#dev 2016-09-13

2016-09-13 UTC
#
GWG
How do you build trust?
#
gRegorLove
petermolnar: I'm interested to learn more about the reflection attach you mentioned. Not sure I understand.
#
gRegorLove
In my implementation, if you send vouch=C and the domain of C isn't in my approved vouches list, it's rejected without crawling any other domains.
#
gRegorLove
The list of approved vouch domains can be updated manually, but also parses from a "following" page, e.g. http://gregorlove.com/following/
#
gRegorLove
You can point the plugin to any "following" page and it parses the URLs from the h-cards, so in theory could point it to some shared list
#
cmal
interesting
#
gRegorLove
s/attach/attack/
#
cmal
from what I remember a reflection attack to be, I think that was not the appropriate term for what petermolnar was describing
#
gRegorLove
(This is also when "require vouch" option is on. It's not on at the moment for my site.)
#
cmal
I think the discussion was more centered around vouching authenticity and potential DDOS (where the "reflection" would be that two parties are affected by a webmention vouch DDOS, not just one)
#
cmal
gRegorLove: is your vouch-matching library free software?
#
gRegorLove
It's part of the ProcessWire Webmention plugin, not a standalone library. I based it on ben_thatmustbeme's open source code.
#
cmal
GWG: yeah the problem isn't that it's not perfect, but that it barely tries in the specs themselves. That doesn't mean it's not a good enough basis to do something with contacts management like gRegorLove suggested
doesntgolf joined the channel
#
gRegorLove
barely tries? I don't follow
#
GWG
I was thinking of doing it that way.
#
cmal
GWG: then it makes a lot of sense ^^
#
GWG
The following list. It works out as more of a whitelist.
#
cmal
gRegorLove: I don't recall the vouch protocol encouraging to deploy friends lists, from what I remember in the wiki it's mostly "yeah a link on a web page is good enough, but sure if you really wanna be paranoid you can do more"
#
gRegorLove
I think /Vouch purposefully doesn't lay out exactly how you decide if a vouch URL is valid or not. Many approaches to it. https://indieweb.org/Vouch#How_do_I_verify_a_vouch
#
gRegorLove
Double check the FAQs on there; I think it addresses most things, but we can certainly add new ones.
#
cmal
gRegorLove: yes I'm not saying it doesn't, I'm just saying it's considered to be a side-issue and not a core issue of the debate
#
@kwlug
And now @andrew_s_cant demonstrates the principles of #webmentions, used in blog comments, for example
(twitter.com/_/status/775487402110574592)
#
cmal
still out of curiosity, apart from XFN and ActivityPub following/followers is there another proposal?
#
cmal
I notice you're just using plain h-cards on your following list?
#
@kwlug
And now @andrew_s_cant demonstrates the principles of #webmentions, used in blog comments, for example
(twitter.com/_/status/775488416918142976)
#
cmal
I mean, how can the webmention target verify the vouch if it doesn't know what format it's gonna be in (h-cards in XML or JSON, XFN, AS2 JSON) ?
#
gRegorLove
"verify the vouch" means a) Does the vouch URL link to the source domain, as the webmention sender claims.
#
gRegorLove
b) Do I trust the vouch URL?
#
gRegorLove
Doesn't require parsing a specific format.
#
cmal
yeah okay so we're back to having trust in a simple link :-/
#
gRegorLove
I don't understand the problem
#
gRegorLove
I think https://indieweb.org/spam#Spam_Prevention is the main other place on the wiki discussing other anti-spam options in general
#
ben_thatmustbeme
yay, more vouch
#
gRegorLove
But /Vouch has been the main proposal/implementation specific to webmention.
#
cmal
so for instance if your webmention endpoint is open (no vouching) as it is, I can just send you a comment that's going to be displayed on your site with a link to a third site under my control ; from there, I can send spammy spam to all people trusting you to vouch people by just linking to the article I commented on?
#
GWG
I just don't know how I would build a Vouch list.
#
gRegorLove
Re: XFN, for me I don't use it because I haven't seen a use-case for consuming it. My "following" page is primarily for internal purposes: my plugin parses h-cards for the whitelist.
#
cmal
ben_thatmustbeme: sorry, recurring topic when people have somewhat big infras (10s of thousands of users) and a lot of spam-related trouble :D
#
GWG
I need to figure out an implementation that works for my platform.
#
cmal
GWG: I guess it depends on many things: mostly platform settings (what the techs you're building your site with allow you to do) and user settings (whether you want to vouch for everyone you follow, everyone with whom you have a mutual following relationship, only a whitelist, etc…)
#
GWG
cmal, I have to think about the bigger picture. WordPress
#
ben_thatmustbeme
cmal, regarding what you said, "i can just send spammy spam to all people trusting you to vouch people", that's not always a published list. I publish it, but I don't know that anyone else does.
#
GWG
I can extend it, but I need something basic for everyone
#
cmal
gRegorLove: well XFN is too broad and vague for this purpose. who cares if two people are married, friends, acquaintances or coworkers, we just want to know if they should be allowed to send you messages :-P
#
gRegorLove
Heh, yeah
#
ben_thatmustbeme
also true, xfn is modeling much more than is needed for indieweb's uses
#
cmal
and if you're just using following lists, you're basically building a PR pyramid where most-read people can reach out to even more people by getting vouched for effortlessly
#
cmal
(the free-software equivalent of buying "promoted posts" on silos :D)
#
gRegorLove
cmal: Thinking through your example, it's valid. I don't know how one would get a list of "all the people trusting [gregorlove.com] to vouch", though. Presumably if they started seeing a lot of spam get through with my domain as a vouch, they'd remove my domain as a vouch.
#
gRegorLove
Which is some moderation work on their part, yes, but (I think?) less than moderating un-vouched spam.
#
cmal
gRegorLove: I agree, it's not the biggest vector ever, still it's a vector for DDOS as such a case is considered valid until, as you say, somebody notices
#
cmal
sure, the problem is more that such a process can be fully automated and target pretty much anyone until websites overload and you get weird behaviours that open new attack vectors
#
cmal
so you have to consider it outside of a single isolated website, but as a flaw potentially traversing a whole network of websites (the vouch federation)
#
cmal
ben_thatmustbeme: it doesn't have to be public, first because automatic spam (think nmap plugin), and second because one can look at your public interactions with other people to figure that one out
#
cmal
like if I reshared publicly a post of yours on two different days, there's a slight possibility that I follow you somehow, or follow someone who follows you
#
ben_thatmustbeme
yes, but it's still a huge improvement on open webmentions; it significantly increases the difficulty of attacks (you have to scan websites for all interactions), and even then you may not get anywhere, as not everyone will accept vouches and will moderate
#
cmal
again, for such a small community mapping out all the social graph and all the interactions between everyone is probably just a couple hours of spidering / graph processing away (which is a very low entry price)
#
gRegorLove
Vouch is less of a vector for DDOS than without Vouch, right? Am I missing something?
#
ben_thatmustbeme
also, following and accepting vouches from are two VERY different things
#
cmal
ben_thatmustbeme + gRegorLove : sure, not criticizing the step forward already taken, just trying to look ahead ;-)
#
cmal
ben_thatmustbeme +1
#
gRegorLove
I didn't take it as criticism, just trying to better understand :)
#
ben_thatmustbeme
i just like debating
#
gRegorLove
No you don't
#
ben_thatmustbeme
"Look I was looking for an argument" "OH, this is abuse! Arguments is down the hall"
#
cmal
finds it way more useful to debate around vouching and opsec than about "OH MY GOD BURKINIS? ARE THESE WOMEN PEOPLE? CAN MUSLIMS BE FRENCH?", just sayin'
#
ben_thatmustbeme
Anyway, it is true that if someone comments on aaron's site and he displays it, they would be able to automatically get a spam post on my site as well. but I would later notice the spam, delete it, and then look at where the vouch came from
#
ben_thatmustbeme
it offers me an obvious recourse on how to stop that. "I can't trust aaron to not have spam, so i guess he's off my whitelist for now"
#
cmal
… which is good in individual cases, but does not help if I do this with all the open-webmention websites that I find (which is going to be a lot, probably even years from now)
#
ben_thatmustbeme
I'm willing to bet a lot of sites will get moderation by default pretty quickly after the first attack though
#
cmal
ben_thatmustbeme: don't say this, you're going to make me want to write a proof-of-concept <3
#
gRegorLove
Part of the reason we're working on and thinking about Vouch now is that it's solid when Webmention is more widely supported.
#
gRegorLove
So it's not an "off-by-default" thing
#
gRegorLove
It's only off-by-default in my ProcessWire plugin because I know of 3 sites using vouch :)
#
gRegorLove
I think a WordPress plugin should definitely be on-by-default
#
cmal
mapping the IndieWeb social graph, identifying open webmention endpoints, just having one meaningful (hence inoffensive-looking) comment there (or just a reshare, as it would usually be enough to get a link to my site)… with a proper VM I'm sure this script could run throughout the whole Indieweb in a matter of hours
#
ben_thatmustbeme
well there are thousands and thousands of known installs that don't connect to each other
#
ben_thatmustbeme
so i don't think anyone could ever get the "whole indieweb"
#
ben_thatmustbeme
if you mean the core group, i'll save you time https://indieweb.org/irc-people
#
cmal
ben_thatmustbeme: not the exact whole of it, but I'm almost sure (although no calculation will be possible) that somehow one node in the network will always act as a gateway between communities
#
gRegorLove
Yeah, no comments needed, just add yourself there :)
#
gRegorLove
pre-emptively blacklists cmal.
#
ben_thatmustbeme
(although i don't accept indieweb.org as a whitelist vouch)
#
cmal
ben_thatmustbeme: you were saying earlier following and vouching should be decoupled
#
ben_thatmustbeme
tries to remember who used the "anonymous" post site
#
cmal
what do you think about what I proposed earlier to then have user-settings for vouching?
#
gRegorLove
cweiske?
#
ben_thatmustbeme
ended up removing the comment because of it
#
cmal
commentpara.de?
#
ben_thatmustbeme
oh, and there is one other thing, no comments on my site will act as a vouch
#
ben_thatmustbeme
i tag them all rel=nofollow
#
ben_thatmustbeme
it's only if I actually reply to the commenter that they can use me as a springboard for spamming the network
#
cmal
smart
#
ben_thatmustbeme
i believe many others do as well
#
cmal
yeah it's specified on /Vouch, but is only mentioned once (without explanation, on step 6 of "Vouch selection")
#
cmal
(at least that I could find)
#
ben_thatmustbeme
feel free to expand on the reason for it
#
cmal
will do :)
#
cmal
I'm actually taking a lot of notes regarding such issues (authentication, encryption, vouching) to try and summarize the current state of the art
#
cmal
yeah because I think the current protocols are not that far from something really cool, we just need to piece it all together, and make everything very explicit (like this nofollow thing for instance which should be a big warning sign :D)
#
gRegorLove
I seem to recall tantek making a case against using nofollow on links, but I don't remember exactly what they were.
#
cmal
I think aaronpk the other day was proposing PGP-signed webmention payloads for 1-round webmentions, but someone today figured it could be a huge factor for DDOS (as verifying authenticity requires lots of math)
#
cmal
so I don't know, there's always going to be some trade-offs, I guess :D
#
ben_thatmustbeme
tantek was making that case i believe yes. rel=nofollow has been pretty much pointless in practice
#
gRegorLove
Do you send/receive webmentions currently cmal, or waiting to work through these issues?
#
ben_thatmustbeme
it would really just be repurposing something that has not been too useful
#
gRegorLove
Just double-checked and mine won't accept a nofollow link as a vouch either.
#
cmal
gRegorLove: not on cmal.info anymore (just migrated after an unfortunate unpaid bill), but I have an account on a Known on social.unixcorn.org :)
#
gRegorLove
Hah, unixcorn. Love it.
#
cmal
yeah, pretty name for a pretty project :D
#
cmal
it's a free-price hosting cooperative, still very new and small, also the blog is not really finished yet (almost finished implementing on https://nimportequoi.unixcorn.org , microformats2 are not everywhere just yet)
#
ben_thatmustbeme
woo, i think all the functionality of my new app is done, well, i should probably retest posting from it
#
ben_thatmustbeme
but then it's just a TON of UI work to do
#
cmal
yay ~o~
#
cmal
micropub stuff?
#
ben_thatmustbeme
replacing mobilepub
#
ben_thatmustbeme
success. but not for categories
#
ben_thatmustbeme
oh, duh, my website was using category as a comma separated list.... good thing i can change that in the configs on the new app
#
ben_thatmustbeme
i went a bit overboard in configs
#
ben_thatmustbeme
OH, i'm still missing one part functionality wise
#
ben_thatmustbeme
adding new fields
#
cmal
anyway, I'm off for the night, thanks for the discussion ben_thatmustbeme and see you around :)
#
GWG
ben_thatmustbeme: Do you still use php-comments?
#
ben_thatmustbeme
GWG: Yes, though I believe I made a few modifications for my setup. Been a while since I touched that code
#
GWG
ben_thatmustbeme: I'd like to see some of your changes merged.
#
GWG
Like the syndication one.
tantek, KevinMarks_, AngeloGladding, KevinMarks, KevinMarks__, cweiske and loicm_ joined the channel
#
KevinMarks__
Zegnat - what language are you implementing in?
#
Zegnat
Vanilla JavaScript, it is a WebExtension after all. Hopefully compatible with Chrome/Opera/Firefox without code differences.
#
Zegnat
I think I need Promise.all() to have the fetches all run asynchronously, but (I think) that means I have to wrap them all. If a fetch rejects then Promise.all() will stop.
#
KevinMarks__
Ah right, I wasn't sure if you were making something server side
#
Zegnat
No, I would like to keep it all contained to the browser, no dependencies.
#
KevinMarks__
I don't know the fetch api well enough to advise. Does it let you get called back on 301/302?
#
Zegnat
Currently I parse the current tab for rel-me links, I then asynchronously fetch every page linked to with those, then I simply parse the returned HTML for rel-me links again and do a string compare on it.
#
Zegnat
I believe fetch simply resolves 301/302, much like standard XHR does.
#
Zegnat
On http://epeus.blogspot.com/ the extension finds 3 rel-me links. It will then have to do a fetch for each one to resolve it. And somehow I would like to exit that process as soon as one of them resolved to the URL I am looking for (i.e. http://www.kevinmarks.com/)
#
KevinMarks__
Reading docs, there is a manual redirect mode, which is on by default in chrome now.
#
KevinMarks__
The spec says request has a url list of the redirected ones
#
Zegnat
But I am not sure how I would do that. Promise.all() would let me run all 3 fetches and then handle the result once all 3 are done, but that sounds sub-optimal and may result in more fetches than needed.
#
Zegnat
Yeah, I don't think fetch is going to be the problem. Me wrapping my head around this Promise-chaining-thing, that is where I am stuck ;)
#
cweiske
what is a reply?
#
Loqi
A reply (or comment) is a kind of post that is a text (typically, though photos are possible too) response to some other post, that makes little or no sense without reading or at least knowing the context of the source post https://indieweb.org/reply
#
cweiske
what is a reply?
#
Loqi
A reply (or comment) is a kind of post that is a text (typically, though photos are possible too) response to some other post, that makes little or no sense without reading or at least knowing the context of the source post https://indieweb.org/reply
#
cweiske.de
created /Category:PostType (+58) "Created page with "Types of posts that [[Micropub]] and/or software supports.""
#
KevinMarks__
If you have a list of promises, can't you cancel the incomplete ones?
#
cweiske.de
edited /posts (-109) "/* See Also */"
cmal joined the channel
#
Zegnat
KevinMarks__: Promises cannot be cancelled, no. Neither can fetch.
#
GWG
Morning
#
Loqi
*yawn*
#
Zegnat
Hello GWG :)
#
GWG
Any excitement?
#
Zegnat
Not here. Was doing some more WebExtensions work and learning about fetch API. But got stuck.
#
GWG
I usually put something aside for a bit when that happens
#
petermolnar
right. I recreated my formerly PHP standalone webmention receiver in python with background processes for parsing - I should have switched languages for this a _long_ while ago
#
petermolnar
I don't need queues this way
#
petermolnar
but I'm really not going to show this yet, my Python is caveman style for now :D
#
GWG
petermolnar, good luck
#
GWG
petermolnar, I still would like someone to write a receiver that can easily be installed that can send the parsed webmention to any system.
#
GWG
I would like something in php though, since that is what I am using right now.
#
cweiske
you'd only need a micropub endpoint for that
#
cweiske
if that would exist
#
GWG
Yes
#
cweiske
webmention.io could do that, sending comments via micropub to one's blog
#
GWG
cweiske, I want to host my own.
#
cweiske
me too
#
cweiske
basically the micropub request would be a "normal" request and would only need to contain an additional field "comment-of" with the url
#
aaronpk
don't we already have that with "in-reply-to"?
#
aaronpk
the comment needs to specify its own URL, so the micropub request would also include the "url" property which normally isn't part of the request
#
KevinMarks__
Zegnat, having read lots of discussion about fetch and cancellable promises, I see what you mean. I'd suggest that you don't put them all in flight at once, but start the next fetch once the first has completed so you don't use up all the client's http resources.
#
KevinMarks__
Also, given you only want the redirect chain, see if you can use HEAD first as that should let you resolve the redirects without fetching data
#
voxpelli
aaronpk: on Micropub feedback – has anyone looked at or discussed https://github.com/w3c/Micropub/issues/33 ?
singpolyma joined the channel
#
aaronpk
i'm getting to it :)
doesntgolf joined the channel
#
@WendyandCharles
ReadersGazette: BLOG Indie Author Answers by Jim Heskett http://www.thejugglingauthor.com/indieauth/ Get help writing your book #bookbloggers 70
(twitter.com/_/status/775426321883230208)
bear, miklb, j4y_funabashi, tantek and cweiske joined the channel
#
cweiske
is there an open source micropub endpoint that supports delete queries?
#
cweiske
known doesn't
#
www.boffosocko.com
edited /read (+1359) "emoji for reading indicators"
cweiske joined the channel
#
cweiske
!tell aaronpk should micropub's "4.1.3 New Article with HTML" state that content[html] does not contain a full HTML document (with html, head and body tags) but a fragment only?
#
Loqi
Ok, I'll tell them that when I see them next
#
cweiske
s/them/him/
#
tantek
cweiske: huh, that them/him response from Loqi was odd as I thought Loqi knew better than that. Perhaps this version of Loqi lacks access to the pronoun preferences file or something.
#
Loqi
says something.
#
cweiske
we'll never know
kants_, AngeloGladding, rascul, KevinMarks__, cweiske, Zegnat, tommorris, kline, tonious, sknebel, myfreeweb, singpolyma, rhiaro, bnvk_, ben_thatmustbeme, tantek, bear, GWG, petermolnar, plindner, j4y_funabashi, cmal, aaronpk, bret, voxpelli and gRegorLove joined the channel
#
tantek
!tell cweiske thanks for the ping on https://github.com/w3c/Micropub/issues/48 - followed up on that and the related h-entry issue with hopefully a sufficient explanation. Likely worthy of an FAQ.
#
Loqi
Ok, I'll tell them that when I see them next
#
www.funwhilelost.com
edited /User:Www.funwhilelost.com (+187) "/* Andrew Jacobs */"
#
gRegorLove
Was anyone running queries against micropub endpoints today, about 8:50AM Pacific? I got a log (and found a bug)
#
gRegorLove
Hoping it was someone here
#
sknebel
gRegorLove: aaronpk did so ~5.30 hours ago
#
sknebel
(too lazy to look the conversion up, sorry ;))
#
gRegorLove
Cool. Thanks
#
gRegorLove
What's the preferred micropub response to ?q= if it's not supported?
j4y_funabashi and aaronpk joined the channel
#
aaronpk
gRegorLove: I just added some things to the editor's draft about that
#
Loqi
aaronpk: cweiske left you a message 2 hours, 32 minutes ago: should micropub's "4.1.3 New Article with HTML" state that content[html] does not contain a full HTML document (with html, head and body tags) but a fragment only?
#
gRegorLove
aaronpk: Thanks, I'll read up on it.
#
gRegorLove
My logging is incomplete; did you just query with ?q=q or send an access token?
#
aaronpk
With an access token and q=config then q=syndicate-to
#
aaronpk
tho for a few people I think I didn't include an access token the first time
#
AngeloGladding
hey aaronpk -- wondering if rel=pgpkey support was removed from IndieAuth or if I'm doing something wrong
#
aaronpk
Still works!
#
AngeloGladding
This is not a supported authentication provider.
#
AngeloGladding
that's one of my IndieAuth bullet points after a re-scan
#
AngeloGladding
it has a `rel="me pgpkey"`
#
AngeloGladding
tried `.pub` and `.pgp`
#
AngeloGladding
oh it isn't currently fetchable..
#
AngeloGladding
that's probably going to be it
#
AngeloGladding
and of course that was it!
#
AngeloGladding
sorry to bother
#
AngeloGladding
*works beautifully*
#
loqi.me
created /nofollow (+210) "prompted by gRegorLove and dfn added by KevinMarks__"
#
loqi.me
created /no-follow (+21) "prompted by KartikPrabhu and dfn added by gRegorLove"
#
loqi.me
created /rel-nofollow (+21) "prompted by gRegorLove and dfn added by gRegorLove"
#
loqi.me
edited /nofollow (+61) "/* See Also */ new section"
#
loqi.me
edited /nofollow (+41) "KevinMarks__ added "http://microformats.org/wiki/votelinks" to "See Also""
thebaer and tantek joined the channel