Jonty Wareing

It turns out you can simply serve a file from a domain to use it as your bsky handle.

So this guy is now S3. All of S3.

A screenshot of a bluesky post by user "s3.amazonaws.com" saying "Hello it's me your good friend Amazon S3"
93 comments
Jae Bloom

@jonty LMAO!!!!!! That is actually brilliant!!!! 🤣

Jesse Karmani

@jonty this is fiiiine. bluesky is filled with very smart people and therefore they don’t need to participate in open standard groups before they just invent their own!

Thomas 🔭🕹️

@jesseplusplus @jonty this is why they’re doing a closed beta, to find and fix these issues.

do you think Mastodon etc never had bugs, even bad ones?

Nora, tech aspect

@thomasfuchs @jesseplusplus @jonty given that their big selling point is distributed identity I think it's fair to make jokes about complete failures in that department yeah

Oro "it's flatpak time" 🏳️‍🌈

@thomasfuchs @jesseplusplus @jonty Mastodon is open source and is based on open standards that much of the already existing web uses. Bluesky throws all of that out the window for a subpar experience and limited user freedom (I haven't seen their source code anywhere for their clients).

Mastodon here has the backing of the full FOSS community, and then some. Bluesky doesn't.

flere-imsaho

@thomasfuchs closed beta (but with fascists).

though i guess they need fascists to test their content tagging. wonder how they test their bestiality tags.

@jesseplusplus @jonty

Simon Frankau

@thomasfuchs It's a funny bug. I'm not one for cheap dunks on devs, but this was clearly a security issue with solid prior art (imagine if Let's Encrypt let me claim S3!), so I'm a little ok with a bit of dunking.

Tom Walker

@thomasfuchs @jesseplusplus @jonty It's not just a "bug", it's a failure of their entire identity model that shows how badly they failed to think it through. There's no fix for this without a manual list or a total rethink.

DELETED

@thomasfuchs @jesseplusplus @jonty "bugs" is one thing, "failure to do a basic bibliographic search when discovering a design for a much better wheel" is another.

#Digital ⚓️ #Vagabond 🦈

@jesseplusplus @jonty W3C's AP GitHub has 889 stars... 77 followers and 68 forks...

eri :vlpn_smol:

@jonty can someone register discord's cdn lol

@reiver ⊼ (Charles) :batman:

@jonty

What file do you serve from a domain to take it over on BlueSky?

(I'm only used to the DNS TXT "did=" technique.)

Andrew Drake

@reiver @jonty I think all you have to do to get that to work is make a S3 bucket called "xrpc" and make it publicly readable.

This kind of thing is one of the reasons other domain ownership verification protocols (e.g. ACME) use the /.well-known path prefix 😛

who the hell is duc? :enbyfied: :verifiedcat:

@jonty@chaos.social wait i thought people were putting in domains as a kind of style lol
what's the point if it's on a single server atm

DELETED

@jonty you can’t do this on mastodon (via webfinger) because of the specific URI path used (you can’t create an S3 bucket named “.well-known”). You could probably pull it off with other hosts, though.

Validating handles with an HTTP GET instead of a DNS TXT is definitely easier to scale, but fun stuff like this is possible. 😏

Brad

@carter @jonty Does DNS TXT have the same problem? If you can register a subdomain _atproto.example.com and create a TXT record for it, could you impersonate the parent domain example.com?

DELETED

@bk1e sure, but if you have write access to the authoritative DNS records, you already have the keys to the kingdom. Whereas you can convince a hosting provider to serve a file at a given path pretty easily, it’s part of the product.

Brad

@carter Dynamic DNS providers allow customers to register hosts on their domains, and some might support TXT records. However, registering a host named _atproto is probably not allowed because the leading underscore makes it an invalid hostname.

DELETED

@bk1e not sure why TXT would be supported, but yeah I’m sure some impl out there allows it + doesn’t have that validation in place. Good stuff 😛

David Cook

@jonty if only there were a well-known way to avoid these problems

Defiance!

@jonty Moving fast and breaking things! 🤡

Nafnlaus 🇮🇸 🇺🇦

@Defiance @jonty If there's any site that has no right to talk about "things not being broken", it's Mastodon.

Jeremy Kitchen

@jonty @kf this reminds me a bit of default.aspx on F site.

Anders Moumoulidis

@andymoose @jonty a true 10x would have put in the work for a bucket related image as well.

Dmitri | 🇺🇦

@jonty Ahahahah ok so over on the did:web spec, there are people arguing that you shouldn't be able to serve DID documents off of sub-directories, top domain only! I'm gonna show them this screenshot! :)

Uninventive

@jonty Great! Now inject a file on Twitter.com and become Elon! No one will know!

Paul_IPv6

@jonty

hang on. your old buddy dropbox is going to be joining any minute now. ;)

ch0ccyra1n :she_her::neocat_floof_cute:

@jonty
I kinda want a fediverse instance running on an S3 bucket now :blobcatgoogly2:

Lotus

@jonty what could possibly go wrong 🤷‍♀️

AT-AT Assault :verifiedtrans:

@jonty

Can you ELI5 for those of us not educated in what I think is networking protocol?

Shallow Water

@jonty

An example of why you do not deploy beta software in a hurry.

"If you want it bad, you will get it bad."

Nafnlaus 🇮🇸 🇺🇦

@ShallowWater @jonty "... they post on Mastodon, a social network famous for not having any bugs." :eyeroll:

Shallow Water

@nafnlaus @jonty

Mastodon has been in service for years, and in my six months here, I have noticed a few warts, but no real bugs.

Nafnlaus 🇮🇸 🇺🇦

@ShallowWater @jonty You're kidding, right? Threads that don't show their history? Mastodon links that take you offsite? Broken search, if available at all, so your past posts basically go down the memory hole? Inability to migrate your posts? Unclosable hashtag-typing popups that insist on a surplus space after the hashtag? Images and videos getting mangled to terrible quality but in a way that sometimes even *increases* their size? It's endless.

Shallow Water

@nafnlaus @jonty

You compare those to using a whole domain as your handle?

I am amazed at what Mastodon is with a $300K/year budget.

I suspect most of the things you list are in fix requests, and they will get to it when they can.

But jamming hastily made beta software out the door is crazy. Bluesky, post.social, and every other twitter wannabe trying to get rich quick.

I still don't run into much trouble here. Certainly no BSOD.

Nafnlaus 🇮🇸 🇺🇦

@ShallowWater @jonty Yeah, I'd MUCH prefer someone temporarily finding a way to get a gag handle (until they patch it) than years and years on end of major usability bugs unpatched. Thanks.

If there's any "hastily made beta software", it's Mastodon, only it's stayed in this state for years on end.

And as for "BSOD", I've had *plenty* of Mastodon server downtimes and other issues come up. None at Bluesky.

Shallow Water

@nafnlaus @jonty

If Mastodon were just hastily made beta software, it would have died. The things you listed look like warts to me.

Nafnlaus 🇮🇸 🇺🇦

@ShallowWater @jonty Hey, guess what? A huge number of people came here fleeing Twitter, made accounts, and got so frustrated and left. The vast majority, actually. It's visible in the account creation vs. active users numbers. It's visible in my own experience with friends. And guess what? Those people are now going to Bluesky instead.

Shallow Water

@nafnlaus @jonty

Good. I wish them well on bluesky.

But it was pretty stinky when Taylor Lorenz showed up here and started demanding immediate changes "or the journalists will leave."

It never occurred to her that she was being treated to the kindness of strangers, who built Mastodon on a shoestring, and gave it to her for free -- no $8 blue check subscription service charge.

Mensch Meier :anarchismred:

@ShallowWater
That's good news I guess! Sry for not knowing but I'm not too deep into the whole Bluesky shebang yet.
@nafnlaus @jonty

Julian Lam

@jonty all the more reason for a camo proxy! Yeesh ...

Colin

@jonty @aurorapenguin serve a file? All I saw is that you need to add a DNS record for the domain in question.

It’s such a stupid “feature” though. Makes it look like it’s a self-hosted instance, nopeeeee.

Oblomov

@jonty I wonder what happens if two accounts do the same

Elijah

@jonty @atatassault

ok so I looked into this:

to change your handle in bluesky you need to call the updateHandle function which passes through some things. first it validates if the handle is valid (which does not validate punycode 💀)

assuming you have a handle like s3.amazonaws.com, that's not one of the "supported domains" in bsky.social's pds (instance) so it has to go through an extra function called resolveExternalHandle. it will first check if it has a txt record with did={did} where..

Elijah

@jonty @atatassault
did is a user id. if it fails, then "no worries it's just not found". then it calls the xrpc for what the did should be

so if you look at s3.amazonaws.com, the xrpc would be s3.amazonaws.com/xrpc/com.atpr. which funny enough returns a did that's equal to Chaz Schlarp's

so this isn't possible unless you can create /xrpc/com.atproto.identity.resolveHandle, so no cdn.discordapp.net or gist.github.com. still, really funny

Elijah

@jonty @atatassault

you don't need to have a pds running to verify your domain, but it's a failsafe in case the dns doesn't work

what I am currently looking into is how to fix this lol, it's obviously intentional but I can't seem to see why and obviously if you can control what the domain is then you can impersonate the domain itself. which makes me wonder if other object storages are at risk
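A toy model of the resolution flow Elijah describes, added here as an example and not Bluesky or atproto code: DNS TXT on `_atproto.<handle>` first, then an HTTP fallback on the handle's host, run against a simulated path-style object-storage host where the first path segment is a bucket name. The `/.well-known/atproto-did` filename and the bucket-naming rule used for the hardened path are assumptions; the DIDs and hostnames are constructed.

```python
from __future__ import annotations
import re

# Constructed stand-in for DNS: record name -> TXT strings.
DNS_TXT = {"_atproto.alice.example": ["did=did:plc:aliceconstructed"]}

# Constructed model of an S3-style host: path-style URLs are /<bucket>/<key>,
# so whoever owns a public bucket controls that first path segment.
PUBLIC_BUCKETS: dict[str, dict[str, str]] = {}
# Assumed bucket-name rule: lowercase letters, digits, dots, hyphens, starting
# and ending with a letter or digit, so a bucket cannot be named ".well-known".
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
DID_RE = re.compile(r"^did:[a-z]+:[A-Za-z0-9._:%-]+$")

WEAK_PATH = "/xrpc/com.atproto.identity.resolveHandle"  # path from the thread
WELL_KNOWN_PATH = "/.well-known/atproto-did"             # assumed hardened path

def create_public_bucket(name: str, objects: dict[str, str]) -> bool:
    """Simulate a tenant creating a public bucket; rejects invalid names."""
    if not BUCKET_RE.match(name):
        return False
    PUBLIC_BUCKETS[name] = dict(objects)
    return True

def fetch_from_s3_host(path: str) -> str | None:
    """Simulate GET on the object-storage host: /<bucket>/<key>."""
    bucket, _, key = path.lstrip("/").partition("/")
    return PUBLIC_BUCKETS.get(bucket, {}).get(key)

# Constructed web: only the simulated bucket host serves anything.
HOSTS = {"s3.amazonaws.com": fetch_from_s3_host}

def resolve(handle: str, fallback_path: str) -> str | None:
    """TXT record first; if absent, trust a DID served at <handle><fallback_path>."""
    for txt in DNS_TXT.get(f"_atproto.{handle}", []):
        if txt.startswith("did="):
            return txt[4:]
    fetch = HOSTS.get(handle)
    body = fetch(fallback_path) if fetch else None
    if body and DID_RE.match(body.strip()):
        return body.strip()
    return None

if __name__ == "__main__":
    # A tenant creates a bucket named "xrpc" holding the resolveHandle object.
    create_public_bucket("xrpc", {"com.atproto.identity.resolveHandle": "did:plc:bucketowner"})
    print("weak fallback  :", resolve("s3.amazonaws.com", WEAK_PATH))        # bucket owner's DID
    print("well-known path:", resolve("s3.amazonaws.com", WELL_KNOWN_PATH))  # None
    print("bucket '.well-known' allowed?", create_public_bucket(".well-known", {}))
```

With the `/xrpc/` fallback the bucket owner's DID is accepted for the whole hostname; with a `/.well-known/` path the same tenant cannot place a file where the resolver looks.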

Fladdle

@jonty This looks great! I have no idea what it means.

Osma A

@jonty Absolutely beautiful! They design the verification to work on DNS, but then create a fallback that does NOT use DNS - yet validates domains.
WebFinger as it is used here isn't much better, but its saving grace is that it validates name@example.domain profiles, not naked domains.

DELETED

@jonty I don't think that's true. I don't know about the image, but I read their blog, and I remember they also required access to the DNS management settings.

Jan

@jonty Overpromise and underdeliver.

Kid Codes

@jonty Dis is funny, makin' things look broken, like a compootah prank! 🤖🤪 It's like puttin' googly eyes on my toys n gigglin' when they look all silly n wonky! 😄💻 #KidCodes #CompootahPranks

CauseOfBSOD :fediverse:

@jonty@chaos.social this should have definitely been a TXT record in the DNS rather than a file on a website

(or force the file to be in .well-known I guess, like Lets Encrypt does)