MixFetch — like the Fetch API, but via the mixnet

Web app builders can privacy enhance their apps easily with this simple drop-in replacement for Fetch

Author: Nym

October 2, 20234 mins read

Web app builders can privacy enhance their apps easily with this simple drop-in replacement for Fetch

The Fetch API is the standard, easy-to-use JavaScript interface for builders to pull information from the web. But like almost all interactions online, using this API leaks metadata, meaning traffic to and from the API is traceable, and therefore vulnerable to pattern analysis. To solve this, developers can now run the Fetch API through the Nym mixnet with mixFetch, giving cover to network traffic when retrieving resources from websites or online services.

WTF is mixFetch?

Think of mixFetch as a drop-in replacement to the Fetch API, but with one difference: traffic patterns that would ordinarily be exposed are now protected by the mixnet.

Languages: Française // Español // Русский // Bahasa Indonesia // Türkçe // 日本 // Português // 中文

With mixFetch, developers can create privacy-enhanced apps that retrieve resources from the web, leaving no trace whatsoever. For example, mixFetch could be used to create a simple JavaScript chat application with guaranteed anonymity via the mixnet.

What does it mean to ‘fetch’ via the mixnet?

Here’s what happens when any kind of message, transaction or request is sent via the Nym mixnet: first, it is wrapped into identically looking encrypted ‘packets’ and shuffles these in with dummy packets. These are then sent through three ‘hops’ to mix nodes all over the world, effectively making it impossible to trace patterns of communication.

These packets are then decrypted and reassembled at the receiving end, protecting IP addresses, metadata and thereby any patterns of communication that can be used to deanonymise people or learn about services.

When a packet emerges on the other side, it is routed via a Nym ‘Network Requester’ that engages with services on the user’s behalf, a little like a proxy.

With mixFetch, developers can plug and play this infrastructure into web apps, ensuring there is no direct link between the mixnet user and the web service they are using.

How to privacy-enhance web apps with mixFetch

Writing code with mixFetch is simple.

Start by installing mixFetch:

npm install @nymproject/mix-fetch

Next, paste the following into your code, swapping out the examples for the API you need.

import { mixFetch } from '@nymproject/mix-fetch';

// HTTP GET
const response = await mixFetch('https://nymtech.net');
const html = await response.text();

// HTTP POST
const apiResponse = await mixFetch('https://api.example.com', {
method: 'POST',
body: JSON.stringify({ foo: 'bar' }),
headers: { [`Content-Type\`]: 'application/json', Authorization: `Bearer ${AUTH_TOKEN}` }});

That’s it! Now you’ve privacy-enhanced Fetch with mixFetch.

Wow, that’s pretty easy. What’s the catch?

There are currently some limitations. At present, only a handful of web services are enabled for Nym mixnet Network Requesters. Until these have been opened up, mixFetch will only work with services on this list. Hop into the dev chat on Discord or Matrix to request a service to be added to the list!

One possible solution to expand the use of mixFetch is for Network Requesters to run via open proxy, which would enable contacting more services without their permission. The user could then theoretically pull any information from any website or service.

However, this poses another set of challenges, because open proxies can be abused by malicious actors.

A potential solution to this problem is to run a model similar to Tor Null for Tor Exit Node operators. This is essentially a deny list that bans traffic to and from known problematic addresses. Alternatively, a whitelist could be introduced, only allowing traffic to and from guaranteed safe web addresses.

Nym core is currently engaging with operators to find the best possible solution to enable mixnet usage for the widest possible range of services.

In the meantime: there are two options for developers who wish to access a service that’s not currently on the allow list.

Run your own Network Requester and configure it to allow the hosts you need to connect to
Get in touch with Nym core via Github, Matrix (Element) or Discord about the sites you would like to see included in the standard allow list

MixFetch is available right now — try it!

Developers: try to use mixFetch to build a privacy-enhanced web app that runs over the mixnet, and please do send feedback via the Nym community channels below.