, decentralized, persistent, and strong as the blockchain platform underneath it.
Often, (at least if you want regular users using your dapp) the application needs to be accessed from a terminal or execution context that is outside of the blockchain itself. If we consider the cryptokitties dapp for example, the main idea is to collect virtual cats, the act of purchasing and owning a cat is recorded on the blockchain, and cryptographically signed. Nevertheless every interaction with the blockchain takes place at https://www.cryptokitties.co/ which is the official website of the company that built the dapp. Is this website part of the dapp ? Is it not ? I don’t know.
The simple fact that a dapp resides on a server exposed to the internet network, and that users should connect, and use a private key on this website introduces a whole lot concerns, and vulnerabilities to the all architecture.
Who owns cryptokitties.co ? Probably some domain registrar, what happens if the company forgets to renew the domain and someone buys it ? what happens if the company looses the right to own this domain ?
Who controls the server on which cryptokitties.co runs ? Probably the dapper labs company of course. What if they got SSH hacked ? Or taken down by a DDOS attack ?
Who issued the SSL certificate used by this domain ? Can the issuer get hacked like Diginotar in 2011 ? Can the issuer be trusted ? For few hundreds dollars worth of daily trading probably, for few thousands probably, for a daily trading volume of a few millions or billions ?
Of course the physical network is to be considered also, and this is not trivial. In some countries, you may have just one internet service provider who is free to tweak its DNS servers and to issue proxied SSL certificates, or simply redirect to a phishing website.
In any of these cases, the dapp is or corrupted, or completely offline and inaccessible. If it is offline, then users wont be able to access it, thankfully they will not enter their private key. If it is under a pishing attack, and the gods of the internet know there are dozens of way to perform pishing attacks (DNS cache poisoning, issuing fraudulent fake SSL certificates for example). Users unaware of the danger (sometime even not noticing that the SSL lock near the address bar is opened and red) will likely send personal data, and of course their private key to the hacker.
Today’s dapps are not decentralized, here’s why
If you consider the front end to be part of the dapp, and if your dapp is only usable through internet or some private application store, then it is not decentralized.
The word decentralized is sort of a magical word that is used too much in the blockchain space, often people think that decentralized means secured, it is wrong. Every application that is labelled as dapp is probably partially decentralized because the data, and maybe some business logic live on a public blockchain or smart-contract platform, but it does not mean at all that it won’t be hacked, because there are dozens of layers/steps to consider from the user turning his laptop on, to the user issuing a signed transaction that will be recorded on the blockchain.
Today, most dapps are distributed through a website, or through a centralized platform like the app store or google play store. They are in many ways as centralized as a legacy web services like bank websites or an e-commerce platform. By being centralized, a dapp becomes naturally less secured. From a user perspective, since a user has to access a dapp through url on his browser, or through a mobile application, he is exposed exactly the same way any user accessing any legacy centralized service is exposed.
Today, the distribution of dapps rely exactly on the same paradigm, and mechanisms that those of legacy web applications.
Dappy is a program which goals are to tackle these issues. When a developer or dapp administrator deploys and distributes a dapp with Dappy, he has less to consider or think about. Part of the trustlessness and persistence of the blockchain platform is naturally inherited by every dapp, because there is no client-server communications anymore, but only client-distributed ledger.
We provide free assistance for companies that wish to try dappy, you can reach out to us by email contact[at]fabco.tech or through the dappy.tech/hello form.