Censorship / availability is the issue. As you lay out, Sybils can be used to target a specific address / piece of content in an attempt to prevent it from being found. The good news is that there are some pretty mechanical things - like maintaining a consensus of known-trusted nodes that can be used to validate a node/piece of content isn't under attack - that should be sufficient until IFPS is quite a bit larger than it is today
I don't think I see the impersonation / bad resolution problem though. IPNS records are content addressed to the key. Having control of a portion of the network isn't sufficient to compromise that (you can prevent availability though).
> The good news is that there are some pretty mechanical things - like maintaining a consensus of known-trusted nodes that can be used to validate a node/piece of content isn't under attack - that should be sufficient until IFPS is quite a bit larger than it is today
What would I be trusting the nodes for? If I'm trusting them to just keep my data available, then why not just put it into S3? What role is IPFS playing at all, then, if I find myself having to pick trusted nodes to defend against low-cost route-censorship attacks?
Also, the size of the network doesn't really seem to make large DHTs resilient to Sybils. BitTorrent in 2010 had over 2 million peers [1], but north of 300,000 of them were Sybils [2]. That's pretty bad.
> I don't think I see the impersonation / bad resolution problem though. IPNS records are content addressed to the key. Having control of a portion of the network isn't sufficient to compromise that (you can prevent availability though).
Correct me if I'm wrong, but IPNS resolves a human-readable name to a content hash, right? If all I'm going off of is the name and the DHT (no DNS), then having a network that can return two (or more!) different content addresses for that name can lead to problems for users, no? If IPNS/IPFS is supposed to be a hypermedia protocol bent on replacing HTTP/DNS, then its inability to handle the case where `google.com` can resolve to either the legitimate Google or a phishing website sounds like a showstopping design flaw that just begging to be abused.
IPNS names are based on public keys. A sybil attack can't make an IPNS name resolve to an arbitrary attacker-chosen value because the attacker can't make signatures for the public key.
A sybil attack could be used to cause part of the network to see a recent old value for an IPNS name, but clients keeping recent values cached for a while is already something that happens naturally, so it just seems like a more minor example of the general problem that a sybil attack could do a denial-of-service.
I don't think I see the impersonation / bad resolution problem though. IPNS records are content addressed to the key. Having control of a portion of the network isn't sufficient to compromise that (you can prevent availability though).