if I can get an email at [someurl].com and have it backed by gmail behind the scenes. What is the feasibility of having something like that work out to redirect vanity URLs to mastodon instances behind the scenes?
@WilliamShatner brought it up and I think it's a valid question:
https://twitter.com/WilliamShatner/status/849818460850749441
@b_cavello well, behind the scenes you'd just have any mastodon instance you'd want? More curious about the "on behalf of?" effects.
I'd love to redirect @ultimape@wovensoup.com to my current identity.
@ultimape I think that's fine, but by its nature the current identity (and thus server) would be receiving ALL of those toots. I'm not saying it's not doable, just noting the potential of explosive load/costs on the "mask" server (but I don't really know this technical stuff, so hey!)
@ultimape there's a few things I think you're talking about here. All of which are possible. But which one are we talking about, what are you wanting exactly? @b_cavello
@five @b_cavello
Basically equivalent of an MX record redirect - how you can have email sent to x@someplace and it goes to y@someplace's box?
I wonder if that would work with how this system uses that webfinger thing, or if there was some way to be compatible with that and something else.
@ultimape @WilliamShatner should be possible, just redirect the domain at the same server and make sure that server has an nginx rule for those incoming requests to translate them properly
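One way to do what the toot above describes, as an added example that is not from anyone in this thread: an nginx server block on the vanity domain (wovensoup.example, an assumed stand-in) that forwards WebFinger lookups for acct:user@wovensoup.example to the instance that actually hosts the account (instance.example, also assumed). Mastodon resolves a handle by fetching https://domain/.well-known/webfinger?resource=acct:user@domain, so the vanity domain only has to answer that path.

```nginx
# Vanity domain (assumed name: wovensoup.example) that hosts no Mastodon
# account itself. Every WebFinger lookup for acct:*@wovensoup.example is
# forwarded, query string intact, to the instance that really holds the
# account (assumed name: instance.example). TLS is required because remote
# instances resolve handles over HTTPS only.
server {
    listen 443 ssl http2;
    server_name wovensoup.example;

    ssl_certificate     /etc/letsencrypt/live/wovensoup.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wovensoup.example/privkey.pem;

    # Account discovery:
    #   GET /.well-known/webfinger?resource=acct:user@wovensoup.example
    # $is_args$args re-attaches "?resource=..." so the instance sees the
    # original query and answers with its own canonical subject.
    location = /.well-known/webfinger {
        return 301 https://instance.example/.well-known/webfinger$is_args$args;
    }

    # Some fediverse software probes host-meta before webfinger; forward it too.
    location = /.well-known/host-meta {
        return 301 https://instance.example/.well-known/host-meta$is_args$args;
    }

    # Human visitors to the vanity domain land on the real instance.
    location / {
        return 302 https://instance.example/;
    }
}
```

The instance still answers with its own canonical handle (acct:user@instance.example), so followers end up bound to that identity and the vanity domain creates no account of its own; whoever controls DNS and TLS for the vanity domain controls where the alias points, which is exactly the "on behalf of" relationship to keep an eye on.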
@ultimape @williamshatner @tacticalmaid We agree. Why does it _HAVE_ to be mastodon.club? Why not mastodon.2printers1cups.com?
It's quite obviously the best.
William Shatner nailed major concerns that I think are worth echoing & considering.
"Don't you think that creating a node where folks can sign up opens an issue of security with passwords and such?"
- I am also concerned about this. Important consideration when spreading.
"So if there was a whiz.bang server then Joe Smith could go and sign up as @williamshatner@whiz.bang?"
"That makes the entire service worthless to anyone with a brand. That's a bit of an oversight."
- Good :smiling_imp: ?
Screw brands @ultimape. Let them stay on Twitter.
@ultimape Verified instances?
@LinuxSocist
I wonder how that would work. Would be interesting to figure out what that would take. Without too much thought, it sounds like it would involve the same painful system behind https verification, or perhaps some type of consultancy?
@ultimape I was thinking of trusted instances which are widely known (Googles, Twitters and Facebooks of the fediverse) that are only open to certain users and can verify their identities.
@LinuxSocist
how to get there from here? I'll think a bit about this. It does sound like the ideal.
@ultimape I know some skilled users and members of the infosec community have started some of their own instances for these reasons.
It's a shame Diaspora didn't take off when it started, this debate would have already happened.
@ultimape As for verification I have been using twitter for example.
https://twitter.com/LinuxSocist/status/849832480349634560
@ultimape And self verification also. https://icosahedron.website/media/BUU2mHIkXi7sRroho_s
@ultimape "brand identity" is kind of associated with capitalism. federation is kinda associated with socialism. not directly but you can get there very quickly
In all seriousness, I'd really like to start a discussion on how to mitigate bad actors.
Not complaining about the current system, but I think a cultural level appreciation for the risks and people working together to help protect each other from them seems like a positive thing.
The whole URL issue is probably best solved by continuing to work toward easier setups (docker etc?) for the time being.
But Sybil attacks and evil-maid-esque federated nodes seem worth considering.
@ultimape I feel like if you are concerned over your brand you would have to run a solo instance of your own and that would be part of your identification. Not a great solution but at least everyone would view you consistently.
Birdsite's verification system was essentially a facet of them being a centralized authority, that obviously doesn't really work on a federated decentralized system.
I've researched Sybil attacks myself in the past, but never made any headway finding out how one might instill a cultural immunity.
Maybe it's the infosec in me, but I don't trust a single instance, not even this one?
I could come up with 50 million technical ways to do it (blockchains, lol), but with so many new users migrating over so quickly, it would be more effective to discuss ideas about safety.
My own stab at explaining federating was a bit rushed: https://medium.com/scat-sense/playing-with-hairy-elephants-ce338a2e41e3
I know others aren't as paranoid.
https://mastodon.social/media/WSIMOGfvSSrU8lx7A3o
@ultimape would you trust Twitter??
@Efi no, but at least they had monetary incentives aligned with not fuxing it up. I think they originally implemented it after being sued. hah
@ultimape tbh, I trust the opensource community over monetary pressures, but I'm just a kitten, not an infosec expert =3
@Efi Well yeah, I trust the code and think this is a much better system. But at the same time we're just directing people to a list of instances and I find that highly sketchy. The community writing the code =/= the community running the servers.
I'm thinking of all the people moving over blindly who don't realize how all this works - how can we foster something that will help teach them?
@ultimape ah, I see what you mean
well, I think trust online should never be a thing you do, if that makes sense
like, I'd never post my bank account details anywhere online that is not a shop, and then, with precautions, so I think it's more an issue of general literacy than specific about federated systems, but I see your concerns
@Efi I like the literacy framing. I guess in that metaphor, one could say that people are literate in the way twitter runs - which is like a walled community. And this is more like the frontier?
I'll have to play with this in my head, sounds promising :)
@ultimape we are colonists on uncharted infosec territory nwn
@ultimape read through your medium post; agree with it as well.
what do you think is the best way for users to protect themselves when using mastodon? (and just because you spin up your own server, why should we trust you?)
@3stan it's going to be a 1 person server ;p
@ultimape would setting up .onion access for it be worthwhile?
@ultimape One thing to consider on self hosting, are people competent enough to keep the backend through to the front end secure? Are they able to comprehend virtualisation, containerisation and network isolation? Though some of that can be handled with a VPS.
@ultimape Keeping track of Open vSwitch connections to, from and between VMs can really do my head in at times.
@ultimape So it's a race to nail down your name (or brand) in every instance? Is that right?
@PeterAranyi perhaps no more than trying to get "PeterAranyi" at every major email provider.
@ultimape right, I see your point. But intuitively, I would think/expect username at "mastodon" would be kinda global? Still getting my head around federation. I guess.
@ultimape Ha. Yes, some instances will be expressly happy to not have brands. Let's have a sweepstake: How many days until a clever agency promises to keep tabs on all instances and register your brand there for you? :-)
Also: Let's keep Twitter simply as an authentication platform :-P https://twitter.com/dBu_fs/status/849881562611167233
@ultimape @WilliamShatner For email, it's done through MX records. A domain says "this server handles my mail", and there's an agreement between the forwarder and receiver. You can't just /declare/ Gmail as your MX, Google've got to agree as well. That said, various aliasing or forwarding schemes, in DNS, host aliases, forwarders, etc., could work. The underlying protocol /might/ need to be aware of this (I haven't looked at Mastodon / GNU/Social yet).
@dredmorbius Ah yeah, I registered my domain on google's DNS to just make that process easier. But I recall there was a sort of two-way binding technique they implemented back when I was supporting google apps for schools.
It's on my todo list to read thru a ton of the RFCs for email and try to see what mechanism is used to let gmail email on behalf of my ancient hotmail. Something like that would solve a lot of headaches I think.
@dredmorbius @leo
The remote follow seemed useful. Would be nice if the 'open in web' link was smart enough to redirect you back to your own instance. I've been running up against that myself as well.
@dredmorbius woo that worked really well!
Seems like it would work as a soft redirect perhaps?
@ultimape Indeed, I just tried that here on your toot myself. Odd that this isn't automatic, though I wonder if it's planned to be. @Support ? #bugs #featurerequest #badux.
@dredmorbius @Support There was mention of Open Graph embeddings of links to do this. Not sure if there's a feature request open on the topic yet. Don't know what to search for.
@ultimape While I think this is pretty legit as an option, the ability to sustain it seems to rely on Gmail's massive server capabilities to inbox all of that mail