If I can get an email at [someurl].com and have it backed by Gmail behind the scenes, what is the feasibility of having something like that work out to redirect vanity URLs to Mastodon instances behind the scenes?
@WilliamShatner brought it up and I think it's a valid question:
https://twitter.com/WilliamShatner/status/849818460850749441
In all seriousness, I'd really like to start a discussion on how to mitigate bad actors.
Not complaining about the current system, but I think a cultural level appreciation for the risks and people working together to help protect each other from them seems like a positive thing.
The whole URL issue is probably best solved by continuing to work toward easier setups (docker etc?) for the time being.
But Sybil attacks and evilmaidesque federated nodes seem worth considering.
Birdsite's verification system was essentially a facet of them being a centralized authority; that obviously doesn't really work on a federated decentralized system.
I've researched Sybil attacks myself in the past, but never made any headway finding out how one might instill a cultural immunity.
Maybe it's the infosec in me, but I don't trust a single instance, not even this one?
I could come up with 50 million technical ways to do it (blockchains, lol), but with so many new users migrating over so quickly, it would be more effective to discuss ideas about safety.
My own stab at explaining federating was a bit rushed: https://medium.com/scat-sense/playing-with-hairy-elephants-ce338a2e41e3
I know others aren't as paranoid.
https://mastodon.social/media/WSIMOGfvSSrU8lx7A3o
@ultimape would you trust Twitter??
@Efi no, but at least they had monetary incentives aligned with not fuxing it up. I think they originally implemented it after being sued. hah
@ultimape tbh, I trust the open-source community over monetary pressures, but I'm just a kitten, not an infosec expert =3
@Efi Well yeah, I trust the code and think this is a much better system. But at the same time we're just directing people to a list of instances and I find that highly sketchy. The community writing the code =/= the community running the servers.
I'm thinking of all the people moving over blindly who don't realize how all this works - how can we foster something that will help teach them?
@ultimape ah, I see what you mean
well, I think trust online should never be a thing you do, if that makes sense
like, I'd never post my bank account details anywhere online that is not a shop, and then, with precautions, so I think it's more an issue of general literacy than specific about federated systems, but I see your concerns
@Efi I like the literacy framing. I guess in that metaphor, one could say that people are literate in the way Twitter runs - which is like a walled community. And this is more like the frontier?
I'll have to play with this in my head, sounds promising :)
@ultimape we are colonists on uncharted infosec territory nwn
@ultimape read through your medium post; agree with it as well.
what do you think is the best way for users to protect themselves when using Mastodon? (and just because you spin up your own server, why should we trust you?)
@3stan it's going to be a 1 person server ;p
@ultimape would setting up .onion access for it be worthwhile?
@ultimape One thing to consider on self-hosting: are people competent enough to keep the backend through to the front end secure? Are they able to comprehend virtualisation, containerisation and network isolation? Though some of that can be handled with a VPS.
@ultimape Keeping track of Open vSwitch connections to, from and between VMs can really do my head in at times.
@ultimape I feel like if you are concerned over your brand you would have to run a solo instance of your own and that would be part of your identification. Not a great solution but at least everyone would view you consistently.