undefined | Better HN

0 pointsd4mi3n11mo ago0 comments

What is appropriate here really depends on what properties BlueSky wants to assert about it's ecosystem.

> What was the problem with the current DNS system? I definitely think there could be improvements like displaying domain instead of TLD but still.

As commenters earlier in this thread have noted, one property BlueSky claims it wants to develop/maintain is resistance against BlueSky itself becoming an adversarial party--say in the event it is bought out by an eccentric multi-billionaire who may take steps to discredit certain parties or reduce their reach or reputation.

I don't think the current DNS verification methodology helps or hurts in a BlueSky is hostile scenario. I think the only issues with the current DNS username verification system as I understand it are the same issues with any DNS based verification system in that vanilla DNS was not a protocol designed to be resistant to adversarial use and as a result there are many ways for people to tamper with DNS records, DNS queries, and confuse systems that incorrectly trust DNS records to be trustworthy or well-formed. DNS cache poisoning is a thing. Domain takeovers have and will continue to happen.

Now, if we're talking about what technologies are suitable for username verification in a word where BlueSky is adversarial, we have a very different conversation. I think the scope of such a scenario extends a lot further than usernames. If your primary interface into the AT Protocol feed is the BlueSky website or the official BlueSky application, you are trusting BlueSky to validate usernames. An adversarial BlueSky could easily decide if your interface marks someone as trusted or untrusted without your knowledge.

The only way I could think to avoid this would be to use a different interface to the global feed, but then you run into new problems that are more difficult to avoid: the fact that most BlueSky users don't host their own data (though this is doable with https://atproto.com/guides/self-hosting). BlueSky also manages the global feed, so barring a competitive global index, you'll still be consuming a feed curated by BlueSky's AT Protocol services and implementation.

I'd close this by saying I am _not_ an expert in the AT Protocol, BlueSky's systems, or this space in general. This is a very fast and loose risk assessment I made after reviewing the AT Protocol and a bit of research on how BlueSky says it provides it's services. My current assessment is that if the community wants to be robust against BlueSky becoming adversarial, there needs to be a lot more support for self-hosting of PSPs and similar data stores, alternative global indexes, and likely also independent governance of the AT Protocol itself.

0 comments

godelski11mo ago

Thanks for the insights and disclosure. While maybe not a expert in the AT Protocol, certainly you are closer to the issue than myself and presumably most users.

Were you given the ability to make a trustless or more decentralized system is there some route you would pursue? Maybe ignoring the AT protocol so I (and others?) can get a better sense of how such systems might be employed to ensure that an arbitrary organization can build defenses against themselves becoming adversaries (seems like a fairly useful mindset in general).

d4mi3nOP11mo ago

> Maybe ignoring the AT protocol so I (and others?) can get a better sense of how such systems might be employed to ensure that an arbitrary organization can build defenses against themselves becoming adversaries (seems like a fairly useful mindset in general).

There are ways to do this, but being trustless in the context of a social network is a thorny problem I'm not sure I can provide an answer to. The whole purpose of such networks is to enable communication with people you may not necessarily know (or trust). Furthermore, you implicitly trust the medium in which you use to communicate (BlueSky, Twitter, SMS, Zoom, etc.).

There are ways to make things difficult for a service provider; you see many of them in high security contexts. For example, when storing data on AWS GovCloud or similar, you have the option have AWS use user or company provided encryption that they do not have control over. Should AWS be compromised in some way, they would still need to have your cryptographic keys in order to access unencrypted data (https://docs.aws.amazon.com/AmazonS3/latest/userguide/Server...).

Another approach is message signing. An example of that is PGP signing of emails or files. You can use these cryptographic signatures to verify a message (email) or binary blob (file) has not been tampered with.

Another common approach, which you have alluded to, is some kind of multi-party scheme. Many cryptographic blockchains are good examples of this: You need a majority of parties in such schemes to agree on something for it to be considered valid or true.

A combination of these things can be used to make it more difficult for a service provider to be compromised or act against their user's interests. Sadly, this does not make it _impossible_ for them to do so. A user or customer who doesn't want to tolerate the worst case scenarios here still needs to make their own back ups, decide what entities to trust, and ensure they have robust procedures for doing things like trusting new entities or managing cryptographic material.

I'll also note that there are in fact live examples of such systems if you look for them. See IPFS for one such example: https://ipfs.tech/

j / k navigate · click thread line to collapse