#dev 2022-01-02

2022-01-02 UTC
prologic joined the channel
prologic
[10:03:23] <prologic> How do you guys deal with your web mention endpoints being abused by bad actors that might just spam it?
prologic
[10:03:40] <prologic> Or even attack it to cripple your endpoint
[chrisaldrich]
prologic, I know the WordPress plugin has the ability to "approve and always allow" comments from particular trusted domains, otherwise I mostly rely on Akismet spam to do a bulk filter on incoming comments.
prologic
Yeah okay so a human approval system
prologic
My point was it's pretty much an open attack vecgor
prologic
vector*
[chrisaldrich]
Not sure if anyone has seen major incoming spam other than maybe larger processors like webmention.io and brid.gy, though I'm not sure what, if any, methods they may use for repeated abuse.
prologic
Yeah the reason I'm bringing this up is I'm reconsidering fixing webmentions in yarnd (the software behind yarn.social)
prologic
It's broken atm (has been for a while) :/
[chrisaldrich]
It is a vector in some sense, but it also requires some work on the sender to put up a web page to do it. I don't think there's been much abuse or spam in the wild yet.
[chrisaldrich]
what is spam?
Loqi
spam is unsolicited content, often transmitted via email, submitted as blog comments or posted to popular wikis https://indieweb.org/spam
prologic
Well I'm not necessarily just referring to spam here right
prologic
Basically any bad actors and any abuse of the endpoint(s)
prologic
Hitting it hard, DDoSing it, spamming it with crap, etc
[chrisaldrich]
That page has the only documentation on webmention spam I think we've seen: https://indieweb.org/spam#Webmention
prologic
kk
[chrisaldrich]
[snarfed] may be able to describe what he's done in the past with accidental abusers resending thousands of webmentions on a regular basis, though these are usually cases where static site rebuilds are accidentally reprocessing every webmention they've ever sent.
[chrisaldrich]
others may have ideas and bits of anecdotal history as well.
prologic
It's probably quite niche/small too I guess, so not something that attracts a lot of attention? 🤔
[chrisaldrich]
That's a possibility, but who would want to create hundreds of thousands of pages on the web to force an endpoint to process them all? Even if you had just one page and kept resending, I'm not sure how much damage that would do as most receivers may not reprocess each request unless there's an update. I haven't looked at the spec in a looong time.
[chrisaldrich]
I'm sure that people have resent me webmentions or even updates, but because of the WordPress plugin design, I'm not really seeing updates for each and every one of them.
edgeduchess[d]
prologic: isn't the "niche/small" only going to be true as long as the protocol doesn't reach popularity?
edgeduchess[d]
if one can get the indieweb to grow, i would expect people to exploit any type of weakness like this more often
prologic
What's ya point? :)
edgeduchess[d]
mostly just that if this is actually a problem, the fact that it's niche/small doesn't mean it should be handwaved away
prologic
Oh no that wasn't what I was implying :)
edgeduchess[d]
oh sorry if i misread
prologic
Anyway I'm just reconsidering whether I revive our broken webmentions endpoint handling
prologic
So no worries 👌
[chrisaldrich]
The spec does have some differences from the prior pingbacks and trackbacks which made spam a much easier thing to accomplish.
KartikPrabhu, darkkirb and nertzy joined the channel
[tantek]
edgeduchess[d] and prologic, you're both right
[tantek]
as [chrisaldrich] says, we've learned lots of lessons from prior attempts and Webmention has many more barriers to abuse than trackback or pingback
[tantek]
rather than some absolute attempt at preventing abuse, I'd like to see us explore a user-centric model of directing focus toward people you want to interact with, à la that progressive circles diagram that I shared earlier
prologic
I think my use-case is a little different, originally I used webmentions as a way to do cross-pod (for Yarn.social) mentions -- I also supported regular "Web" mentions as well, but in limited ways
prologic
Now I'm thinking about fixing it (currently broken) and maybe using it as a "mechanism" for pods to ping each other and say "hey so and so just posted, go pull their feed if you want"
KartikPrabhu joined the channel
aaronpk
that sounds like websub
aaronpk
i would not recommend repurposing webmention as a general purpose subscription mechanism since there are other concerns around a subscription mechanism that won't be referenced by the webmention spec
prologic
Hmm websub huh?
aaronpk
it's specifically designed for the use case "hey i just posted go pull the feed"
prologic
The trouble I have is some of the IndieWeb stuff _doesn't quite_ fit my needs/use-cases in some ways
prologic
They're close, but not quite if you know what I mean
prologic
Pods already peer with one another and soon (once implemented) will likely do some kind of gossiping too
prologic
But otherwise they are primarily "pull" based
aaronpk
give it a read, it might have the pieces you want
aaronpk
but if you're building something that only ever intends on interoperating with yourself, then you don't need to follow any other specs and you can just do whatever you want
prologic
Well that's part of the juggling act really, isn't it
prologic
There are discussions of us opening up and integrating with the so-called "Fediverse" for example through ActivityPub
aaronpk
and on the flip side, if you think an existing building block is close but missing something, then it's worth talking to the larger community to see if it makes sense to update or extend the existing pieces
prologic
But here's the thing, ActivityPub as a spec is insanely over-engineered and is the opposite, "push" based
prologic
So I'm very reluctant to do that at all
aaronpk
i agree, activitypub is more like picking up the whole Rails/Laravel stack vs using small purpose-specific libraries
prologic
But yeah I'll have a read of websub for sure and see how it _could_ be used between pods where you get the best of both worlds, a convergent decentralised social network, but more-or-less real-time on pods (running yarnd)
prologic
*nods* 100%
prologic
It's insane, which is why I never went down that path
prologic
yarn.social / Yarn itself (as some of you might know) is actually based on Twtxtv2 (we extended it) + HTTP
prologic
That's it
aaronpk
one thing i think you will like about websub is that you can treat it as either a pure push-based delivery system ("fat" notifications) or purely pull where you treat the ping as just a notification of new content.
prologic
You need only to host a feed + avatar somewhere and a decent client that adheres to the specs
prologic
I _think_ the main issue I have -- hence the initial discussions around attack vectors, is the possibility of some bad actor abusing the endpoints in a way that causes pods to constantly go pull feeds
prologic
Rather than any legitimate "push/notification" from another pod
aaronpk
that's a great example of something that websub addresses that webmention by definition can't
prologic
Anyway I will have a read 👌
jeremycherfas, nertzy_, alex11, Charlotteracracs and reed joined the channel
[KevinMarks]
another thing is that bridgy can bridge in twitter noise too, so you may need a circles of relatedness model like tantek was saying for that too
jeremycherfas joined the channel
prologic
> Bridgy connects your web site to social media. Likes, retweets, mentions, cross-posting, and more... Connect your accounts: ...
prologic
Uggh sounds disgusting 😂
prologic
Maybe not hmmm what is this thing actually? 🤔
prologic
Interesting
Eddy04[d] joined the channel
GWG
I still need to update those h-feed pages
kushwah_raj[d], Brutallykilled1[ and jackdaw[d] joined the channel; prologic left the channel
[snarfed]
prologic: happy to answer any Bridgy q's!
tetov-irc joined the channel
juanchipro[m]
hi
juanchipro[m]
Speaking of that, and now that I want to improve my website, I am against webmentions, cross-things and all that.
juanchipro[m]
I have been thinking about "Significance". I dislike pages where the comments are an endless list of webmentions and cross-links. But few meaningful comments.
juanchipro[m]
On my site I don't want to know about mentions. It's good that they exist, but I don't want to prove anything with it. IMO webmentions are good, but only to appear to be popular. But I will look for other less intrusive and more meaningful methods.
[KevinMarks]
you can choose which webmentions to show on your site - using post type discovery you could automatically ignore the likes, reposts, bookmarks and only show the notes or articles https://indieweb.org/post-type-discovery
[KevinMarks]
or you can use that to help decide which ones to show manually
barryf[d] and [jacky] joined the channel
petermolnar
juanchipro[m]: what if you think of them as bi-directional links and not as a popularity thing? E.g. treat or show them all as "incoming link"?
[snarfed]
anyone able to help me with a CSS q? in light mode, the "Post comment" button at the bottom of my posts, e.g. https://snarfed.org/2022-01-01_45569 , is visible on Firefox but not on Chrome or Safari
[snarfed]
browser specific CSS bugs 😭
[snarfed]
I've been poking around in Chrome's dev tools but haven't figured it out yet
Zegnat
Let's see if I can reproduce
Zegnat
the bug that is
Zegnat
Just need to grab a machine that has a non-firefox browser
Zegnat
[snarfed]: I am getting Chrome telling me that --bg-blue is not defined.
Zegnat
I wonder if there is some difference in how browsers fall back from that, if no fallback is provided in the CSS. Where maybe Chrome sets no background at all, while Firefox falls back to setting the background to whatever less specific CSS sets
juanchipro[m]
Hey here, I'm in a bit of a state of shock. But just a little bit of the truth. It turns out that about a month and a half ago I decided to make a clean break from my blog and my digital life. And I decided to do something indie, a digital garden specifically. And I decided to start from scratch with javascript.
juanchipro[m]
It turns out that looking at the wiki here it seems that using javascript is frowned upon.
juanchipro[m]
I did some research:
juanchipro[m]
IMO that hate is unbridled. The post is from 2016. I think things have changed. A technology is not per se bad. I understand things like accessibility and that in the past there were security breaches. But I think that should all be overcome.
juanchipro[m]
Anyway, in my case there is no turning back. I embrace the javascript god, I have no choice, ha.
Zegnat
[snarfed]: I cannot find any good documentation on it, but I cannot seem to get your media query to work at all with the "not" keyword in there. Something that WebKit does not support?
Zegnat
juanchipro[m]: so many layers to that discussion, haha. I think many people who have contributed to the IndieWeb wiki are of the opinion that HTTP and HTML are enough to send thoughts around. If just reading text on a page depends on JS you might be excluding people from getting at your thoughts. Loads of different reasons for that, from old accessibility tools, to hardware limitations, to even just bandwidth and connection limitations around the world.
zerojames[d]
What is progressive enhancement?
Loqi
progressive enhancement is the web development practice of building web pages, sites, apps so they are at least readable, and preferably allow for most if not all interactions, from any kind of browser, and optionally take advantage of additional capabilities (like various CSS & JS features) when available https://indieweb.org/progressive_enhancement
zerojames[d]
juanchipro[m] I have tried to build my personal services in line with the progressive enhancement principle.
zerojames[d]
Pages should work without JS enabled but if JS is enabled visitors get a few more features.
zerojames[d]
For instance, my comments don't render on my site if JS is disabled. But everything else (excluding one JS-powered page) works.
zerojames[d]
I personally think HTML and HTTP are perfect for sharing content but JS in many cases lets you make a much better UX.
juanchipro[m]
I disagree, there is no reason to disable JS other than being a conspiracist. I respect it of course but I don't agree with it. I don't want to dilate on my reasons or be tiresome, but JS is not worse than pure HTML, and of course it is much better than PHP. And for ecological reasons -Greta Thunberg seal of approval hahaha- JS saves bandwidth.
Loqi
juanchipro[m]: lol
juanchipro[m]
Finally, a Juanchi-advice, JS is not diabolical, use it if you feel like it. Being indie doesn't mean being spartan, but minimalist and eclectic, I think, I don't know.
Zegnat
None of the reasons I gave were about having JS disabled. I totally agree that it is completely feasible to not expect JS disabled browsers. But there are a tonne of reasons why JS fails otherwise. It used to fail for me a lot travelling around in rural Sweden. Not because I wanted to save bandwidth, but simply because bandwidth was not available. I would lose mobile internet connection randomly. Browsers are very good at loading HTML, but if they were still loading JS in the background they will just stop doing that and not even retry. Leading to bad experience.
Zegnat
A lot of that is also audience related though of course
@jamesravey
Spent some time today implementing webmention support on my website. Likes/retweets/reboosts and tweets/toots show up as comments on my page now as well as “standard” replies/comments from other blogs (https://brainsteam.co.uk/notes/2022/01/02/1641143719/)
(twitter.com/_/status/1477691646275997697)
vilhalmer joined the channel
juanchipro[m]
Well, I'm not going to convince anyone. My website is 100% pure javascript and I'm happy. It is super interactive. I don't want to go back to PHP+MySQL "hell". I just hope people don't disable javascript just because.
sknebel
if you use JS on the frontend also has nothing to do with PHP+MySQL or not...
zerojames[d]
There is no need to convince anyone 🙂
zerojames[d]
What is JS;dr?
Loqi
js;dr is JavaScript required; Didn’t Read https://indieweb.org/js;dr
zerojames[d]
JS can cause trouble with archiving but I do wonder how modern headless browsers fare with JS now.
zerojames[d]
Many sites use tools like Next.JS and create an amazing UX thanks to the rich ecosystem of components.
zerojames[d]
Just as an example.
aaronpk
also if you think php + mysql is "hell" you're probably using them wrong :D
juanchipro[m]
> if you use JS on the frontend also has nothing to do with PHP+MySQL or not...
juanchipro[m]
I have fullstack. React + Express. Well, everything. Minimalist page though. But it's super fast. I don't mind if DuckDuck doesn't read it. Google does. And Google commands a lot, yes, sir.
juanchipro[m]
Javascript is super difficult. Master level. But if you can master it, you'll reach the sky.
juanchipro[m]
I don't care about the Archive.org. I am nobody important. In fact, I'm a little shit. After 100 years we will all end up in a mass grave and forgotten (I read that somewhere). My motto is to enjoy the now, the moment.
vj-- and KartikPrabhu joined the channel
juanchipro[m]
Not to be displayed by default. And to be entered simply. A single line and ENTER.
juanchipro[m]
And a button to delete unusable data. No author, if someone wants to identify himself/herself, in the body of the message. The date is stored by default. The creation date is important.
juanchipro[m]
"Significance" is the key. And minimalism.
juanchipro[m]
What I find horrendous is Disqus. I mean for an authentic indie site. It's Javascript. My site is JS of course, they would match well. But it's not OS, it has ads, your data doesn't belong to it and above all I feel that on the sites where it's used, it feels strange; it's like a weird sticky on the page. In my browser I see the small letters. It doesn't fit well with the blog templates. I don't know, but discarded.
juanchipro[m]
s/What I find horrendous is Disqus. I mean for an authentic indie site. It's Javascript. My site is JS of course, they would match well. But it's not OS, it has ads, your data doesn't belong to it and above all I feel that on the sites where it's used, it feels strange; it's like a weird sticky on the page. In my browser I see the small letters. It doesn't fit well with the blog templates. I don't know, but discarded./What I find horrendous is Disqus. I mean for an authentic indie site. It's Javascript. My site is JS of course, they would match well. But it's not OS, it has ads, your data doesn't belong to your own and above all I feel that on the sites where it's used, it feels strange; it's like a weird sticky on the page. In my browser I see the small letters. It doesn't fit well with the blog templates. I don't know, but discarded./
KartikPrabhu joined the channel
@aswath
↩️ I am happy to note that they auth your email. It would have been much better if they auth your URL using indieauth. Then we could do "social" as well.
(twitter.com/_/status/1477708035627884557)
Zegnat
Seems like a perfectly fine choice for your own site, juanchipro[m] :) Like I said, just know your audience. And seems like you have already thought about that if you know not all search indexing and archiving bots will work. Probably other indieweb/federation tech that will not work either, unless you are able to still push some JSON-LD/link-elements without JS when the HTTP request comes in. Very few HTTP tools will run JS to discover metadata.
Zegnat
zerojames[d]: if by "modern headless browsers" you just mean running Chromium headless, they deal perfectly fine with JS ;)
alex11 joined the channel
[tantek]
Zegnat++ re JS fragility. I believe folks have made the comparison to draconian XML mistakes of yore
Loqi
Zegnat has 11 karma in this channel over the last year (28 in all channels)
[snarfed]
Zegnat++ thanks for the CSS hint! that `not` operator might be the right lead
Loqi
Zegnat has 12 karma in this channel over the last year (29 in all channels)
[snarfed]
hrm, maybe. docs on media query operators show that `not` is right: https://developer.mozilla.org/en-US/docs/Web/CSS/@media#logical_operators
[snarfed]
"If you use the not operator you must set a media type (like screen or print) as well. If you don't, the media type will be all, and then your media query will read "not all" so it won't get applied anywhere."
[snarfed]
yup, changing `not (prefers-color-scheme: dark)` to `not screen and (prefers-color-scheme: dark)` solved it. thanks for the nudge Zegnat!
Zegnat
Nice one [snarfed]! I could not find any articles specifically about "not" for the life of me :/
Zegnat
Is there some reason you are wrapping both blocks of variables in media queries? I usually put 1 always (default colours) and then a media-queried block that overwrites it
[snarfed]
got me, I don't really know CSS, I just 🐶
[snarfed]
maybe your way would be better
Zegnat
Last double themed thing I did used the following pattern and I have not had any complaints (yet):
:root { --background: black; }
@media (prefers-color-scheme: light) { :root { --background: white; } }
Zegnat
Not sure if it is better per-se, but it gives me some form of fallback, or at least peace of mind, haha
[jacky]1, saptaks_znc, nertzy__, ^ilhalmer, _jackdaw[d], angelo_, feoh, stevestreza_, kloenk, tetov-irc2, vj--_, alex__, bneil2, [chrisaldrich]3, jjuran_, [jacky]2, nertzy, jackdaw[d], rrix_, lagash_, ben_thatmust, vilhalmer, joshproehl___, doosboox, jeremycherfas, saptaks, sp1ff, GWG and darkkirb joined the channel
petermolnar
> I disagree, there is no reason to disable JS other than being a conspiracist. - yes, there is, as long as sites load JS code that is longer than War and Peace.
petermolnar
juanchipro[m]: JS on server side is fine, but if there is no HTML sent over the wire, tools like wget, curl, etc won't be able to deal with it.
justIrresolute and superkuh joined the channel
petermolnar
and that is not just archive.org, but a LOT of tools
petermolnar
so then the question does indeed boil down to what Zegnat said: know your audience
jjuran, IWSlackGateway, jamietanna[m], rommudoh[m], tetov-irc, vilhalmer, juanchipro[m], doubleloop[m], npd[m], Charlotteracracs, micahrl[m], hala-bala[m], benatkin, tomleo[m], astralbijection[, reed, Darius_Dunlap[d], vikanezrimaya, binyamin[m], PeterMolnar[m], Abhas[m], Lohn, EvanBoehs[m], unrelentingtech, LaBcasse[m], samwilson, alex11, diegov, mambang[m] and nekr0z joined the channel
edgeduchess[d]
getting to the discussion late, but my personal take is that it can make sense to go "JS-only" in the short term, but if you do have time or want to do something that's stable long-term working towards not needing JS makes sense and it will eventually lead to a better experience for your users
rommudoh[m], reed, Abhas[m], benatkin, samwilson, hala-bala[m], doubleloop[m], vikanezrimaya, Lohn, diegov, mambang[m], binyamin[m], unrelentingtech, jamietanna[m] and astralbijection[ joined the channel
edgeduchess[d]
but it's also totally fine to decide no-JS gets e.g. a read-only experience
edgeduchess[d]
but also generally the tools going around are more and more leaning towards SSR and executing at the edge and all that stuff and while this further complicates the stack it points at everyone seeking some sort of balance between "no js" and "limited interactivity"
Zegnat
(Or just based on personal whim, because that is the whole point, your personal site is personal and fun :D )
Zegnat
We have discussed similar things around HTTP vs HTTPS. E.g. offer HTTP versions of the site where you strip out all interactivity so interactions are only possible on secured connections.
Zegnat
It is completely fine to compartmentalise features like that based on tech availability if you ask me.
edgeduchess[d]
I think that makes sense, yes
zerojames[d]
That is true.
zerojames[d]
I have felt a bit pressured to use no JS when possible for reasons I cannot articulate.
zerojames[d]
But to be honest JS might be incredibly helpful for some things.
Seirdy joined the channel
zerojames[d]
Trying to avoid JS where possible did enlighten me to what you can do without JS though.
zerojames[d]
You can make a lot without it.
edgeduchess[d]
I think the Remix framework has interesting takes on this all
edgeduchess[d]
I've seen people claim that by using it they're learning HTML can do stuff they'd automatically reach out to JS for
edgeduchess[d]
and that's kind of where the crux lies, I think
edgeduchess[d]
you can probably get rid of a bunch of JS by learning HTML better
edgeduchess[d]
but rather than focusing on teaching that positively, often it ends up with just shaming people out of JS
zerojames[d]
I agree.
[tantek]
lot of trade-offs for sure. my two biggest annoyances are still speed & reliability, specifically in mobile / limited bandwidth use-cases, both of which are nearly universally harmed by depending on JS
[tantek]
like the laughable sites where "links" aren't actually clickable until some external JS loads. like really? you worked extra hard to break hyperlinks on the web. great job, you screwed up the #1 feature
tetov-irc and IntriguedWow[d] joined the channel