#dev 2020-12-17

2020-12-17 UTC
[eddie], [snarfed], [tantek], NinjaTrappeur, djmoch, petermolnar, voxpelli, genehack, danyao, mattl, MylesBraithwaite, shrysr, sebsel, geoffo, ShadowKyogre, shoesNsocks, [schmarty], hirusi, [Kevin_Faaborg], gxt, schmudde, jeremycherfas, [jgmac1106] and [KevinMarks] joined the channel; ShadowKyogre left the channel
jeremycherfas, [Murray], [Ana_Rodrigues], [jgmac1106], hirusi, geoffo, schmudde, jolvera, [chrisaldrich], [tw2113_Slack_], [snarfed], sp1ff, gxt, swentel, KartikPrabhu, nickodd, [pfefferle], shoesNsocks, shoesNsocks1 and [chrisaldrich]1 joined the channel; nickodd left the channel
#
[snarfed]
hey aaronpk did you think much about how to secure your OYG browser extension? i’m struggling with that for bridgy’s
#
[snarfed]
maybe doesn’t matter for you if yous is self-contained. bridgy’s won’t be, though, and i haven’t yet figured out how to prevent people from going under the covers and fabricating arbitrary responses
#
[snarfed]
wondering if i can reuse ideas from PKCE, but not sure how yet
[schmarty] joined the channel
#
[snarfed]
specifically, if the browser extension just fetches from IG and passes the fetched HTML/JSON on to Bridgy, the attack is to forge that IG HTML/JSON and send it directly to Bridgy
#
[snarfed]
i thought about trust on first use, ie give the client a token when they first send an IG profile to create a Bridgy account, but that’s just as easily forged
#
[snarfed]
the only reasonable defense i’ve come up with is to IndieAuth the user, check for bidirectional rel-me on IG, and then include the IndieAuth token in every request. ugh
#
aaronpk
oh huh, yeah i don't have that problem on mine because the user has to indieauth first anyway in order for the extension to be able to send the micropub request
#
[snarfed]
ok, so you don’t really care about validating the contents since they can only post to their own site
#
[snarfed]
sigh ok. lmk if you have any thoughts
#
aaronpk
yeah the worst someone can do is make the extension send stuff to their own website in my case
#
aaronpk
in your case I'd expect something similar, where the worst they could do is make bridgy send a webmention to their own site, but not to other sites
#
[snarfed]
ideally yes
#
aaronpk
do you make them sign in with anything on bridgy to set it up?
#
[snarfed]
technically bridgy already has a u-url that’s off domain, so the spoofing threat is no greater than spoofing directly on their own server, but in practice i think a bunch of people semi special case bridgy
#
[snarfed]
not yet, still deep in development. was hoping to avoid it, but based on this, i’ll probably have to
#
aaronpk
i guess even aside from the extension details, you'd probably want to avoid someone being able to set up webmentions for someone else's instagram account to arbitrary websites
#
[snarfed]
maybe. all of this “spoofing” via u-url is doable now independent of bridgy, but bridgy should hold higher standard due to its reputation
#
aaronpk
sorta, i think it's more about making sure bridgy can't be used to attack arbitrary websites
[tantek] joined the channel
#
[snarfed]
right, due to its current level of trust. since if the “attack” is just fabricating arbitrary responses with external u-urls on instagram.com, anyone can do that directly, without bridgy
[Rose], [KevinMarks], shoesNsocks, schmudde, [tw2113_Slack_] and [Raphael_Luckom] joined the channel
#
@kkd
WebmentionやMicropubに対応するWikiがほしい。Scrapbox対応してくれないだろうか?FedWikiにそういうプラグインつくってみようかな。。。その前にFedWikiちゃんと使わないといけないけど。 #indieweb
(twitter.com/_/status/1339709822682472448)
[chrisaldrich] joined the channel