I realize that this is a server-side option now, however. Still, it's a crappy deal. A decently-sized deployment of public cloud boxes to support your private CDN is going to cost far, far more than an actual CDN. Public cloud bandwidth is obscenely priced compared to what you can get it for on the CDN market.
>"Public cloud bandwidth is obscenely priced compared to what you can get it for on the CDN market"
Amen to that! I think where this comes into play is when you've already got colo space and excess capacity (e.g. eBay etc) and/or you'd like to leverage other edge PoPs outside of your provider (e.g. mainland China). But it also adds some level of protection against correlated backbone issues if you can add p2p edges along other providers (similar to Netflix's design). When we looked at the correlation across existing CDN providers we found it was ~95%.
Video streaming specifically is _especially_ bandwidth intensive and will definitely cause issues in corporate LANs. It's one of the reasons we add ASN categorized black listing (e.g. residential vs. hosting vs. corporate etc).
Why should I host and seed your data for free?
Abuse is one thing, but this isn't categorically bad. Plus, it's really cool!
Perhaps, but expecting that visiting a website implies that my computer is not transparently inserted into another company's CDN distribution scheme is not..
Client: Receive & Render
When a user visits an edgemesh enabled site their browser begins to execute the client side Smart Mesh™ accelerator. This code uses our patent pending distribution method to transparently and seamlessly join the edgemesh overlay network. While your web page assets are requested, the client side code analyzes the response time from your servers to the browser and will optimally decide when to request assets (images, videos, etc.) from the mesh network vs. fetching the assets from your server as normal. If the client obtains the assets from your servers, it alerts the Hub process to store these new assets on the mesh. Best of all, this dynamic crawling of your webpage means no more management of cache settings, even on dynamic content.
Smart Mesh™ ensures your users always have the most recent copies of the most requested assets, automagically.
Hub: Mesh & Store
For example, if your users are viewing https://example.com the Hub process allows their browser to request cached assets from other active edgemesh users - even those currently viewing other sites! The Hub intelligently replicates the edge caches across geographies and networks, and in most cases ensures your visitors have a local copy of your content before they even know they need it. Best of all, the Hub ensures that your site joins the millions of other mesh enabled users - allowing you to tap into the colocated acceleration of peers across the entire community.
Not quite sure how this isn't that much different than a JS based Bot client / trojan horse TBH, although the traffic isn't officially "malicious", but rather part of some 'innovative and disruptive new startup tech'..
I will look forward to seeing this go the way of the Bonzi Buddy and Clippy.
Maybe implement some kind of blockchain solution so that I get paid for the data I seed? (/s)
Anyone know of a good way to detect sites that are rude enough to abuse my network connection for their own gain?
How that? What makes you think that is even possible?
3. Restrictions on Use. The Service is a consumer grade service and is not designed for or intended to be used for any commercial purpose. Except as otherwise set forth in this Agreement, you may not resell, re-provision or rent the Service, (either for a fee or without charge) or allow third parties to use the Service via wired, wireless or other means. For example, you may not provide Internet access to third parties through a wired or wireless connection or use the Service to facilitate public Internet access (such as through a Wi-Fi hotspot), use it for high volume purposes, or engage in similar activities that constitute such use (commercial or non-commercial). If you subscribe to a Broadband Service, you may connect multiple computers/devices within a single home to your modem and/or router to access the Service through a single Verizon-issued IP address, and if available through the Service, you may permit guests to access the Internet through your Service’s Wi-Fi capabilities. You also may not exceed the bandwidth usage limitations that Verizon may establish from time to time for the Service, or use the Service to host any type of server. Violation of this Section may result in bandwidth restrictions on your Service or suspension or termination of your Service.
 Xbox One | https://www.nanog.org/sites/default/files/wed.general.palmer...
 Spotify | https://community.spotify.com/t5/Desktop-Linux-Windows-Web-P...
All of those have the majority of their subscribers paying extra fees once they cross an invisible usage line, AKA a "data cap".
You're using visitors' upload bandwidth and you see not notifying them as a feature? I'm not sure I can see the justification for that.
https://sig.edgeno.de/edgemesh.client.min.js is being added to my uBlock list.
Sorry Edgemesh team, but this kind of activity without user opt-in is not okay.
I think it's a little skeevy to have it be completely silent. That doesn't mean it has to be super loud though.
Thanks for all the feedback HN community!
Plus it's just a killer product made by killer devs, pretty sure Spotify does P2P cache-sharing too btw.
Browsers should have an option to follow one of four behaviors: a) allow all P2P connections, b) always ask, c) allow a low-volume (say, <32kbps) P2P traffic, but throttle and ask if the rate tries to go beyond the safe threshold and d) deny all P2P connections. With b) or c) being a sane default, and a JS API to check permissions programmatically.
While this doesn't solve the problem right now (and would probably take a long while to happen), as a long-term solution, I think that would be the best way for everyone, providers and consumers.
I just think if you (as a company) raise an issue with the mainstream vendors (Mozilla, Google, Opera, Vivaldi), this idea may have slightly better chances of being heard than just some random end-user suggestions.
If this idea fits your vision, of course.
As a short term, I guess maybe you can implement some proprietary API and suggest your users (webmasters) to show a confirmation panel that fits their site look-and-feel. With some readily-available sample implementation that they can just use if they don't want to spend time at all (besides adding a line of code).
Also with regard to detecting metering client side you're 100% correct - you can't reliably do it in any way on the client side (although for mobile there are some APIs to detect cellular vs. wifi). What we do is we have a mapping of ASNs that are flagged as metered. When your client comes online we take the IP, map to the ASN and determine if it is able to upload. We buy this data today and you can always drop an email to email@example.com with your IP and we will add it in.
That's crazy talk right there. There are so many variations that all happen completely outside of the browser domain and/or the connection destination.
Connections start metered and are then upgraded when an unmetered connection is successfully detected.
The DOS possibilities are endless and the MD5 + layered approach already has chinks in the armor. Come on. You filter every participant through some ddos filter provider you don't own, filter good content from bad based on some persistent hash database state and take a look at the content you are introducing in some heuristic (probably comparative) profile.
Garbage, move along.
Most cloud bandwidth is crazy overpriced since in the datacenter you typically pay for peak bandwidth, not bytes. You can see this with cloud providers like DigitalOcean where you can essentially buy 1TB for the cost of running a $5/mo instance. You can build a poor man's CDN using these types of services and geo DNS that saves you a ton of coin.
I have existing infrastructure and unused bandwidth. What are my choices for easy deploy?
Are my supernodes used for any other site / are my users' browsers used for any other site than mine?
With regard to the first point we should detect it (based on your ASN, if you are on 3g modems they won't be able to upload). E.g. even though your laptop/tablet is on 'Wifi' your actual IP that comes to the backplane will be from your network block (the cellular address block) and so your client will be automatically removed from the available upload pool (although you can still download). Feel free to PM me directly if you've more questions.
Am I missing something, or would this let any node (supernode/browser) in the system potentially replace arbitrary content with their own content?
Hopefully JS isn't being served by this mechanism (attack vector pretty obvious there), but even images are still a concern.
> In 1996, Dobbertin announced a collision of the compression function of MD5 (Dobbertin, 1996). While this was not an attack on the full MD5 hash function, it was close enough for cryptographers to recommend switching to a replacement, such as SHA-1 or RIPEMD-160.
Stop inventing your own crypto protocols, as you clearly have no idea what you're doing in that area (as evidenced by any usage of MD5).
xxHash64 is not a cryptographic hash function. Collisions and pre-images matter here as they allow for substitution of content by an adversary.
If I understand your explanation correctly, the receiving party will invalidate the object if the MD5 of the object doesn't match the advertised MD5? That would leave you open to people serving other objects with the same MD5 hash as the original.
Also, my platform can offload all assets including the page itself and enables sites to get free failover during content server downtime. Due to my DNS-seeded PKI, your users stay secure and content continues to be correctly authenticated in your P2P CDN cache even when your site would normally be down.
collision attack != preimage attack (what you're thinking of).
It does seem to me though that if I could coerce/direct the site into accepting one image that I created, I could manage to replicate a second, different file throughout the network. Obviously assuming I computed both images ahead of time and both image formats were unperturbed by the nonsense appended to file by the attack.
I get an edgemesh site to accept file A (perhaps the site allows me to upload a user avatar, upload an image on a forum, etc). I then behave as a node in the mesh, and receive file A. When I get a request to replicate file A to someone else, I send them file A', they check the MD5 hash, and the hash matches. Not seeing how that doesn't work?
It is admittedly a narrow attack, but I think it works.
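The receiver-side check this subthread is arguing about, as an added example (not Edgemesh's code and not from any commenter): a peer-delivered asset is accepted only if it matches a collision-resistant digest published by the origin, and the client otherwise falls back to the origin. The SRI-style manifest, the function names and the sample bytes are assumptions made for the illustration, and the manifest is assumed to reach the client from the origin over TLS rather than through the mesh.

```javascript
// Added example; function and variable names here are hypothetical.
const { createHash, timingSafeEqual } = require('node:crypto');

// Digests accepted for content addressing. MD5 and non-cryptographic hashes
// such as xxHash64 are refused: collisions let a peer swap in other bytes.
const ALLOWED = new Set(['sha256', 'sha384', 'sha512']);

// Parse an SRI-style value ("sha256-<base64>") from the origin's manifest.
function parseIntegrity(integrity) {
  const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+={0,2})$/.exec(String(integrity));
  if (!m || !ALLOWED.has(m[1])) return null;
  return { algo: m[1], digest: Buffer.from(m[2], 'base64') };
}

// True only when the peer-supplied bytes hash to the origin-published digest.
function verifyPeerAsset(bytes, integrity) {
  const expected = parseIntegrity(integrity);
  if (!expected) return false;
  const actual = createHash(expected.algo).update(bytes).digest();
  return actual.length === expected.digest.length &&
    timingSafeEqual(actual, expected.digest);
}

// Use the peer copy only if it verifies; otherwise fall back to the origin.
function acceptAsset(url, peerBytes, manifest, fetchFromOrigin) {
  const integrity = manifest.get(url);
  if (integrity && peerBytes && verifyPeerAsset(peerBytes, integrity)) {
    return { source: 'peer', body: peerBytes };
  }
  return { source: 'origin', body: fetchFromOrigin(url) };
}

// Constructed sample data: one asset, and a peer copy altered by one byte.
const original = Buffer.from('GIF89a constructed avatar bytes');
const tampered = Buffer.from('GIF89a constructed avatar bytez');
const sri = (algo, buf) =>
  `${algo}-${createHash(algo).update(buf).digest('base64')}`;
const manifest = new Map([['/img/avatar.gif', sri('sha256', original)]]);
const fetchFromOrigin = () => original;

console.log(acceptAsset('/img/avatar.gif', original, manifest, fetchFromOrigin).source);
console.log(acceptAsset('/img/avatar.gif', tampered, manifest, fetchFromOrigin).source);
```

The allow-list matters as much as the comparison: a manifest entry that names MD5 is rejected before any hashing, so a weak digest cannot be used to vouch for a peer copy.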
Check out https://git.io/vps, where I made a comparative listing of different providers.