#indieweb 2024-11-01

2024-11-01 UTC
gRegorLove_, geoffo, jimw, ps_gro, jimw0, [Joe_Crawford], toastal, bterry, rvalue-, cedric, lazcorp, codebuzz, GuestZero, barnaby, [Joschi_Kuphal], Xe and Guest6 joined the channel; toastal left the channel
# 13:29 
sisoma_new[d] Is there some additional authentication/verification going on?
# 13:29 
sisoma_new[d] Was wondering if anyone knows how IndieAuth's authentication is "safe" enough using the email authentication method.
# 13:29 
sisoma_new[d] Been a while since I've been on here.
# 13:29 
sisoma_new[d] Hey all!
# 13:29 
sisoma_new[d] The auth codes sent via email only contain 4 digits. Which does not make it insanely unlikely for someone to be able to guess the code (people win lotteries with worse odds).
# 13:32 
sisoma_new[d] It doesn't seem too unreasonable that a potential bad guy could successfully brute force the 4 digit code?
# 13:32 
sisoma_new[d] Example scenaria:
# 13:32 
sisoma_new[d] 1. I login to pronouns.page using IndieAuth and type my website's address.
# 13:32 
sisoma_new[d] 2. IndieAuth asks if I want to use email or GitHub authentication methods (discovered through the HTML on my website)
# 13:32 
sisoma_new[d] 3. I select the email method, and get sent an email with a simple 4 digit code
# 13:32 
sisoma_new[d] 4. I type in the 4 digits and voila, I am authenticated.
# 13:33 
sisoma_new[d] Is there some additional authentication/verification going on?
# 13:33 
sisoma_new[d] [edit] Hey all!
# 13:33 
sisoma_new[d] Been a while since I've been on here.
# 13:33 
sisoma_new[d] Was wondering if anyone knows how IndieAuth.com's authentication is "safe" enough using the email authentication method.
# 13:33 
sisoma_new[d] The auth codes sent via email only contain 4 digits. Which does not make it insanely unlikely for someone to be able to guess the code (people win lotteries with worse odds).
# 13:33 
sisoma_new[d] It doesn't seem too unreasonable that a potential bad guy could successfully brute force the 4 digit code?
# 13:33 
sisoma_new[d] [edit] Example scenaria:
# 13:33 
sisoma_new[d] 2. IndieAuth asks if I want to use email or GitHub authentication methods (discovered through the HTML on my website)
# 13:33 
sisoma_new[d] 1. I login to pronouns.page using IndieAuth.com and type my website's address.
# 13:33 
sisoma_new[d] 3. I select the email method, and get sent an email with a simple 4 digit code
# 13:33 
sisoma_new[d] 4. I type in the 4 digits and voila, I am authenticated.
# 13:51 
capjamesg[d] aaronpk ^
# 13:55 
sisoma_new[d] It doesn't seem too unreasonable that a potential bad guy could successfully brute force the 4 digit code?
# 13:55 
sisoma_new[d] [edit] Example scenario:
# 13:55 
sisoma_new[d] 1. I login to pronouns.page using IndieAuth.com and type my website's address.
# 13:55 
sisoma_new[d] 2. IndieAuth asks if I want to use email or GitHub authentication methods (discovered through the HTML on my website)
# 13:55 
sisoma_new[d] 3. I select the email method, and get sent an email with a simple 4 digit code
# 13:55 
sisoma_new[d] 4. I type in the 4 digits and voila, I am authenticated.
toastal and AramZS joined the channel; toastal left the channel
# 14:38 
aaronpk The codes are only valid for 5 minutes so it's not like it's a 4-digit password, but yeah I should update that to 6 alphanumeric chars which is the general standard for those codes these days
klymilark joined the channel
# 14:51 
sisoma_new[d] Funnily enough, the reason I asked about this is because at work we are implementing a similar email authentication system, so was doing some research on what others are doing. And we did land on using 6 alphanumeric characters codes which are valid for 5 minutes 😆  We also decided to remove a couple of characters that could easily be mistaken for each other.
# 14:51 
sisoma_new[d] I see yeah that would make it practically impossible to guess! 😄
# 14:52 
sisoma_new[d] aaronpk++
# 14:52 
Loqi aaronpk has 8 karma in this channel over the last year (118 in all channels)
rvalue joined the channel
# 15:57 
aaronpk alright, that was an easy fix, thanks for the nudge
# 15:58 
aaronpk now it sends out 6 char codes from the character set [2-9A-Z]-[IO]
toastal joined the channel
# 16:03 
sisoma_new[d] I always select IndieAuth when I get the option, so is good to also have that peace of mind that it is secure ❤️
# 16:03 
sisoma_new[d] Thanks for the quick fix!
# 16:03 
sisoma_new[d] Awesome 😄
# 16:05 
sisoma_new[d] Just confirmed that the code is 6 alphanumeric characters.
antranigv, [morganm] and [qubyte] joined the channel
# 16:40 
[tantek] aaronpk++
# 16:40 
Loqi aaronpk has 9 karma in this channel over the last year (119 in all channels)
cptaffe, sebbu, Kupietz and toastal joined the channel
# 19:34 
Loqi [indienews] New post: "Possible futures for Bridgy Fed" https://snarfed.org/2024-11-01_53932
# 19:44 
aaronpk 👀
# 19:56 
[snarfed] feedback is welcome!
[aciccarello] joined the channel
# 20:10 
[aciccarello] I appreciate the desire to get feedback on Bridgy's future
BigShip joined the channel
# 20:11 
[aciccarello] It also reminds me of Ben Werd's brainstorming of possible Fedi services https://werd.io/2024/helping-to-build-the-open-social-web
# 20:13 
[snarfed] hah. thanks [aciccarello]! I already get a ton of feedback as is, this was more about sending a message out
# 20:13 
[snarfed] but I'm open to all of it
# 20:13 
[aciccarello] haha, I'm sure there are lots of people online happy to share their opinions
JadedBlueEyes and kimmy joined the channel
# 21:03 
fausphorus Hello! 👀  Super duper new to website-making, but also super duper tired of big corp websites destroying all of my efforts/contents after policy changes, especially as a queer content creator. I'm looking to create my own "resilient" website where I can post my creative content without fear of takedown or sudden policy changes by outside entities.
# 21:07 
[aciccarello] Welcome!
# 21:07 
[tantek] Welcome and those are good reasons fausphorus++
# 21:07 
Loqi fausphorus has 1 karma over the last year
# 21:07 
[tantek] Love the focus on being a content creator, you're among supporters here. If you ever want to get into technical details we also have a #indieweb-dev channel for that.
# 21:09 
fausphorus I'm glad! I also admit I'm a little overwhelmed with, well, everything out there. Between all of the options, the possible approaches, the terminology, the acronyms... I've tried on and off to get into website building, but I never would get very far beyond learning html line breaks or making paragraphs, or editing neopet pet-pages way back in the 2000's.
# 21:09 
fausphorus Indieweb-dev would be the place for me to get started then?
# 21:09 
IWDiscord <f​ausphorus>
# 21:14 
[snarfed] fausphorus you don't need to write code! there are lots of great tools for non-developers: https://indieweb.org/Getting_Started#IndieWeb_Services , https://indieweb.org/web_hosting , etc
# 21:15 
[snarfed] if you _want_ to write code, yes, #indieweb-dev, but you don't have to
# 21:19 
fausphorus My concern is that; I've had the repeat past experience where I would host something I've made, only to have it taken down/deleted/banned/removed from a platform because it doesn't abide to their rules or regulation. I'm a trans creator who wants to make content regarding my lived experiences, and I worry that if I rely on "pre-made" template systems or, I guess like ... framework(?), I would risk losing access to my own content o
# 21:19 
fausphorus I feel like at this point, the only/main way I can ensure I never lose my own creation is to learn how to code myself and keep local copies of my website, unless I'm wrong?
# 21:19 
IWDiscord <f​ausphorus>
# 21:20 
fausphorus For example: Tumblr is *very* unfriendly to trans creators, despite attempting to advertise itself as a good space for queer creators. I'm very tired of getting bridges burned that way.
# 21:20 
[tantek] Yeah, lots of folks here that have some of those shared experiences
# 21:21 
fausphorus What would be the best suggested solution or route?
# 21:21 
[tantek] so far there are a handful of services (e.g. http://micro.blog) that seem very supportive of queer and other creators. and yes, at least owning your domain is a minimum, so you can always export your stuff from whatever service / backend you're on and switch to a different service
# 21:21 
Loqi hey fausphorus, [tantek]: we try to keep jargon (framework, template, backend) out of this channel to make it more inviting to newcomers, can you move this to #indieweb-dev?
# 21:22 
[tantek] oops yeah see that's what happens when we start talking too much implementation jargon 😂
# 21:22 
fausphorus 😆  and here's me not even knowing what's jargon or not right now. I'll go wherever I'm broom-swept to
# 21:23 
[tantek] you're fine, the goal is to make this space (#indieweb) more welcoming and inclusive rather than gate-keeping for only folks who code etc.
# 21:23 
[tantek] I believe another queer-friendly and supportive service is omg.lol
# 21:24 
[tantek] but yes, if you do decide to go down the coding and making your own solution route, there's plenty of folks here with many different options/approaches willing to help in #indieweb-dev!
toastal left the channel
# 21:36 
capjamesg[d] Welcome, fausphorus[d]!
# 21:36 
fausphorus Thanks!
# 21:46 
Loqi [indienews] New post: https://tantek.com/2024/306/t1/simple-embeds
# 21:46 
[tantek] hey did I make the newsletter?
# 21:54 
[tantek] looks like it
Kupietz, _justin_kelly2, xgpt and angelo joined the channel