#bridgy 2017-01-18

2017-01-18 UTC
snarfed joined the channel
snarfed
aaronpk: bridgy is sending w7apk wms to aaronparecki.com because https://twitter.com/w7apk has aaronparecki.com in its profile, so bridgy searches for and sends links to it
aaronpk
interesting
aaronpk
doesn't that mean anyone can "steal" bridgy webmentions by putting someone else's website in their twitter profile?
snarfed
eh not really
snarfed
as you saw, all the source mf2 properties are the same regardless of source twitter account, and target url is the same
snarfed
you can make bridgy serve a source page with your own twitter username, yes, but mf2 u-url overrides that. (and even if not, seems pretty harmless)
snarfed
right?
aaronpk
oh right the bridgy HTML was the same regardless of which twitter username was used in the URL
aaronpk
all that really does is switch which twitter credentials hit the api then right?
snarfed
basically yes
snarfed
heh the security implications of these protocols can be tricky and non-obvious to think through sometimes
snarfed
like when bridgy publish was totally open, and you still could only publish things that person had already published on their site...but you could syndicate something to a silo they hadn't intended
aaronpk
so the only threat really is a DoS attack where someone could get bridgy to use the attacker's twitter credentials which they could somehow manipulate into hitting twitter's rate limit
snarfed
eh yeah but you can do that now by just DoSing someone's bridgy source urls, without messing with profile URLs
aaronpk
yeah that seemed like a stretch while i was typing it :)
snarfed and snarfed1 joined the channel