
Prismo is working again! Sign-ups are open.

Sadly, we needed to change the domain name to prismo.xyz so update your bookmarks and bookmarklets!

prismo.xyz/posts/bb439a88-3430

@prismo
Yay !
Could you explain why the domain had to change? Is it an AP problem?
It could be bad if you take the domain of an old AP instance and create yours on it. Even more if you are unaware it's an old instance name.

@Zykino @prismo it should be possible to reuse domain names. the only issue is invalidating caches of other software. software like mastodon should be able to detect when an instance has changed. if it can't, that's a bug

@trwnh @Zykino there is also another issue - account hijacking. Anyone could potentially create an account on the New instance with the same username as someone already had on the Old instance, and the Old account would be "hijacked" by the New one. That's the reason we changed the domain.

@prismo @Zykino you've just described why cache invalidation is important. you can't assume that two profiles being served over the same location are the same at all points in time.

in practical terms, the actor's keypair would change, at least.

@trwnh @Zykino so what you're saying is that the domain change was not necessary as, say, mastodon instances would refetch known prismo accounts after the cache TTL?

@prismo @Zykino I'm saying that not changing the domain would have been a very good bug test of Mastodon's logic for invalidating cache.

In reality, I'm not sure it would be painless. Mastodon makes a lot of wrong assumptions about account identity.

But in practice, I think mastodon.rocks accidentally deleted their database once without backups, and they came back on the same domain. Not sure if there were any collisions though.

@trwnh
Didn't think of that. I hope ActivityPub did think about it!

But I'm not sure how account hijacking is different from someone creating a Zykino account on another instance.

Does he instantly get the follows of the old account?
@prismo

@Zykino @prismo ActivityPub can certainly handle it, yes. It's like asking if the Web can handle changing URLs.

Follows should not be transferred, because the account should have a different public/private key. But Mastodon uses "user@domain" for internal lookup instead of unique location-independent id. So the new account won't hijack the old account, but also it might fail delivery because "account already exists". This happened when krita changed only their username to Krita.

@Zykino @prismo At the time, the fix Mastodon chose was not to assign new ID, but instead to make usernames case-insensitive.

@trwnh
The web does not prevent hijacking well:
If example.com had an RSS feed and ceased to be registered,

I can register it, place my RSS feed in the same place and… every old subscriber will receive my news!

And there is the good old exanple.com with an intentional common typo.
@prismo

@Zykino @prismo that's because rss does nothing but check periodically for updates. no authentication, no validation. an activitypub Follow is meaningless until handled by software, so to hijack an old account you'd have to not only have the same name, but you'd have to start delivering to the same servers/people. and even if you can reconstruct the address book and followers collection somehow, the servers can reject your message for having a different public key, or for failing signature.

@Zykino @prismo basically the difference between pull vs push. if you lose the subscriber list then you don't know where to send the messages. the former subscribers won't check for new content on their own.
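
The two points made above (that follows should not transfer because the reinstalled account has a different key pair, and that a receiving server can reject a delivery for failing signature verification) can be shown in a small simulation. This is an added example, not code from the thread, from Prismo or from Mastodon: it assumes a hypothetical domain example.invalid, constructed RSA keys, and a simplified signed-delivery format rather than the full HTTP Signatures scheme. The receiving server keys its cache on the actor URL and the public key it fetched from the old instance; a same-named actor created on a reinstalled instance on the same domain signs with a fresh key and is rejected, while a handle-only comparison ("user@domain") cannot tell the two accounts apart.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed key pairs for the two "alice" accounts (demo only, not real instance keys).
OLD_ALICE_KEY = OpenSSL::PKey::RSA.generate(2048)   # key minted by the old instance
NEW_ALICE_KEY = OpenSSL::PKey::RSA.generate(2048)   # key minted by the reinstalled instance

# After a reinstall on the same domain, both accounts share the handle and the
# actor URL (hypothetical domain).
HANDLE   = 'alice@example.invalid'
ACTOR_ID = 'https://example.invalid/users/alice'
KEY_ID   = "#{ACTOR_ID}#main-key"

# Receiver-side cache of actor public keys, filled when the actor document was
# first fetched from the old instance.
class ActorCache
  def initialize
    @keys_by_actor_id = {}
  end

  def store(actor_id, public_key_pem)
    @keys_by_actor_id[actor_id] = public_key_pem
  end

  def public_key_for(actor_id)
    pem = @keys_by_actor_id[actor_id]
    pem && OpenSSL::PKey::RSA.new(pem)
  end
end

# Sender side: serialize the activity and sign it with the actor's private key,
# naming the key by its keyId as signed delivery does.
def sign_delivery(activity, key_id, private_key)
  body = JSON.generate(activity)
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), body)
  { 'keyId' => key_id, 'body' => body, 'signature' => Base64.strict_encode64(signature) }
end

# Receiver side: the cached key for the actor id must verify the signature.
# A same-named actor presenting a different key is rejected, not merged.
def verify_delivery(delivery, cache)
  actor_id = delivery['keyId'].split('#').first
  public_key = cache.public_key_for(actor_id)
  return :unknown_actor unless public_key

  signature = Base64.strict_decode64(delivery['signature'])
  valid = begin
    public_key.verify(OpenSSL::Digest.new('SHA256'), signature, delivery['body'])
  rescue OpenSSL::PKey::PKeyError
    false
  end
  valid ? :accepted : :rejected_bad_signature
end

# Handle-based lookup, the weaker check: it cannot distinguish the two accounts.
def same_account_by_handle?(handle_a, handle_b)
  handle_a.downcase == handle_b.downcase
end

def demo
  cache = ActorCache.new
  cache.store(ACTOR_ID, OLD_ALICE_KEY.public_key.to_pem)   # learned from the old instance

  note = { 'type' => 'Create', 'actor' => ACTOR_ID, 'object' => { 'content' => 'hello' } }

  {
    old_account: verify_delivery(sign_delivery(note, KEY_ID, OLD_ALICE_KEY), cache),
    new_account: verify_delivery(sign_delivery(note, KEY_ID, NEW_ALICE_KEY), cache),
    handle_collision: same_account_by_handle?(HANDLE, 'Alice@example.invalid')
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |check, result| puts "#{check}: #{result}" }
end
```

Running it prints `old_account: accepted`, `new_account: rejected_bad_signature` and `handle_collision: true`: the key-bound check protects the old account's followers from the new same-named actor, whereas the handle comparison is exactly the lookup that produces an "account already exists" collision. A real server would follow the rejection with a refetch of the actor document to decide whether the key legitimately rotated.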

@prismo totally sucks this happened. But it's a good story to be told. Your transparency is to be commended. So let’s get busy and start rebuilding this thing as a community! #fuckreddit
@prismo just a quick comm. So I recently did the same moving providers. Sure as shit, everything done to the most detail but.....the f’n backup. Dude through your pain you helped others. My shit is fixed now! 👍 In a rush sometimes we all forget the basics. Good reminder to step back and take a breath.