#indieweb 2024-11-01

2024-11-01 UTC
gRegorLove_, geoffo, jimw, ps_gro, jimw0, [Joe_Crawford], toastal, bterry, rvalue-, cedric, lazcorp, codebuzz, GuestZero, barnaby, [Joschi_Kuphal], Xe and Guest6 joined the channel; toastal left the channel
#
sisoma_new[d]
Hey all!
#
sisoma_new[d]
Been a while since I've been on here.
#
sisoma_new[d]
Was wondering if anyone knows how IndieAuth.com's authentication is "safe" enough using the email authentication method.
#
sisoma_new[d]
The auth codes sent via email only contain 4 digits. Which does not make it insanely unlikely for someone to be able to guess the code (people win lotteries with worse odds).
#
sisoma_new[d]
It doesn't seem too unreasonable that a potential bad guy could successfully brute force the 4 digit code?
#
sisoma_new[d]
Example scenario:
#
sisoma_new[d]
1. I login to pronouns.page using IndieAuth.com and type my website's address.
#
sisoma_new[d]
2. IndieAuth asks if I want to use email or GitHub authentication methods (discovered through the HTML on my website)
#
sisoma_new[d]
3. I select the email method, and get sent an email with a simple 4 digit code
#
sisoma_new[d]
4. I type in the 4 digits and voila, I am authenticated.
#
sisoma_new[d]
Is there some additional authentication/verification going on?
#
capjamesg[d]
aaronpk ^
toastal and AramZS joined the channel; toastal left the channel
#
aaronpk
The codes are only valid for 5 minutes so it's not like it's a 4-digit password, but yeah I should update that to 6 alphanumeric chars which is the general standard for those codes these days
klymilark joined the channel
#
sisoma_new[d]
Funnily enough, the reason I asked about this is because at work we are implementing a similar email authentication system, so was doing some research on what others are doing. And we did land on using 6 alphanumeric character codes which are valid for 5 minutes 😆 We also decided to remove a couple of characters that could easily be mistaken for each other.
#
sisoma_new[d]
I see yeah that would make it practically impossible to guess! 😄
#
sisoma_new[d]
aaronpk++
#
Loqi
aaronpk has 8 karma in this channel over the last year (118 in all channels)
rvalue joined the channel
#
aaronpk
alright, that was an easy fix, thanks for the nudge
#
aaronpk
now it sends out 6 char codes from the character set [2-9A-Z]-[IO]
toastal joined the channel
#
sisoma_new[d]
I always select IndieAuth when I get the option, so is good to also have that peace of mind that it is secure ❤️
#
sisoma_new[d]
Thanks for the quick fix!
#
sisoma_new[d]
Awesome 😄
#
sisoma_new[d]
Just confirmed that the code is 6 alphanumeric characters.
antranigv, [morganm] and [qubyte] joined the channel
#
[tantek]
aaronpk++
#
Loqi
aaronpk has 9 karma in this channel over the last year (119 in all channels)
cptaffe, sebbu, Kupietz and toastal joined the channel
#
Loqi
[indienews] New post: "Possible futures for Bridgy Fed" https://snarfed.org/2024-11-01_53932
#
aaronpk
👀
#
[snarfed]
feedback is welcome!
[aciccarello] joined the channel
#
[aciccarello]
I appreciate the desire to get feedback on Bridgy's future
BigShip joined the channel
#
[aciccarello]
It also reminds me of Ben Werd's brainstorming of possible Fedi services https://werd.io/2024/helping-to-build-the-open-social-web
#
[snarfed]
hah. thanks [aciccarello]! I already get a ton of feedback as is, this was more about sending a message out
#
[snarfed]
but I'm open to all of it
#
[aciccarello]
haha, I'm sure there are lots of people online happy to share their opinions
JadedBlueEyes and kimmy joined the channel
#
fausphorus
Hello! 👀 Super duper new to website-making, but also super duper tired of big corp websites destroying all of my efforts/contents after policy changes, especially as a queer content creator. I'm looking to create my own "resilient" website where I can post my creative content without fear of takedown or sudden policy changes by outside entities.
#
[tantek]
Welcome and those are good reasons fausphorus++
#
Loqi
fausphorus has 1 karma over the last year
#
[tantek]
Love the focus on being a content creator, you're among supporters here. If you ever want to get into technical details we also have a #indieweb-dev channel for that.
#
fausphorus
I'm glad! I also admit I'm a little overwhelmed with, well, everything out there. Between all of the options, the possible approaches, the terminology, the acronyms... I've tried on and off to get into website building, but I never would get very far beyond learning html line breaks or making paragraphs, or editing neopet pet-pages way back in the 2000's.
#
fausphorus
Indieweb-dev would be the place for me to get started then?
#
[snarfed]
fausphorus you don't need to write code! there are lots of great tools for non-developers: https://indieweb.org/Getting_Started#IndieWeb_Services , https://indieweb.org/web_hosting , etc
#
[snarfed]
if you _want_ to write code, yes, #indieweb-dev, but you don't have to
#
fausphorus
My concern is that; I've had the repeat past experience where I would host something I've made, only to have it taken down/deleted/banned/removed from a platform because it doesn't abide to their rules or regulation. I'm a trans creator who wants to make content regarding my lived experiences, and I worry that if I rely on "pre-made" template systems or, I guess like ... framework(?), I would risk losing access to my own content o
#
fausphorus
I feel like at this point, the only/main way I can ensure I never lose my own creation is to learn how to code myself and keep local copies of my website, unless I'm wrong?
#
fausphorus
For example: Tumblr is *very* unfriendly to trans creators, despite attempting to advertise itself as a good space for queer creators. I'm very tired of getting bridges burned that way.
#
[tantek]
Yeah, lots of folks here that have some of those shared experiences
#
fausphorus
What would be the best suggested solution or route?
#
[tantek]
so far there are a handful of services (e.g. http://micro.blog) that seem very supportive of queer and other creators. and yes, at least owning your domain is a minimum, so you can always export your stuff from whatever service / backend you're on and switch to a different service
#
Loqi
hey fausphorus, [tantek]: we try to keep jargon (framework, template, backend) out of this channel to make it more inviting to newcomers, can you move this to #indieweb-dev?
#
[tantek]
oops yeah see that's what happens when we start talking too much implementation jargon 😂
#
fausphorus
😆 and here's me not even knowing what's jargon or not right now. I'll go wherever I'm broom-swept to
#
[tantek]
you're fine, the goal is to make this space (#indieweb) more welcoming and inclusive rather than gate-keeping for only folks who code etc.
#
[tantek]
I believe another queer-friendly and supportive service is omg.lol
#
[tantek]
but yes, if you do decide to go down the coding and making your own solution route, there's plenty of folks here with many different options/approaches willing to help in #indieweb-dev!
toastal left the channel
#
capjamesg[d]
Welcome, fausphorus[d]!
#
fausphorus
Thanks!
#
[tantek]
hey did I make the newsletter?
#
[tantek]
looks like it
Kupietz, _justin_kelly2, xgpt and angelo joined the channel