Christine Lemmer-Webber, Executive Director at the Spritely Institute, and David Thompson, CTO at the Spritely Institute, presented Spritely: Infrastructure for the Future of the Internet at QCon London 2026, where they discussed how Spritely works to decentralize the Internet with new foundational technologies that put users in control.
Lemmer-Webber kicked off the presentation by asking what can go wrong with centralized technology and building distributed systems in the current legislative environment. “How do we build resilient applications?” she asked.
When technology is centralized, life is good until investors look for their return on investment. As a result, services can degrade over time or possibly disappear. Users have no control over changes.
A Legislative Moat are legislative rules that “punish” the centralized players and potentially lock out the smaller players.
Lemmer-Webber maintained that we, as developers, can solve these problems using encryption, federation and local-first software, but this can sometimes feel like an uphill battle.
A Centralized technology is a single source of truth, but is fragile and capturable. A Decentralized technology removes the central server that can yield resilience and user agency, but is more complex.
Concurrency is hard because of deadlocks, shared state and order of messages. Synchronization is hard because of consensus algorithms, eventual consistency and fault tolerance. Infrastructure is hard because of the many tools available for a client/server network, but not for a peer-to-peer network because the industry is focused on the business needs of centralization. Assembling the Pieces is hard because it requires expertise in many domains. As Thompson stated, “too many research papers, not enough time.“
With a peer-to-peer (P2P) network, it’s easy for new developers to start a new web application and offers a convention-over-configuration design philosophy. This led Thompson to ask, “Where is the Rails of P2P?“
Spritely is committed to a decentralized and secure way, by default, to build applications. There are, however, three questions to ask about a decentralized world:
- How do we protect our resources?
- How do processes talk to each other?
- How do we name things?
How Do We Protect Our Resources?
The Principle of Least Authority (POLA) states that an entity should have just enough privilege to perform its tasks, but nothing more. Lemmer-Webber and Thompson discussed how users unwillingly give up some personal information simply by using an on-line game.
Access Control Lists (ACLs) are not a good way to secure resources due to coarse-grained authority and granting privileges requires an administrator, which is a centralized technology. A whitepaper, ACLs Don’t, provides more details.
The Confused Deputy Problem, also known as Ambient Authority, occurs when one entity is tricked by misusing its authority by another entity. This can be prevalent in game applications.
The well-known Cross-Site Request Forgery (CSRF) attack occurs when a user is duped into submitting a malicious request via a form, for example, to a server using their authenticated session. This can be prevented by applying an unguessable token in a form.
A Capability is an unforgeable reference to a resource that combines designation with authorization. “If you don’t have it, you can’t use it,” Thompson said. Properties of capabilities include: fine-grained privileges; granting privileges without an administrator; and the ability to revoke privileges, if necessary.
Lemmer-Webber introduced Goblins as their distributed Capability programming environment.
How Do Processes Talk to Each Other?
Processes communicate via paradigms and protocols, both synchronous and asynchronous.
A Communication Sequential Process (CSP), a channel-based communication protocol popularized by the Go programming language, is easier than lock-based concurrency, but is susceptible to deadlocks.
Actors provide the ability to asynchronously pass messages, are resilient to deadlocks in CSP and can reference Capabilities.
Lemmer-Webber demonstrated how actors can interact in Goblin via the following Schema code.
The Representational State Transfer (REST) protocol, using client/server, is centralized and uses ACLs.
The Remote Procedure Call (RPC) protocol, while offering bidirectional communication, suffers from no or flawed reference passing.
React2Shell, also known as CVE-2025-55182, a remote code execution vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, allows an attacker with pre-authorization to unsafely deserialize payloads from HTTP requests to Server Function endpoints. Packages affected by this CVE include react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack. A proof-of-concept on this CVE, created by Lachlan Davidson, Security Innovation Lead at Carapace, may be found in this GitHub repository.
Lemmer-Webber and Thompson maintained that networks of mutual suspicion require Capability protocols.
The Object Capability Network (OCapN), a secure networking protocol based on Capabilities and Promises, is transport agnostic and supports distributed computing. There are implementations available with JavaScript, Scheme and Dart.
How Do We Name Things?
Lemmer-Webber and Thompson discussed guarding against phishing schemes where a URL leading to a nefarious website may look normal, but letters and numbers may have been substituted. An example of this is paypa1.com vs. paypal.com.
Zooko’s Triangle, named after Zooko Wilcox-O’Hearn, is “a conjecture for any system for giving names to participants in a network protocol” for which no single name can achieve more than two of these properties.
A Domain Name, for example qconlondon.com, is human-meaningful and secure, but not decentralized. On the other hand, a Tor Onion Address, a 56-character alphanumeric string, is decentralized and secure, but not human-readable. An example of this is 2gzyxa5...en53wid.onion.
Lemmer-Webber and Thompson proposed a solution: Petnames, a technique that maps human-readable names to secure, decentralized names.
Proposed Names are self-given names that are rendered differently from Petnames, but suffer from possible name collisions and are not globally unique.
Edge Names are pointers to other namespaces. For example, a Domain Name Service may be considered an Edge Name.
Putting It All Together
In general: Capabilities should be used for access control; Actors should be used for communication; and Petnames should be used for naming.
Web deployment is critical for getting these resources out to the general public. Everyone has a browser and major platforms tend to either disappear or get locked down.
Lemmer-Webber and Thompson introduced Hoot, the Spritely WebAssembly (Wasm) compiler and self-contained toolchain that: supports the Wasm 3.0 specification; translates Scheme to Wasm; and supports all major browsers and NodeJS.
Lemmer-Webber and Thompson concluded by saying that the Internet was a public works project and a legislative environment is important for the survival of democracy.
