#dev 2016-09-13

2016-09-13 UTC
#
GWG How do you build trust?
#
gRegorLove petermolnar: I'm interested to learn more about the reflection attach you mentioned. Not sure I understand.
#
gRegorLove In my implementation, if you send vouch=C and the domain of C isn't in my approved vouches list, it's rejected without crawling any other domains.
#
gRegorLove The list of approved vouch domains can be updated manually, but also parses from a "following" page, e.g. http://gregorlove.com/following/
#
gRegorLove You can point the plugin to any "following" page and it parses the URLs from the h-cards, so in theory could point it to some shared list
#
cmal interesting
#
gRegorLove s/attach/attack/
#
cmal from what I remember a reflection attack to be, I think that was not the appropriate term for what petermolnar was describing
#
gRegorLove (This is also when "require vouch" option is on. It's not on at the moment for my site.)
#
cmal I think the discussion was more centered around vouching authenticity and potential DDOS (where the "reflection" would be that two parties are affected by a webmention vouch DDOS, not just one)
#
cmal gRegorLove: is your vouch-matching library free software?
#
gRegorLove It's part of the ProcessWire Webmention plugin, not a standalone library. I based it on ben_thatmustbeme's open source code.
#
cmal GWG: yeah the problem isn't that it's not perfect, but that it barely tries in the specs themselves. That doesn't mean it's not a good enough basis to do something with contacts management like gRegorLove suggested
doesntgolf joined the channel
#
gRegorLove barely tries? I don't follow
#
GWG I was thinking of doing it that way.
#
cmal GWG: then it makes a lot of sense ^^
#
GWG The following list. It works out as more of a whitelist.
#
gRegorLove Yep
#
cmal gRegorLove: I don't recall the vouch protocol encouraging to deploy friends lists, from what I remember in the wiki it's mostly "yeah a link on a web page is good enough, but sure if you really wanna be paranoid you can do more"
#
gRegorLove I think /Vouch purposefully doesn't lay out exactly how you decide if a vouch URL is valid or not. Many approaches to it. https://indieweb.org/Vouch#How_do_I_verify_a_vouch
#
gRegorLove Double check the FAQs on there; I think it addresses most things, but we can certainly add new ones.
#
cmal gRegorLove: yes I'm not saying it doesn't, I'm just saying it's considered to be a side-issue and not a core issue of the debate
#
@kwlug And now @andrew_s_cant demonstrates the principles of #webmentions, used in blog comments, for example (twitter.com/_/status/775487402110574592)
#
cmal still out of curiosity, apart from XFN and ActivityPub following/followers is there another proposal?
#
cmal I notice you're just using plain h-cards on your following list?
#
@kwlug And now @andrew_s_cant demonstrates the principles of #webmentions, used in blog comments, for example (twitter.com/_/status/775488416918142976)
#
cmal I mean, how can the webmention target verify the vouch if it doesn't know what format it's gonna be in (h-cards in XML or JSON, XFN, AS2 JSON) ?
#
gRegorLove "verify the vouch" means a) Does the vouch URL link to the source domain, as the webmention sender claims.
#
gRegorLove b) Do I trust the vouch URL?
#
gRegorLove Doesn't require parsing a specific format.
#
cmal yeah okay so we're back to having trust in a simple link :-/
#
gRegorLove I don't understand the problem
#
gRegorLove I think https://indieweb.org/spam#Spam_Prevention is the main other place on the wiki discussing other anti-spam options in general
#
ben_thatmustbeme looks up
#
ben_thatmustbeme yay, more vouch
#
Loqi :D
#
gRegorLove But /Vouch has been the main proposal/implementation specific to webmention.
#
cmal so for instance if your webmention endpoint is open (no vouching) as it is, I can just send you a comment that's going to be displayed on your site with a link to a third site under my control ; from there, I can send spammy spam to all people trusting you to vouch people by just linking to the article I commented on?
#
GWG I just don't know how I would build a Vouch list.
#
gRegorLove Re: XFN, for me I don't use it because I haven't seen a use-case for consuming it. My "following" page is primarily for internal purposes: my plugin parses h-cards for the whitelist.
#
cmal ben_thatmustbeme: sorry, recurring topic when people have somewhat big infras (10s of thousands of users) and a lot of spam-related trouble :D
#
GWG I need to figure out an implementation works for my platform.
#
cmal GWG: I guess it depends on many things: mostly platform settings (what the techs you're building your site with allow you to do) and user settings (whether you want to vouch for everyone you follow, everyone with whom you have a mutual following relationship, only a whitelist, etc…)
#
GWG cmal, I have to think about the bigger picture. WordPress
#
ben_thatmustbeme cmal recarding what you said, "i can just send spammy spam to all people trusting you to vouch people" thats not always a published list. I publish it, but I don't know that anyone else does.
#
GWG I can extend it, but I need something basic for everyone
#
cmal gRegorLove: well XFN is too broad and vague for this purpose. who cares if two people are married, friends, acquaintances or coworkers, we just want to know if they should be allowed to send you messages :-P
#
gRegorLove Heh, yeah
#
ben_thatmustbeme also true, xfn is modeling much more than is needed for indieweb's use's
#
cmal and if you're just using following lists, you're basically building a PR pyramid where most-read people can reach out to even more people by getting vouched for effortless
#
cmal (the free-software equivalent of buying "promoted posts" on silos :D)
#
gRegorLove cmal: Thinking through your example, it's valid. I don't know how one would get a list of "all the people trusting [gregorlove.com] to vouch", though. Presumably if they started seeing a lot of spam get through with my domain as a vouch, they'd remove my domain as a vouch.
#
gRegorLove Which is some moderation work on their part, yes, but (I think?) less than moderating un-vouched spam.
#
cmal gRegorLove: I agree, it's not the biggest vector ever, still it's a vector for DDOS as such a case is considered valid until, as you say, somebody notices
#
cmal sure, the problem is more that such a process can be fully automated and target pretty much anyone until websites overload and you get weird behaviours that open new attack vectors
#
cmal so you have to consider it outside if a single isolated website, but as a flaw potentially traversing a whole network of websites (the vouch federation)
#
cmal ben_thatmustbeme: it doesn't have to be public, first because automatic spam (think nmap plugin), and second because one can look at your public interactions with other people to figure that one out
#
cmal like if I reshared publicly a post of yours on two different days, there's a slight possibility that I follow you somehow, or follow someone who follows you
#
ben_thatmustbeme yes, but its still a huge improvement on open webmentions, it significantly increases the difficulty of attacks,(you can to scan websites for all interactions) and even then you may not get anywhere as not everyone will accept vouches and will moderate
#
cmal again, for such a small community mapping out all the social graph and all the interactions between everyone is probably just a couple hours of spidering / graph processing away (which is a very low entry price)
#
gRegorLove Vouch is less of a vector for DDOS than without Vouch, right? Am I missing something?
#
ben_thatmustbeme also, following and accepting vouches from are two VERY different things
#
cmal ben_thatmustbeme + gRegorLove : sure, not criticizing the step forward already taken, just trying to look ahead ;-)
#
cmal ben_thatmustbeme +1
#
gRegorLove I didn't take it as criticism, just trying to better understand :)
#
ben_thatmustbeme i just like debating
#
ben_thatmustbeme :)
#
gRegorLove No you don't
#
gRegorLove :D
#
ben_thatmustbeme "Look I was looking for an argument" "OH, this is abuse! Arguments is down the hall"
#
cmal :-)
#
cmal finds it way more useful to debate around vouching and opsec than about "OH MY GOD BURKINIS? ARE THESE WOMEN PEOPLE? CAN MUSLIMS BE FRENCH?", just sayin'
#
ben_thatmustbeme Anyway, it is true that if someone comments on aaron's site and he displays it, they would be able to automatically get a spam post on my site as well. but I would later notice the spam, delete it, and then look at where the vouch came from
#
ben_thatmustbeme it offers me an obvious recourse on how to stop that. "I can't trust aaron to not have spam, so i guess he's off my whitelist for now"
#
cmal … which is good on an individual cases, but does not help if I do this with all the open-webmention websites that I find (which is going to be a lot, probably even years from now)
#
ben_thatmustbeme I'm willing to bet a lot of sites will get moderation by default pretty quickly after the first attack though
#
cmal ben_thatmustbeme: don't say this, you're going to make me want to write a proof-of-concept <3
#
gRegorLove Part of the reason we're working on and thinking about Vouch now is that it's solid when Webmention is more widely supported.
#
ben_thatmustbeme indeed
#
gRegorLove So it's not an "off-by-default" thing
#
gRegorLove It's only off-by-default in my ProcessWire plugin because I know of 3 sites using vouch :)
#
gRegorLove I think a WordPress plugin should definitely be on-by-default
#
cmal mapping the IndieWeb social graph, identifying open webmention endpoints, just having one meaningful (hence inoffensive-looking) comment there (or just a reshare, as it would usually be enough to get a link to my site)… with a proper VM I'm sure this script could run throughout the whole Indieweb in a matter of hours
#
ben_thatmustbeme well there are thousands and thousands of known installs that don't connect to each other
#
ben_thatmustbeme so i don't think anyone could ever get the "whole indieweb"
#
ben_thatmustbeme if you mean the core group, i'll save you time https://indieweb.org/irc-people
#
cmal ben_thatmustbeme: not the exact whole of it, but I'm almost sure (although no calculation will be possible) that somehow one node in the network will always act as a gateway between communities
#
gRegorLove Yeah, no comments needed, just add yourself there :)
#
cmal :D
#
gRegorLove pre-emptively blacklists cmal.
#
gRegorLove jk
#
ben_thatmustbeme (although i don't accept indieweb.org as a whitelist vouch)
#
cmal ben_thatmustbeme: you were saying earlier following and vouching should be decoupled
#
ben_thatmustbeme tries to remember who used the "anonymous" post site
#
cmal what do you think about what I proposed earlier to then have user-settings for vouching?
#
gRegorLove cweiske?
#
ben_thatmustbeme ended up removing the comment because of it
#
cmal commentpara.de?
#
ben_thatmustbeme yeah
#
ben_thatmustbeme oh, and there is one other thing, no comments on my site will act as a vouch
#
ben_thatmustbeme i tag them all rel=nofollow
#
ben_thatmustbeme its only if I actually reply to the commentor that they can use me as a springboard for spamming the network
#
cmal smart
#
ben_thatmustbeme i believe many others do as well
#
cmal yeah it's specified on /Vouch, but is only mentioned once (without explanation, on step 6 of "Vouch selection")
#
cmal (at least that I could find)
#
ben_thatmustbeme feel free to expand on the reason for it
#
cmal will do :)
#
cmal I'm actually taking a lot of notes regarding such issues (authentication, encryption, vouching) to try and summarize the current state of the art
#
ben_thatmustbeme cool
#
cmal yeah because I think the current protocols are not that far from something really cool, we just need to piece it all together, and make everything very explicit (like this nofollow thing for instance which should be a big warning sign :D)
#
gRegorLove I seem to recall tantek making a case against using nofollow on links, but I don't remember exactly what they were.
#
cmal I think aaronpk the other day was proposing PGP-signed webmention payloads for 1-round webmentions, but someone today figured it could be a huge factor for DDOS (as verifying authenticity requires lots of math)
#
cmal so I don't know, there's always going to be some trade-offs, I guess :D
#
ben_thatmustbeme tantek was making that case i believe yes. rel=nofollow has been pretty much pointless in practice
#
gRegorLove Do you send/receive webmentions currently cmal, or waiting to work through these issues?
#
ben_thatmustbeme it would really just be repurposing something that has not been too useful
#
gRegorLove Just double-checked and mine won't accept a nofollow link as a vouch either.
#
cmal gRegorLove: not on cmal.info anymore (just migrated after an unfortunate unpaid bill), but I have an account on a Known on social.unixcorn.org :)
#
gRegorLove Hah, unixcorn. Love it.
#
cmal yeah, pretty name for a pretty project :D
#
cmal it's a free-price hosting cooperative, still very new and small, also the blog is not really finished yet (almost finished to implement on https://nimportequoi.unixcorn.org , microformats2 are not everywhere just yet)
#
ben_thatmustbeme woo, i think all the functionality of my new app is done, well, i should probably retest posting from it
#
ben_thatmustbeme but then its just a TON of UI work to do
#
cmal yay ~o~
#
cmal micropub stuff?
#
Loqi :D
#
ben_thatmustbeme yep
#
ben_thatmustbeme replacing mobilepub
#
cmal \o/
#
ben_thatmustbeme success. but not for categories
#
ben_thatmustbeme hmm
#
ben_thatmustbeme oh, duh, my website was using category as a comma sepperated list.... good thing i can change that in the configs on the new app
#
ben_thatmustbeme i went a bit overboard in configs
#
ben_thatmustbeme OH, i'm still missing one part functionality wise
#
ben_thatmustbeme adding new fields
#
ben_thatmustbeme gah
#
cmal :)
#
cmal anyway, I'm off or the night, thanks for the discussion ben_thatmustbeme and see you around :)
#
GWG ben_thatmustbeme: Do you still use php-comments?
#
ben_thatmustbeme GWG. Yes though I believe I made a few modifications for my setup. Been a while since one touched that code
#
GWG ben_thatmustbeme: I'd like to see some of your changes merged.
#
GWG Like the syndication one.
tantek, KevinMarks_, AngeloGladding, KevinMarks, KevinMarks__, cweiske and loicm_ joined the channel
#
KevinMarks__ Zegnat - what language are you implementing in?
#
Zegnat Vanilla JavaScript, it is a WebExtension afterall. Hopefully compatible with Chrome/Opera/Firefox without code differences.
#
Zegnat I think I need Promise.all() to have the fetches all run asynchronously, but (I think) that means I have to wrap them all. If a fetch rejects then Promise.all() will stop.
#
KevinMarks__ Ah right, I wasn't sure if you were making something server side
#
Zegnat No, I would like to keep it all contained to the browser, no dependencies.
#
KevinMarks__ I don't know the fetch api well enough to advise. Does it let you get called back on 301/302?
#
Zegnat Currently I parse the current tab for rel-me links, I then asynchronously fetch every page linked to with those, then I simply parse the returned HTML for rel-me links again and do a string compare on it.
#
Zegnat I believe fetch simply resolves 301/302, much like standard XHR does.
#
Zegnat On http://epeus.blogspot.com/ the extension finds 3 rel-me links. It will then have to do a fetch for each one to resolve it. And somehow I would like to exit that process as soon as one of them resolved to the URL I am looking for (ie. http://www.kevinmarks.com/)
#
KevinMarks__ Reading docs, there is a manual redirect mode, which is on by default in chrome now.
#
KevinMarks__ The spec says request has a url list of the redirected ones
#
Zegnat But I am not sure how I would do that. Promise.all() would let me run all 3 fetches and then handle the result once all 3 are done, but that sounds sub-optimal and may result in more fetches than needed.
#
Zegnat Yeah, I don't think fetch is going to be the problem. Me wrapping my head around this Promise-chaining-thing, that is where I am stuck ;)
#
cweiske what is a reply?
#
Loqi A reply (or comment) is a kind of post that is a text (typically, though photos are possible too) response to some other post, that makes little or no sense without reading or at least knowing the context of the source post https://indieweb.org/reply
#
cweiske what is a reply?
#
Loqi A reply (or comment) is a kind of post that is a text (typically, though photos are possible too) response to some other post, that makes little or no sense without reading or at least knowing the context of the source post https://indieweb.org/reply
#
cweiske.de created /Category:PostType (+58) "Created page with "Types of posts that [[Micropub]] and/or software supports."" (view diff)
#
cweiske.de edited /post (-26) (view diff)
#
KevinMarks__ If you have a list of promises, can't you cancel the incomplete ones?
#
cweiske.de edited /posts (-109) "/* See Also */" (view diff)
cmal joined the channel
#
Zegnat KevinMarks__: Promises cannot be cancelled, no. Neither can fetch.
#
GWG Morning
#
Loqi *yawn*
#
Zegnat Hello GWG :)
#
GWG Any excitement?
#
Zegnat Not here. Was doing some more WebExtensions work and learning about fetch API. But got stuck.
#
GWG I usually put something aside for a bit when that happens
#
petermolnar right. I recreated my formerly PHP standalone webmention receiver in python with background processes for parsing - I should have switched languages for this a _long_ while ago
#
petermolnar I don't need queues this way
#
petermolnar but I'm really not going to show this yet, my Python is caveman style for now :D
#
GWG petermolnar, good luck
#
GWG petermolnar, I still would like someone to write a receiver that can easily be installed that can send the parsed webmention to any system.
#
cweiske https://chat.indieweb.org/dev/2016-07-14#t1468524362744000
#
GWG I would like something in php though, since that is what I am using right now.
#
cweiske you'd only need a micropub endpoint for that
#
cweiske if that would exist
#
GWG Yes
#
cweiske webmention.io could do that, sending comments via micropub to one's blog
#
GWG cweiske, I want to host my own.
#
cweiske me too
#
cweiske basically the micropub request would be a "normal" request and would only need to contain an additional field "comment-of" with the url
#
aaronpk don't we already have that with "in-reply-to"?
#
aaronpk the comment needs to specify its own URL, so the micropub request would also include the "url" property which normally isn't part of the request
#
KevinMarks__ Zegnat, having read lots of discussion about fetch and cancellable promises, I see what you mean. I'd suggest that you don't put them all in flight at once, but start the next fetch once the first has completed so you don't use up all the client's http resources.
#
KevinMarks__ Also, given you only want the redirect chain, see if you can use HEAD first as that should let you resolve the redirects without fetching data
#
voxpelli aaronpk: on Micropub feedback – have anyone looked at or discussed the https://github.com/w3c/Micropub/issues/33 ?
singpolyma joined the channel
#
aaronpk i'm getting to it :)
doesntgolf joined the channel
#
@WendyandCharles ReadersGazette: BLOG Indie Author Answers by Jim Heskett http://www.thejugglingauthor.com/indieauth/ Get help writing your book #bookbloggers 70 (twitter.com/_/status/775426321883230208)
bear, miklb, j4y_funabashi, tantek and cweiske joined the channel
#
cweiske is there an open source micropub endpoint that supports delete queries?
#
cweiske known doesn't
#
www.boffosocko.com edited /read (+1359) "emoji for reading indicators" (view diff)
cweiske joined the channel
#
cweiske !tell aaronpk should micropub's "4.1.3 New Article with HTML" state that content[html] does not contain a full HTML document (with html, head and body tags) but a fragment only?
#
Loqi Ok, I'll tell them that when I see them next
#
cweiske s/them/him/
#
tantek cweiske: huh, that them/him response from Loqi was odd as I thought Loqi knew better than that. Perhaps this version of Loqi lacks access to the pronoun preferences file or something.
#
Loqi says something.
#
cweiske we'll never know
kants_, AngeloGladding, rascul, KevinMarks__, cweiske, Zegnat, tommorris, kline, tonious, sknebel, myfreeweb, singpolyma, rhiaro, bnvk_, ben_thatmustbeme, tantek, bear, GWG, petermolnar, plindner, j4y_funabashi, cmal, aaronpk, bret, voxpelli and gRegorLove joined the channel
#
tantek !tell cweiske thanks for the ping on https://github.com/w3c/Micropub/issues/48 - followed up on that and the related h-entry issue with hopefully a sufficient explanation. Likely worthy of an FAQ.
#
Loqi Ok, I'll tell them that when I see them next
#
www.funwhilelost.com edited /User:Www.funwhilelost.com (+187) "/* Andrew Jacobs */" (view diff)
#
gRegorLove Was anyone running queries against micropub endpoints today, about 8:50AM Pacific? I got a log (and found a bug)
#
gRegorLove Hoping it was someone here
#
sknebel gRegorLove: aaronpk did so ~5.30 hours ago
#
sknebel (to lazy to look conversion up, sorry ;))
#
gRegorLove Cool. Thanks
#
gRegorLove What's the preferred micropub response to ?q= if it's not supported?
j4y_funabashi and aaronpk joined the channel
#
aaronpk gRegorLove: I just added some things to the editor's draft about that
#
Loqi aaronpk: cweiske left you a message 2 hours, 32 minutes ago: should micropub's "4.1.3 New Article with HTML" state that content[html] does not contain a full HTML document (with html, head and body tags) but a fragment only?
#
gRegorLove aaronpk: Thanks, I'll read up on it.
#
gRegorLove My logging is incomplete; did you just query with ?q=q or send an access token?
#
aaronpk With an access token and q=config then q=syndicate-to
#
aaronpk tho for a few people I think I didn't include an access token the first time
#
AngeloGladding hey aaronpk -- wondering if rel=pgpkey support was removed from IndieAuth or if I'm doing something wrong
#
aaronpk Still works!
#
AngeloGladding /security/pgp/keys/133D0563643FADBF.asc
#
AngeloGladding This is not a supported authentication provider.
#
AngeloGladding that's one of my IndieAuth bullet points after a re-scan
#
AngeloGladding it has a `rel="me pgpkey"`
#
AngeloGladding tried `.pub` and `.pgp`
#
AngeloGladding oh it isn't currently fetchable..
#
AngeloGladding that's probably going to be it
#
AngeloGladding and of course that was it!
#
AngeloGladding sorry to bother
#
AngeloGladding *works beautifully*
#
loqi.me created /nofollow (+210) "prompted by gRegorLove and dfn added by KevinMarks__" (view diff)
#
loqi.me created /no-follow (+21) "prompted by KartikPrabhu and dfn added by gRegorLove" (view diff)
#
loqi.me created /rel-nofollow (+21) "prompted by gRegorLove and dfn added by gRegorLove" (view diff)
#
loqi.me edited /nofollow (+61) "/* See Also */ new section" (view diff)
#
loqi.me edited /nofollow (+41) "KevinMarks__ added "http://microformats.org/wiki/votelinks" to "See Also"" (view diff)
thebaer and tantek joined the channel