#dev 2024-06-25

2024-06-25 UTC
lanodan, ludovicchabant, voxpelli, chenghiz_, Guest1350, ramsey, ttybitnik, barnaby, AramZS and ipv6rs joined the channel
capjamesg[d]
sknebel++ for all the help on understanding wildcards.
Loqi
sknebel has 11 karma in this channel over the last year (29 in all channels)
[jacky] joined the channel
[jacky]
yeah DNS is something that's hard to wrangle
[jacky]
been speaking with more folks in the South (like Cuba, Haiti and PR) and the idea of setting that up competes with getting data plans
[jacky]
the approach folks take in Cuba (SIM cards for timed access to the Internet, though all regulated via the US's sanctions on access) that go outside convention has been either being "seeding" news sites or using things like locally hosted forums only available in some shops (that are available over local WiFi)
[jacky]
outside of airdropping everyone $15/mo for a domain (or clustering it all onto one), not many options
[jacky]
that said, there's someone trying to set up a rogue NS out there (really want to go visit to see in person; a lot of this is landlocked)
[schmarty] joined the channel
[snarfed]
wait, $15/yr for a domain, not /mo, right?
jonnybarnes joined the channel
[snarfed]
free subdomains can be a good way to get started, and for cost sensitive communities like those, there are plenty of cheap registrars and TLDs that will sell you a domain for $1-5 ish per year
[snarfed]
even in eg the South, I expect $1-5/yr is pretty doable, and only a fraction of what they're already spending on SIM cards and other expenses
[snarfed]
(I've gradually lost patience with the "domains are too expensive" complaint these days)
[snarfed]
DNS is absolutely difficult, but more and more hosts like http://micro.blog are bundling domain registration and DNS so that users don't have to do it at all
[jacky]
$15/yr yeah, my fault
[jacky]
DNS is _part_ of it. Like _when_ services are blocked (for usually no explicitly clear reason, in Jacmel, where a lot of my family is from, the only things you can get easiest access to would be WhatsApp or the like because of access contracts), all of that disappears
[jacky]
Cost is subjective (in case of its relative impact to folks) so I try not to exclude that
[snarfed]
sure! but the cost differences matter
[snarfed]
so, different questions here? 1) what's a feasible cost for a domain (I expect $1/yr works for the vast majority of people), 2) is DNS too hard for end users to set up (yes), 3) how do we handle governments or ISPs blocking services like DNS
[jacky]
in a way, a good answer to 3 could make 1 equate $0/yr
[jacky]
my personal want would be for municipal services to issue some blocks of subdomains for folks to lean on (that either local groups can then resell and/or just provide an interface over)
[snarfed]
yes! iirc some federal/state/muni gov'ts have done that before, maybe still
[jacky]
but that's a tremendous amount of political maneuvering
[snarfed]
but again, if it's specifically a cost question, I kind of lose patience pretty fast. getting from $15/mo to $15/yr clearly counts, $15/yr to $1/yr counts too, but once we're there (which we are for many TLDs/registrars), I'm less motivated to try to get from $1/yr to $0/yr
[jacky]
sure I can understand that
[jacky]
like at that point, the cost is merely a ticket for attendance (versus access to the skybox)
[snarfed]
$0 vs $1 may matter psychologically, or maybe ideologically for some people, but not practically
[jacky]
I want to write about this more at length - some of the difficulty is pushing past some barriers of geopolitics
[snarfed]
I dunno, maybe. or we just treat it very practically and say, start with a http://wordpress.com or http://micro.blog or any other subdomain, start actually using a web site and interacting with the IndieWeb from it
[snarfed]
and once you're doing that and like it and have invested, you'll happily spend $1/yr on a real domain
[Joe_Crawford]
I think there's absolutely an opportunity for something like that. When I heard what Internet Archive was planning to do as a nonprofit I was skeptical, but they have set up a structure for how it works, how it's funded, and how it can continue that works. A creative institutional structure could do this.
ptramo[d]
The persistence of domain names feels like a technical problem that could « easily » be solved if platforms cared enough to remove that dependency. Use a name for discovery from perishable analog media, references to public keys (including QR codes for long-lived paper), store coordinates in kademlia à la libp2p to resolve a public key to a host. I think that’s roughly how onion domains work already but I know next to nothing about the
ptramo[d]
[edit] The persistence of domain names feels like a technical problem that could « easily » be solved if platforms cared enough to remove that dependency. Use a name for discovery from perishable analog media, references to public keys otherwise(including QR codes for long-lived paper), store coordinates in kademlia à la libp2p to resolve a public key to a host. I think that’s roughly how onion domains work already but I know next to n
ptramo[d]
I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this, domains would become the exception rather than the norm in URIs in no time
ptramo[d]
[edit] I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this collectively, domains would become the exception rather than the norm in URIs in no time
ptramo[d]
[edit] I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this collectively, ICANN domains would become the exception rather than the norm in URIs in no time
artlung
Edits from Discord appear like this in Slack ptramo[d]
ptramo[d]
artlung[d] suboptimal but still better than no edits
ptramo[d]
I could write series of `s/domains/ICANN domains/` to make it a tad easier to understand the intent behind the edits, or I could contribute to the bot to offer `git diff --word-diff`-like outputs, or I could migrate to Slack if things are better the other way around?
[snarfed]
I think we mostly tend to just continue and revise thoughts and the conversation more naturally, and treat messages as ephemeral and realtime, not writing that we need to edit until each message is perfect
ptramo[d]
artlung[d] wait, slack truncates my messages? that seems like a more serious problem
[Joe_Crawford]
I'm not suggesting any kind of technical solution is required. Just pointing out how they appear in Slack (and also in IRC).
[Joe_Crawford]
And yes, _move forward, don't edit_ is how I participate in this chat. If I have something I want to be precise about and edit and revise, for me that means I probably have enough of an opinion about it to be blogging it.
ptramo[d]
OK, I'll revise everything I just said with "see how .onion works, why don't we all .onion to begin with?"
[snarfed]
concise!
[snarfed]
to answer you in spirit, yes, philosophically that would be great
[snarfed]
...but in practice, users managing their own private keys has big downsides, notably 1) lack of recoverability and 2) PKI
[snarfed]
1, if mainstream users have no recourse when they forget their password, that's...not really ok
ptramo[d]
(1) same problems as passkeys, being solved by the big platforms
[snarfed]
and 2, I'd argue the only PKI systems we've seen succeed and achieve truly widespread adoption (notably SSL) are at least semi-centralized, for some good reasons. that has its flaws, true, but net it overall seems to work ok
[snarfed]
(also 3, Tor and .onion are nowhere near mainstream UX usability yet, but that's fixable)
ptramo[d]
(2) which infrastructure do you need? I'm not suggesting we stick to certificate chains or web of trust, if the domain is the public key, it's self-contained?
[snarfed]
1, right! users mostly aren't managing their passkeys entirely on their own, there's an account recovery flow that depends on centralized providers
ptramo[d]
(3) yeah that's entirely on the web browser vendors though, isn't it?
[snarfed]
3, uh no, they're under no obligation there
ptramo[d]
BTW, I was wrong, it's not kademlia in the context of tor. need to dig more into it, but seems to be based on https://spec.torproject.org/rend-spec/rendezvous-protocol.html ?
[snarfed]
I love DHTs! I worked on some, I hung out on p2p-hackers@ in the 90s and 00s. but after decades, they're still niche. I'm not arguing that they work, just that they haven't managed to scale or gain widespread adoption for anything yet, and it's been a while
ptramo[d]
the bittorrent DHT is responsible for what, 3% of Internet traffic?
[snarfed]
sure, but not a very interesting metric. many orders of magnitude fewer _people_ use it
[snarfed]
(also it's not PKI)
ptramo[d]
what's the I for in PKI, and if it's infrastructure, what infrastructure do you need if the URI contains the public key already?
[snarfed]
you mean, you fetch the URI, and it serves you the public key in the response? or it's _in_ the URI, like data:... ?
[snarfed]
the infrastructure part is how those public keys get published, queried, and delivered. if that's via fetching URIs, you're already depending on DNS and SSL CAs
ptramo[d]
no, the "domain" part of the URI is a public key
ptramo[d]
you don't have to use DNS to look up domains. heck we started without it, and .onion works without it
[snarfed]
ah, so putting public keys directly into .onion addresses
ptramo[d]
that's what .onion addresses are today, a public key prefix
[snarfed]
ok! this is a different use of them, but sure
[snarfed]
I'd happily read a more complete description of the idea! hard to fully grok from casual chat messages
[snarfed]
all three issues still apply, but the idea could still have legs with enough work!
ptramo[d]
> OK, I'll revise everything I just said with "see how .onion works, why don't we all .onion to begin with?"
ptramo[d]
- generate a keypair, keep the secret key in your cloud-or-seriously-backups-backed keyring
ptramo[d]
I seem to have gotten some of the details of .onion wrong… so. you want to publish something:
ptramo[d]
- your server has a certificate signed with your secret key and the corresponding private key, uses it to announce `(certificate, my public key, my SRV-style records signed with my private key)` in a kademlia where peers verify that such announcements are signed correctly
ptramo[d]
- browser vendors host bootstrap nodes for this kademlia baked into their browsers
ptramo[d]
- publish under `${publicKey}.nodns`
ptramo[d]
- browsers support this `.nodns` scheme by looking up in the kademlia from the bootstrap node, find signed SRV records for the domain, connect there over TLS pinned where the "root" CA for a domain is literally the public key it spells out
superkuh
Just pick a strong hash function for the public key used as address. It should expect to work for decades. torv2 made a mistake and picked a weak hash function whose prefixes today can be brute forced for $50 of compute. So they abandoned the entire torv2 web and all the old domains no longer work, all the website hyperlinks are broken, it's just gone, poof.
superkuh
Er, $50k.
superkuh
Not $50.
[snarfed]
ptramo got it! again I think all three issues still apply, but also again I'd love to read a complete blog post with details!
ptramo[d]
don't hash at all. put a version number in front, 0 for now, and spell out the public key. tweetnacl public keys are 32 bytes, that's 52 characters in base32
ptramo[d]
well 53 with the version number
[snarfed]
ptramo do you have a personal .onion web site? or any other site there?
superkuh
I still host superkuhbitj6tul.onion on the remaining torv2 network but no modern torv3 client in any modern distro's repos can access it.
ptramo[d]
i don't onion, no. I want recruiters to find my stuff, chicken and egg 🙂
[snarfed]
sounds like issue 3 is alive and well for .onion
ptramo[d]
I did start with "I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this"
ptramo[d]
heck, we could buy a TLD for $100k/yr and operate infrastructure that does the work for browsers that don't, or operate it as a subdomain of whatever
ptramo[d]
heck I could hack https://api.ident.me DNS server to support a scheme like https://ttjqjfky6dorsynsgabarnzn4h4cuvinzwcxzm7dinhybu2tf67ja.ident.me (first t is for tweetnacl, rest of the name is a public key) with registrations/updating by POSTing a DNS zone to https://0pw.me. synergize my hacks 😄
[tantek]
I'm going to go out on a limb and say that $0/domain per year is actually *undesirable* UNLESS it is tied to say, a government provided service (like how healthcare should work) that has CONSEQUENCES for abuse (spam, breaking laws etc.), because anything that costs $0 will and does get abused as we have learned with email
[tantek]
I will also say that IMO that marginal benefit of reducing a domain cost from $5-15/yr down to $0/year is absolutely not worth the opportunity cost. Like if you believe that, go get data SIM prices down to $0 first which enable far more important use-cases for folks than a domain name by itself.
[tantek]
And until then, I think a reasonable goal is to get $/year of domain name cost to be less than the $/year of a data SIM. For most places in the world, $15/year is already there. If not, I want to hear of specific examples (countries, cities) where domain cost per year is MORE than data SIM cost per year
[tantek]
otherwise I've come to the same opinion as [snarfed] "if it's specifically a cost question, I kind of lose patience pretty fast."
[tantek]
and then for me personally, I believe it is more important to spend time advocating for reducing the per year cost of healthcare to less than $15/year than the cost of a domain to less than $15/year. that's the opportunity cost I see for my time on this issue which specifically makes me also "lose patience pretty fast"
[tantek]
like "cost of healthcare to less than $15/year" *for everyone* (per single-payer) not just "who can't afford it".
[tantek]
and would advocate similarly for domain costs
[tantek]
what are passkeys
Loqi
It looks like we don't have a page for "passkeys" yet. Would you like to create it? (Or just say "passkeys is ____", a sentence describing the term)
[tantek]
I thought we had captured the centralization problems with passkeys somewhere — there was a big long rant by someone who worked on them for years, and realized that all they did was enable FURTHER centralization of both authn and authz
chadsix joined the channel
jimwins
looks like only mention of passkeys in the wiki is on the Web Authentication page.
jimwins
and even that's just to Apple Passkey
[schmarty]
oh hello i missed some Tor talk. I have a .onion mirror of my site. if you visit https://martymcgui.re/ in the Tor browser you should see an ".onion available" button pop up which will take you to http://martymcgfuraocsgy2a25btl5srhifcdud6m4eiphz2mq6fafttwh7qd.onion/
[schmarty]
and yeah .onion addresses are based on a public key.
[schmarty]
Tor is neat. stuff built on Tor is neat. i have seen some pretty rad projects that use it, but none seem to ever get to a level where i could get the people i care about to adopt them.
[schmarty]
like i still cross my fingers for https://cwtch.im/ to get solid funding again. or for https://www.ricochetrefresh.net/ to shop
gRegor joined the channel
[tantek]
onion addresses are unfriendly to users which is a showstopper to me
[tantek]
they look like "series of garbage characters" which IMO nearly always signals either: untrustworthy content, or uncaring developers that don't care about (or understand) good UX, both of which are major turnoffs
[tantek]
to be blunt, if you can't put it on a billboard or the back of a t-shirt where someone can read it, remember it, type it back in, then you've lost people (in terms of URLs)
thepaperpilot
Sounds like something that could be solved via pet names: https://spritely.institute/static/papers/petnames.html
[tantek]
thepaperpilot — except that's exactly what DNS does, give you a way to make shorter memorable names
thepaperpilot
Sort of. Petnames are designed to be decentralized
[tantek]
and frankly "petnames" have been suggested like that for over a decade with zero actual progress towards practical solutions, so it's a meh for me until someone shows up with a usable/working prototype
[tantek]
DNS is decentralized
thepaperpilot
Sure, sort of. But in practice are you going to change your DNS to any but the established players?
[tantek]
petnames are also solving a different problem — what user personally calls things on their device etc.
thepaperpilot
Same issue with the fediverse, where it's decentralized in theory but centralized in practice. Petnames are the agentic/client based alternative to names
[tantek]
the problem that URLs solve is sharing across/between users, especially between *strangers*, e.g. the "billboard or the back of a t-shirt" example I gave above
[tantek]
petnames do zero for that
[tantek]
so no, it's something that petnames can solve IMO
[tantek]
it's *not* something that petnames can solve
thepaperpilot
Well if you're trying to become an influencer or whatever and need to be able to put a name on a billboard, you could use (or become) an authority that vouches for who that person is
[tantek]
"an authority that vouches for who that person is" —> reinvention of DNS registrars
thepaperpilot
E.g. If apple says we have a social media account and it's called timcook@apple.com, then you can be confident they are actually tim cook from apple
[tantek]
and how many email addresses do you see on billboards? close to zero if not zero?
[tantek]
this is why I asked for a "usable/working prototype" — because I fully believe that in the process of building that, based on whatever systems instead of DNS, you will end up reinventing all the pieces of DNS, just likely worse (untested / unscaled / unredteamed)
thepaperpilot
And for smaller creators, some "influencers catalog" would allow people to freely register. Sure that entity would have less trust than apple.com, but for an influencer you don't need to verify anything other than that their identity is unchanging. The second you have to trust that identity to have done something specific, the authority on that something should be able to vouch. E.g. a university having a name server that v
[tantek]
right, and we already have had such "influencers catalogs" over the years that allowed people to freely register, e.g. http://Blogger.com, http://Tumblr.com (subdomains) or even Twitter @-names.
[tantek]
again, no matter what you call it ("catalog" or "subdomain") you are just reinventing pieces of DNS
thepaperpilot
Fwiw I think with how Twitter is going, you are going to start seeing domains after usernames anyways. A lot of governments and large corporations even already run mastodon accounts that are effectively an authoritative name server (but with the drawback of enforcing how each person on their can use the platform, and not handling the issue of having my multiple authoritative sources being able to vouch for the same identity
[tantek]
we'll see, LMK when you see a billboard or a t-shirt with an @-@
[tantek]
I mean that seriously, not flippantly. Would love to see/collect real world examples of that (like actual photographs of things in the real world)
thepaperpilot
I'll let you know. I really think it's only a matter of time
aaronpk
The @-@ addresses are so ugly there is no way 😂
jimwins
This sort of goes back to the discussion we were having the other day about identifying non-web resources as a rel="me". If you see @jimw@mefi.social in the wild, will you know it's a Mastodon/Fediverse account? What about @jimw.tmky.us, is that obviously a Bluesky id?
thepaperpilot
It shouldn't matter
[tantek]
lol aaronpk
jimwins
Sure, but saying it shouldn't matter doesn't mean it doesn't matter.
[tantek]
I actually think there's a greater chance of "@-domain"
thepaperpilot
E.g. all of you wouldn't even need an @-@ within the context of this server. I have no need to verify anything about any of our identities to have a casual conversation, so I'd just use your "unverified" self-defined nickname, and my client would auto add that as the nickname and inform me if I see another person with the same name that they are actually different people
[schmarty]
looks like i missed some zooko's triangle discussion and i just have to add: :zany_face:
ptramo[d]
Looking for a reasonable html streaming (à la SAX or not) parser for C, zig, or lua. Currently only to extract link rel=…
[schmarty]
i'm wary of using whether or not something has widespread adoption as a primary metric of whether it is worth considering.
[schmarty]
passkeys seems to be a good example of something that (appears to be) gaining widespread adoption, but no two passkey implementations are the same and there are deep philosophical divides among standards folks and implementors as to whether you should be allowed to even make backups. doesn't sound like a done deal to me!
superkuh
There's always namecoin. There's a decent chance Tor v3 gains arbitrarily named onion services through Namecoin integration soon'ish. There's a proposed implementation on the Tor issue tracker and I've heard it's already partially implemented with certain nightly builds.
[schmarty]
namecoin-- having used namecoin it is a messssss
Loqi
namecoin has -1 karma over the last year
[schmarty]
if you think it's easy to lose DNS control because of a forgotten renewal, give namecoin a try! expiration happens by counting blocks, which usually* happen every 10 minutes, so i guess "just" :abacus: calculate that out and set a 📆 calendar reminder to open your namecoin wallet and give it a few hours to sync up the blockchain so you can renew :zany_face:
jimwins
Sounds like fun!
superkuh
Not wrong. I managed to lock myself out of a .bit forever by sending a malformed transaction.
[Joe_Crawford]
domains are good, but a little bird icon, or little instagram square, or little X, or a lowercase "f" in a square, or just the text "Venmo" are fine replacements to namespace some identifier. And I do see email addresses on cars for services fairly often: plumbers, housekeeping services, other contractors.
[Joe_Crawford]
more hotmail and yahoo usage than I ever would have guessed, but we have the world we have.
[schmarty]
i used namecoin+zeronet to have a .bit site. it was kind of neat but the zeronet community was, uh, not great. and my .bit got squatted the moment it lapsed. zeronet has, i think, collapsed since with the creator going silent. maybe back in 2019?
[schmarty]
my .onion mirror has been pretty good, but as was mentioned earlier, Tor has abandoned the "v2 onion services" domains, so they just don't work anymore. i updated to v3 and it's the ridiculously long .onion URL I shared above.
[schmarty]
i agree that .onion URLs are ugly. but! if there's anything that dining in the US in the early years of COVID taught us, it's that people will scan any old QR codes 😂
[schmarty]
IPFS seems to still be a thing for folks hoping to host decentralized web content. but while the network is content-addressable, they seem to have settled pretty hard on using DNS for having named pointers to stuff!
janboddez, btrem and [dshanske] joined the channel
jimwins
Looks like the company that acquired polyfill.io last year has pivoted to using it to serve up malware. https://sansec.io/research/polyfill-supply-chain-attack
Guest8163, Yummers and sp1ff joined the channel
geoffo joined the channel; Yummers left the channel