It turns out you can simply serve a file from a domain to use it as your bsky handle.
So this guy is now S3. All of S3.
@jonty this is fiiiine. bluesky is filled with very smart people and therefore they don’t need to participate in open standard groups before they just invent their own!

@jesseplusplus @jonty this is why they’re doing a closed beta, to find and fix these issues. do you think Mastodon etc never had bugs, even bad ones?

@thomasfuchs @jesseplusplus @jonty given that their big selling point is distributed identity I think it's fair to make jokes about complete failures in that department yeah

@thomasfuchs @jesseplusplus @jonty Mastodon is open source and is based on open standards that much of the already existing web uses. Bluesky throws all of that out the window for a subpar experience and limited user freedom (I haven't seen their source code anywhere for their clients). Mastodon here has the backing of the full FOSS community, and then some. Bluesky doesn't.

@thomasfuchs closed beta (but with fascists). though i guess they need fascists to test their content tagging. wonder how they test their bestiality tags.

@thomasfuchs It's a funny bug. I'm not one for cheap dunks on devs, but this was clearly a security issue with solid prior art (imagine if Let's Encrypt let me claim S3!), so I'm a little ok with a bit of dunking.

@thomasfuchs @jesseplusplus @jonty It's not just a "bug", it's a failure of their entire identity model that shows how badly they failed to think it through. There's no fix for this without a manual list or a total rethink.

@tomw @thomasfuchs @jesseplusplus @jonty manual list is impossible, so rethink it is!

@thomasfuchs @jesseplusplus @jonty "bugs" is one thing, "failure to do a basic bibliographic search when discovering a design for a much better wheel" is another.

@jesseplusplus @jonty W3C's AP GitHub has 889 stars... 77 followers and 68 forks...

What file do you serve from a domain to take it over on BlueSky? (I'm only used to the DNS TXT "did=" technique.)

Ok, he made: https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHandle which returns: {"did":"did:plc:imkvi5glxfcpaqcinktnbpwt"}

@jonty@chaos.social wait i thought people were putting in domains as a kind of style lol

@jonty you can’t do this on mastodon (via webfinger) because of the specific URI path used (you can’t create an S3 bucket named “.well-known”). You could probably pull it off with other hosts, though. Validating handles with an HTTP GET instead of a DNS TXT is definitely easier to scale, but fun stuff like this is possible. 😏

@andymoose @jonty a true 10x would have put in the work for a bucket related image as well.

@jonty Ahahahah ok so over on the did:web spec, there are people arguing that you shouldn't be able to serve DID documents off of sub-directories, top domain only! I'm gonna show them this screenshot! :)

@jonty

@ch0ccyra1n @jonty this is actually kinda possible! https://github.com/rothgar/static-mastodon

Can you ELI5 for those of us not educated in what I think is networking protocol?

An example of why you do not deploy beta software in a hurry. "If you want it bad, you will get it bad."

@ShallowWater @jonty "... they post on Mastodon, a social network famous for not having any bugs." :eyeroll:

Mastodon has been in service for years, and in my six months here, I have noticed a few warts, but no real bugs.

@ShallowWater @jonty You're kidding, right? Threads that don't show their history? Mastodon links that take you offsite? Broken search, if available at all, so your past posts basically go down the memory hole? Inability to migrate your posts? Unclosable hashtag-typing popups that insist on a surplus space after the hashtag? Images and videos getting mangled to terrible quality but in a way that sometimes even *increases* their size? It's endless. You compare those to using a whole domain as your handle?

I am amazed at what Mastodon is with a $300K/year budget.
I suspect most of the things you list are in fix requests, and they will get to it when they can. But jamming hastily made beta software out the door is crazy. Bluesky, post.social, and every other twitter wannabe trying to get rich quick. I still don't run into much trouble here. Certainly no BSOD.

@ShallowWater @jonty Yeah, I'd MUCH prefer someone temporarily finding a way to get a gag handle (until they patch it) than years and years on end of major usability bugs unpatched.

Thanks. If there's any "hastily made beta software", it's Mastodon, only it's stayed in this state for years on end. And as for "BSOD", I've had *plenty* of Mastodon server downtimes and other issues come up. None at Bluesky.

If Mastodon were just hastily made beta software, it would have died. The things you listed look like warts to me.

@ShallowWater @jonty Hey, guess what? A huge number of people came here fleeing Twitter, made accounts, and got so frustrated and left. The vast majority, actually. It's visible in the account creation vs. active users numbers. It's visible in my own experience with friends. And guess what? Those people are now going to Bluesky instead.

Good. I wish them well on bluesky. But it was pretty stinky when Taylor Lorenz showed up here and started demanding immediate changes "or the journalists will leave." It never occurred to her that she was being treated to the kindness of strangers, who built Mastodon on a shoestring, and gave it to her for free -- no $8 blue check subscription service charge.

@nafnlaus @ShallowWater @jonty hilarious, I sat next to chaz for years

@jonty @aurorapenguin serve a file? All I saw is that you need to add a DNS record for the domain in question. It’s such a stupid “feature” though. Makes it look like it’s a self-hosted instance, nopeeeee.

ok so I looked into this: to change your handle in bluesky you need to call the updateHandle function which passes through some things.

first it validates if the handle is valid (which does not validate punycode 💀). assuming you have a handle like s3.amazonaws.com, that's not one of the "supported domains" in bsky.social's pds (instance) so it has to go through an extra function called resolveExternalHandle. it will first check if it has a txt record with did={did} where.. you don't need to have a pds running to verify your domain, but it's a failsafe in case the dns doesn't work

what I am currently looking into is how to fix this lol, it's obviously intentional but I can't seem to see why

and obviously if you can control what the domain is then you can impersonate the domain itself. which makes me wonder if other object storages are at risk

@jonty Dis is funny, makin' things look broken, like a compootah prank! 🤖🤪 It's like puttin' googly eyes on my toys n gigglin' when they look all silly n wonky! 😄💻 #KidCodes #CompootahPranks

@jonty@chaos.social this should have definitely been a TXT record in the DNS rather than a file on a website
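The resolution flow described in the thread (DNS TXT `did=` record first, then an HTTP GET of `/xrpc/com.atproto.identity.resolveHandle` on the handle's domain as a fallback) can be modelled in a few lines, which makes the failure mode and the webfinger contrast easy to see. The following is an added illustration, not Bluesky's or Mastodon's code. It runs offline against a constructed DNS zone and a constructed table of HTTP responses; the DIDs, the hostnames `alice.example` and `s3.example`, the choice to look the TXT record up on the handle name itself (the thread does not give the record name), and the S3-style bucket-naming rule are all assumptions made for the example.

```python
"""Model of the two-step handle resolution described in the thread.
Added example, not Bluesky's code; runs offline on constructed data."""
import json
import re
from typing import Optional, Tuple

# Constructed DNS zone: name -> TXT record strings. The thread says the
# resolver looks for a TXT record of the form "did={did}"; the record name
# is not given there, so this model looks it up on the handle itself.
DNS_TXT = {
    "alice.example": ["v=spf1 -all", "did=did:plc:constructedaliceaaaaaaaa"],
}

# Constructed HTTP responses keyed by (host, path). The s3.example entry
# models a shared object store on which any tenant can create a top-level
# bucket named "xrpc" and serve a file under it, as the thread describes.
HTTP_BODIES = {
    ("s3.example", "/xrpc/com.atproto.identity.resolveHandle"):
        '{"did":"did:plc:constructedtenantbbbbbbbb"}',
}

RESOLVE_PATH = "/xrpc/com.atproto.identity.resolveHandle"
DID_PATTERN = re.compile(r"^did:[a-z]+:[A-Za-z0-9._:%-]+$")


def resolve_via_dns(handle: str) -> Optional[str]:
    """Return the DID from a 'did=' TXT record on the handle, or None."""
    for txt in DNS_TXT.get(handle, []):
        if txt.startswith("did="):
            did = txt[len("did="):]
            if DID_PATTERN.match(did):
                return did
    return None


def resolve_via_http(handle: str) -> Optional[str]:
    """Return the DID served at the resolveHandle path on the handle's host."""
    body = HTTP_BODIES.get((handle, RESOLVE_PATH))
    if body is None:
        return None
    try:
        did = json.loads(body).get("did")
    except (ValueError, AttributeError):
        return None
    return did if isinstance(did, str) and DID_PATTERN.match(did) else None


def resolve_handle(handle: str, allow_http_fallback: bool = True
                   ) -> Tuple[Optional[str], Optional[str]]:
    """DNS TXT first; the HTTP file only as a fallback when allowed.
    Returns (did, method) so a caller can log which check vouched for it."""
    did = resolve_via_dns(handle)
    if did:
        return did, "dns"
    if allow_http_fallback:
        did = resolve_via_http(handle)
        if did:
            return did, "http"
    return None, None


# S3-style bucket naming rule (assumption drawn from the thread's remark that
# a bucket cannot be named ".well-known"): 3-63 chars of lowercase letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def tenant_can_claim_path(path: str) -> bool:
    """Can a tenant of the shared host own the first path segment as a bucket?
    True for "/xrpc/...", False for the webfinger path "/.well-known/..."."""
    first = path.lstrip("/").split("/", 1)[0]
    return bool(BUCKET_NAME.match(first))


if __name__ == "__main__":
    for h in ("alice.example", "s3.example"):
        print(h, "fallback on:", resolve_handle(h),
              "fallback off:", resolve_handle(h, allow_http_fallback=False))
    print("xrpc claimable:", tenant_can_claim_path(RESOLVE_PATH))
    print(".well-known claimable:", tenant_can_claim_path("/.well-known/webfinger"))
```

With the HTTP fallback enabled, `s3.example` resolves to whatever DID a tenant wrote into the file under a bucket they control, because the resolver has no way to tell a tenant-owned path from one owned by the domain operator. With DNS TXT as the only authoritative source it resolves to nothing, which is the point the last comment above makes. The `method` field in the result is there so a service can at least log or alert on handles that were vouched for by the HTTP path only. The `tenant_can_claim_path` check reproduces the webfinger contrast from earlier in the thread: a top-level segment under `/.well-known/` fails the bucket-name rule, so that path cannot be claimed on an S3-style host.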
@jonty lmao this rules