#dev 2022-11-04

2022-11-04 UTC
bterry3 joined the channel
#
barnaby
continuing the discussion from #microformats: I do have some reservations about showing h-app authorship information on IA consent screens as there’s currently no way to verify it, so it makes creating phishing attacks much easier.
#
barnaby
the only pieces of user-facing data about the client which the IA server can be sure is real are the client_id (i.e. URL) and redirect_uri
#
barnaby
so I feel like the more additional parsed information we show (app name, app logo, app authorship information), the more important it is to communicate to users that the client_id is the only piece of information they should use to decide whether to trust an app or not
#
barnaby
I think that showing a warning if a client app’s self-reported h-app url property is different to its client_id would be a reasonable first step
#
barnaby
heh currently taproot/indieauth only displays parsed h-app data if the h-app url property is an exact match of the client_id
#
barnaby
so I’m ahead of myself here apparently
geoffo and strugee joined the channel
#
aaronpk
there's actually another layer to it too
#
[jgarber]
barnaby: Those are great points.
#
aaronpk
really redirect_uri is the one that matters, since that's where the authorization code will be sent
#
aaronpk
so if the redirect_uri doesn't match the client_id, that's a potential red flag (but not necessarily a dealbreaker)
#
[jgarber]
…and the rules there are either same domain or published redirect_uris on the client_id’s site
#
[jgarber]
If I’m recalling the IndieAuth spec correctly.
#
aaronpk
same domain is pretty straightforward, published on the client_id site doesn't prevent phishing but does prevent other issues
#
aaronpk
oauth phishing is a really hard problem to solve in general though
#
aaronpk
google has tried really hard by creating a whole verification process for apps depending on which scopes they want access to
#
aaronpk
if you want to send email for a user's account, you need to go through a formal security audit which might cost like $20,000
#
barnaby
sure, and I think that if we’re going to make showing additional app data parsed from client_id h-app a thing, we need to make it *very* clear that the client_id and redirect_uri are the only important pieces of information
#
barnaby
oh wow, they clearly take it seriously
#
aaronpk
it was a response to a high profile oauth phishing campaign
#
aaronpk
aka the "google docs worm"
#
barnaby
showing app authorship information is a nice personal touch and mirrors what silos (e.g. twitter IIRC) do, but adding the possibility for phishing apps to trivially pretend that they were made by some respected person is a big risk IMO
#
barnaby
I feel like the emotional response to seeing a friendly face and name might override suspicion people have about a weird-looking client_id and redirect_uri
#
aaronpk
there are other things you can do in the consent screen to help, which some sites are doing, in particular google
#
barnaby
of course it’d be trivial to make some sort of rel-me-esque validation, where app authors publish their client_ids on their homepage one way or another
#
aaronpk
they started using checkboxes (finally!) so that you have to actually click on each scope you're granting an app
#
barnaby
any ideas for how that could be marked up? I can’t think of an existing rel which would work
#
barnaby
just having a minimal h-app on the homepage with url and author.url properties matching those reported on the client_id h-app would be enough for verification
#
aaronpk
i guess the question comes down to who does the user ultimately trust
#
barnaby
ultimately it’s gotta be based on the redirect_uri (and to a lesser extent the client_id), but here I’m specifically thinking about under what circumstances to responsibly show app authorship information on a consent screen
#
[jgarber]
`rel=“author”` is official, though not semantically different from using `p-author` on the client_id’s site.
#
aaronpk
if I want to grant Adobe Lightroom the ability to access all the photos on my site so I can edit them in the app, I'm really trusting the entity Adobe, identified by their website adobe.com. so ideally I need to see a chain of trust from adobe.com to the redirect_uri
#
sebbu3
beware, you might have lost some colors
#
barnaby
aaronpk: right, so adobe.com publishing a list of their client_ids would enable that
#
barnaby
and it even fits into existing markup potentially, where adobe.com might have a list of their products ready to mark up
#
barnaby
I can imagine having a little sidebar on my site listing indieauth-enabled apps I’ve made, both to show off and as verification links
#
[jgarber]
☝☝☝
#
aaronpk
so that moves the oauth phishing to setting up a domain pretending to be adobe
#
aaronpk
like adobe-apps . com or whatever, which is absolutely already a problem for a number of other reasons too
#
barnaby
so I can see something working where a consent screen looks on the client_id for a h-app.url matching the client_id, and shows that information if found. And if there’s authorship information on the h-app, additionally fetching the author URL and only showing author info if the author page has a h-app.url matching the client_id
#
barnaby
yeah that’s always going to be a problem though, and solving that in an automated way would likely involve some sort of community reputation system
#
aaronpk
none of this is a perfect solution because at the end of the day it comes down to the user recognizing whether they trust some piece of information shown to them
#
barnaby
sure, I’m mostly trying to solve the problem of “ad0be.com client_id publishes a h-app with an author.h-card.url of adobe.com, and a consent screen shows it, lending unnecessary authenticity to the phishing attempt”
#
GWG
But can you mitigate risk?
#
barnaby
i.e. how can the consent screen be the least wrong
#
barnaby
this is all assuming that we want to show app authorship information in the first place. simply not showing it is the easiest solution
#
barnaby
(aside, this is another reason why I eventually want to bundle an optional basic token management UI with taproot/indieauth, so that any app using it has no excuse for not giving users the ability to easily revoke tokens)
#
barnaby
and build this functionality in everywhere, i.e. on every post which was posted via a client, have an in-context UI to see the responsible client_id and revoke the token
#
GWG
barnaby: I have something like that
#
barnaby
nice GWG! got a screenshot of it somewhere? I’d be interested to see how it looks
#
barnaby
wonder what the relevant wiki page would be to document that
#
barnaby
what is access token?
#
Loqi
An access_token is a bearer token that is given to a micropub client from a token-endpoint https://indieweb.org/access_token
#
barnaby
probably there
#
GWG
barnaby: I use the list table view WordPress has, so you've probably seen it
tbbrown joined the channel
#
[tantek]1
[snarfed] is it bad that my code tried to use Bridgy Fed to errantly federate a reply to a tweet? The results page showed an OStatus error. Here is the specific log link: https://fed.brid.gy/log?key=https%3A%2F%2Ftantek.com%2F2022%2F306%2Ft1%2Fmicro-blo[…]com%2Fmnot%2Fstatus%2F1586279839752892417&start_time=1667448340
#
@Honesty_Init
↩️ Open standards. The current FediVerse is clearly lacking in usability. Some of the https://indieweb.org/ protocols (MicroPub, MicroSub, WebMentions, IndieAuth) might do. And email-style interoperability would curb most of the deficits of vendor concentration.
(twitter.com/_/status/1588374867358801920)
#
[snarfed]
[tantek] yeah that happens. the Bridgy Fed UX is definitely rough!
#
[tantek]1
I'm curious if there's something I should be doing differently on my end
#
[snarfed]
no, you're fine
#
gRegor
Thanks for the reminder, barnaby. Added my consent screen and access token screenshots.
#
gRegor
Interesting h-app authorship discussion, though even without h-app authorship, it's a potential issue currently when IA servers show the name/icon from the client site.
GWG-, rrix_ and mro joined the channel
#
Saphire
I need to flesh out mine
petermolnar joined the channel
#
@markjgardner
↩️ Getting back to your comparison to RSS: that’s true, which is why there was an evolution of trackbacks to pingbacks to webmentions. I’m trying to figure out what ActivityPub buys over webmentions with microformats.
(twitter.com/_/status/1588529218904018946)
aaronpk and geoffo joined the channel
#
@bcrypt
just made a "decentralized" "alternative" to twitter; everyone should go "join" it to make an account: fork https://github.com/diracdeltas/tweets to tweet: git commit --allow-empty to follow someone: git remote add <alias> <their fork url> to retweet: git cherry-pick <their "tweet">
(twitter.com/_/status/1588416861552582657)
mro joined the channel
#
[tantek]1
aaronpk, would the reply to that "what ActivityPub buys over webmentions with microformats" be 1) test suite & validator (https://webmention.rocks/), 2) more implementations (https://indieweb.org/Webmention#Publishing_Software)
mro joined the channel
#
aaronpk
good point
#
[tantek]1
3) an active user & development community (chat.indieweb.org)
#
[snarfed]
that's what webmentions buy over ActivityPub
#
[tantek]1
[snarfed] that's the punchline
#
[tantek]1
like any good tweet, it should be funny & snarky
#
[tantek]1
since that's the medium
#
[tantek]1
so to speak 😉
#
[snarfed]
Hah ok!
cambridgeport90, [campegg], jacky, gxt and mro joined the channel
#
@markjgardner
↩️ Blogs that implement the @w3c Webmention recommendation can be conversational: https://www.w3.org/TR/webmention/ There are even services that bridge comments, replies, reposts, reactions to Twitter, Mastodon, Instagram, etc. Some examples: https://mikebifulco.com/posts/semantic-html-heading-subtitle https://minutestomidnight.co.uk/blog/arva-vacua-debut-ep/
(twitter.com/_/status/1588607740938973184)
#
@megarush1024
↩️ Indieweb: http://indieweb.org will give you a thorough explanation, but basically plain old semantic HTML coupled with open standards like webmention and micropub and microformats 2 and owning your own domain and content.
(twitter.com/_/status/1588610287032324096)
#
@megarush1024
↩️ Starts with plain old semantic HTML and goes from there, you don't have to support everything to be part of it but other things like webmention and MF2 enable communication between domains.
(twitter.com/_/status/1588610598971101184)
#
barnaby
aaronpk: I just ran into a weird dependency thing where in order to install php-mf2 0.5, I had to downgrade XRay from 1.12 to 1.2. any idea what’s going on there?
#
aaronpk
1.2?? that's super old
#
barnaby
does the older version actually support php-mf2 0.5, or did it just previously have a more lenient requirement
#
aaronpk
that seems more likely, it's from 2017
#
barnaby
it looks like the latest version of XRay is only compatible with php-mf2 0.4, so I guess that’s the case, yeah
#
aaronpk
that probably isn't intentional
#
barnaby
which means that anyone who wants to use XRay doesn’t get img+alt parsing, which is the main breaking change ottomh
#
barnaby
shall I try to get get XRay running with php-mf2 0.5 and submit a PR if any changes need to be made?
#
aaronpk
oh right it will need changes to consume the new alt text structure
#
aaronpk
which i suppose is why it's locked to 0.4
#
barnaby
unless you were doing some very defensive programming, most likely, yes
#
barnaby
although there’s not much difference between handling an embedded mf2 structure and handling an img+alt structure when you want a plaintext value
#
barnaby
so if you had precautions for one then it might apply to the other
#
barnaby
I’ll take a look at it
#
barnaby
huh, running composer install on a fresh clone complains about an incompatible set of packages
#
barnaby
not a great start xD
[fluffy] joined the channel
#
barnaby
aaronpk: do you have any opinions about how to deal with img+alt parsing in XRay? the simplest solution would be to disregard the alt and just extract the URL, which would result in the jf2 output looking exactly the same as it does currently
#
barnaby
but if we want to include the alt values, which is obviously preferable for accessibility, it’s going to result in a breaking change to what data XRay outputs
#
aaronpk
that sounds like a good first step, as a minor update to XRay to be able to bump the mf2 parser
#
barnaby
and it might make sense to output consistent img+alt structures everywhere XRay knows it’s dealing with an image, with empty alt values if none was found
#
barnaby
okay, I’ll aim for getting a PR with the simpler approach done this evening
#
barnaby
and will raise an issue about the breaking approach for further discussion
#
[tantek]1
what is verified
#
Loqi
A verified profile or identity is one that has been confirmed by either an algorithm (like rel-me) or an authority (usually a silo) as belonging to a particular entity like a person or organization, or another independent website, and often indicated with a colored checkmark next to its name https://indieweb.org/verified
#
@simonw
The way Mastodon handles verification is smart: it uses rel="me" links and shows verified links on your profile page with a green background https://fedi.simonwillison.net/@simon https://pbs.twimg.com/media/Fgu14HwUUAALzQ6.png
(twitter.com/_/status/1588563298597101569)
#
barnaby
hmm another approach would be to put the string URL in the property itself, and add a structure containing the alt in the refs list
#
barnaby
either directly in the refs list with a different format, or in a separate alts list
#
aaronpk
i *think* i like the first option better, just because it promotes the alt text concept better, even tho it's more of a breaking change
#
barnaby
yeah I was considering including some form of the latter in the current non-breaking update, so that the information is at least available
#
barnaby
but then if people srite code which consumes that and it changes again, it’ll just be even more annoying
#
barnaby
*write
#
aaronpk
yeah i would rather do a quick version of this with no API changes within XRay itself
#
aaronpk
then discuss what the better long term plan is on github
#
barnaby
I love the URL fetching fixture+mocking structure you made for this, really nice
#
aaronpk
Oh thanks. It's super helpful
#
aaronpk
tests++
#
Loqi
tests has 3 karma in this channel over the last year (4 in all channels)
#
barnaby
there are so many deprecation warnings running the tests that I’m torn between turning off deprecation error reporting in the bootstrap, and leaving it in so that it might be a motivator for fixing them
#
barnaby
okay, PR submitted
#
Loqi
[barnabywalters] #112 Make img alt information available
#
barnaby
^ which is also a JF2 issue — who works on JF2 these days?
#
[tantek]1
looks like [KevinMarks] according to https://jf2.spec.indieweb.org/
#
[KevinMarks]1
Well, not recently, but can have a look
#
barnaby
made an issue for it on the JF2 repo too https://github.com/indieweb/jf2/issues/46
#
Loqi
[barnabywalters] #46 How to make img alt information available in JF2
#
@kevinmarks
↩️ If you want to make an existing blog site mastodon compatible, there's https://fed.brid.gy/
(twitter.com/_/status/1588640252515995648)
#
@tomfinley
RT @zachleat@mastodon.social TIL Mastodon supports verification via IndieAuth! I added this snippet to my web site (http://zachleat.com) to point to my Mastodon account and now my web site is verified when you view my Mastodon profile—neat! <link (1/2)
(twitter.com/_/status/1588644120381251587)
bterry1 and gRegor joined the channel
#
[tantek]1
[snarfed] are you (or anyone else) using rel="me" with an acct: URL?
#
barnaby
wow I’ve never heard of that. does anyone use it for anything?
#
[snarfed]
webfinger
#
barnaby
ahh okay
#
barnaby
so it’s currently only useful as an identifier, not as a resolvable URL
#
[tantek]1
yeah it's a bit weird
#
@MikeSington
🚨Ben Collins, NBC News: “Twitter employees want to stress that the company is a nightmare right now and you cannot work there. And the website is built on sticks and it might fall apart. It’s a house of cards.” “Elon is deeply out of his depth.” “This could be really bad.” https://twitter.com/MikeSington/status/1588614729119174658/video/1
(twitter.com/_/status/1588614729119174658)
#
@jsoo1
↩️ Activitypub and webmentions seem cool!
(twitter.com/_/status/1588664946451435521)
#
[tantek]1
barnaby, to "make a UI for personal sites which redirects people to a follow UI on their home server" -> use the "follow" /webaction
#
[tantek]1
I have one embedded in my home page
#
barnaby
well yes, but that relies on the user having some sort of browser extension which replaces that with a UI
#
barnaby
I was thinking more of looking into whether it’s possible to easily add native support for following @-@ IDs from a personal site
#
[tantek]1
barnaby, not necessarily, browser add-on is one way
#
[tantek]1
the other are the scripts that we wrote back in the day to polyfill webactions on both sides
#
barnaby
say, a form where the user enters their server URL. and it redirects to {server_url}/path/to/follow/ui?target=@tantek.com@tantek.com
#
barnaby
…if it’s that simple
#
barnaby
if it’s much more complex than that, I don’t think I’d want to put much effort into custom code to get my site supporting it
#
barnaby
lol yes I know about that, I’m talking about something slightly different
#
[tantek]1
barnaby, you had an earlier version of this setup ~9 years ago
#
barnaby
I know
#
[tantek]1
the URLs of that form that you're looking for are here: https://indieweb.org/Web_Action_URL_APIs
barnaby joined the channel; barnaby left the channel
#
[benatwork]
kind of wish we could just set up a URI scheme - social://follow?@ben@werd.social or something
#
[benatwork]
... as discussed on that page, now that I've read it
#
[KevinMarks]1
This is the continuing curse of webfinger and Blaine's grandma
#
[KevinMarks]1
The new mastodon follow is no longer "type your @-@ here" and is now "copy this url and paste it into search on your own site"