#sknebel petermolnar: same idea, yes. Most webmention endpoints probably limit the size of pages they download, but if you measure that "on the wire" and support HTTP with gzip, the page can use a lot of memory very easily
#Zegnat I just use curl to grab the HTML. Does curl have some sort of internal limit that protects me, or do I have to write that one myself?
#petermolnar combine that with a reflection attack... neat. By the way, I have a security question: vouch does not seem to be able to prevent a reflection attack at all, since you'll need to crawl B (potentially even C, from the https://indieweb.org/Vouch example)
#petermolnar Zegnat I'm not aware of built-in limits for cURL
#sknebel possibly even needs attention with redirects to other protocols
#cmal petermolnar: there are a few interesting possibilities
#cmal someone a few weeks ago mentioned signing the webmention payload with PGP and matching the key to a cached version of the source's key
#cmal then for vouching there's the obvious case of matching people against contacts/subscribers/groups
#Zegnat I looked around a bit. Seems my curl'ing of the webmention will just try to download the resource no matter the size.
#GWG petermolnar: So, what is your Vouch alternative? Not that I've seen a lot of Vouch integration on the part of sites.
#cmal yeah there's talk here and there about DDOS/auth/encryption but I don't see any proposals taking all these aspects into consideration :-/
#cmal how could one do proper vouching without followers/following lists? I personally don't see any way that's feasible but if you've got ideas… :D
#petermolnar originally I was thinking of adding DMARC-DKIM-SPF into webmention
#petermolnar but that is a little too complicated for most
#GWG The idea is only that Vouch moves the burden of proof to the sender.
#cmal GWG: yeah but in its current form it considers that if you have a link to a website somewhere on your website (including, like petermolnar pointed out, somewhere in an unmoderated comment), you are vouching for this website
#cmal well precisely: if you have webmention.io as a webmention endpoint, then someone receiving a webmention of yours would match the source IP address against A/AAAA records of webmention.io
#sknebel and even for the receiver you'd have to fetch the site to figure out if it actually uses it
#cmal okay you're right, my bad… but maybe this is info we could add as a link on the homepage?
#cmal sknebel: yeah but you would only fetch it once every now and then so it would mitigate an attempt at DDOS
#petermolnar what's important is to list all the options which could prevent fetching a falsely sourced site
#petermolnar because that is how you destroy both your and the source site's capacity
#petermolnar we could say the webmention endpoint must go into the HTTP response header
#sknebel e.g. people with static sites are going to send their webmentions from all kinds of IPs with all kinds of hostnames... local laptops, CI servers, ...
#petermolnar because HEAD is significantly cheaper than GET
#GWG Think of trust like a point system. You try to identify people you trust more than others using software. And you try to identify people with a low trust quotient.
#sknebel for the source I'm not sure if a HEAD is worth it. For many dynamic sites the load is probably going to be quite similar, and now you are sending 2 requests instead of one
#petermolnar but for the receiver I could do a DNS SPF lookup for the sender domain, if it exists, match it to the actual sender server and die if it's not valid
#Zegnat KevinMarks: yes, you have the replies in place. But the extension does not yet resolve back-links. It just checks all the HREF values it finds as strings.
#petermolnar and only differs as ' ' instead of 'T' between date and time compared to the ISO
#bear yea, the battle for date time formatting was lost a long time ago
#bear in python to do it properly and flexibly you have to combine a few libs and add error handling - python-dateutil and pytz and more - I would have to go find some old code of mine to recreate it
tantek joined the channel
#sknebel yep, I'm using pytz and an iso8601 parsing library as well, and I don't parse external dates yet
#sknebel I think for "here is a string, guess what it is" I'd need another library