Robert Thau

@dangillmor The problem is that it's actually verification by some other website, and people who need to rely on verification don't know whether that other website is the kind of impostor you've probably seen in high-quality phishing attempts. I could register imreallytaylorswift.com right now (as I write, it is available), and verify my account with that; that doesn't make me really Taylor Swift.

3 comments
Martin Vermeer FCD

@rst @dangillmor This is true in principle, but the example you give is a bit contrived. Using, as I do, my web site under a university domain ought to be 100% safe if the IT security folks at that university know their métier (as they do, it is Aalto University).

FinchHaven

@rst

Where does the "imposter" issue come from when it's initiated by the specific Mastodon user themselves, and employs either a web site over which they have direct html-write authority or is a third-party web site on which the Mastodon user is previously known and verified?

Not seeing the problem - for those who understand the process

cc @dangillmor

Femme Malheureuse

@rst @dangillmor It should NOT be a problem for media entities because their website/IT personnel should handle adding the code to the business's site.

Take either NYT or WaPo journalists — if their personnel Mastodon accounts are verified on NYTimes.com or WashingtonPost.com, it is only because authorized personnel with access to those sites' code have added the verification coding.

If anything, the verification process should encourage media outlets to run their own instances.
