#dev 2025-07-29

2025-07-29 UTC
grufwub, vidak, srxl and bread joined the channel
mandaris
That was funny, Mattl!
Daijo, vidak, gRegor, jjuran, ttybitnik, rozodru, lanodan, grufwub and geoffo joined the channel
[snarfed]
hey [manton], when a http://micro.blog user blocks a fediverse user (https://help.micro.blog/t/muting-blocking-and-reporting-users/32 ), do you send a Block activity?
salut joined the channel
[social]
I updated the Blockquote Plus lab page with a blockquote layout that is fine. I also added to the page to look at what may still need work and the friction of use (and how to possibly ease some of that friction). Webmentions are a viable option, but this chunk isn’t dynamic, so I need to think through that.
Loqi
[preview] Go to Source
gRegor joined the channel
gRegor
osteophage, re: Google Docs, Cryptpad isn't quite as user friendly, but I wrote up a post with some suggestions if using that instead of Docs for privacy/security: https://gregorlove.com/2025/03/suggestions-for-using-cryptpad/
gRegor
Saw some renewed attention recently to "move off Drive" because some people lost access to fanfic docs they had there, allegedly due to content violating ToS.
rozodru
I use cryptpad myself, works well. Bit slow, but does the job.
doesnm
joplin is better imo
box4649, ttybitnik and [manton] joined the channel
[manton]
[snarfed] Hmm, no, I don’t think so. I don’t think I knew that was a thing.
[manton]
Checking the Mastodon docs, sounds like Block is supposed to be just for ActivityPub C2S?
[manton]
> ActivityPub defines the `Block` activity for client-to-server (C2S) use-cases, but not for server-to-server (S2S) – it recommends that servers SHOULD NOT deliver Block activities to their `object`. However, Mastodon will send this activity when a local user blocks a remote user. When Mastodon receives a `Block` activity where the `object` is an actor on the local domain, it will interpret this as a signal to hide the actor’s profile and posts from the local user, as well as disallowing mentions of that actor by that local user.
rozodru joined the channel
[snarfed]
huh. it's definitely commonly in use in S2S in the wild, on many more platforms than just Mastodon
[snarfed]
I got a request from a http://micro.blog user who'd bridged their http://micro.blog via AP, and wanted to disable it. we currently support that via DM or block, but only if we receive a Block activity
thegreekgeek, paotsaq, duanin2 and Chailotl joined the channel
[manton]
Ah, good to know. If it’s common, I’ll add it. Is there an un-block, or is that sending an Undo activity for the previous block?
[snarfed]
yeah that's Undo of the Block
[snarfed]
(but to re-bridge yourself specifically, you'd need to re-follow @bsky.brid.gy)
[snarfed]
Chailotl, from #indieweb re IndieAuth hijacking... hmm. the site or its delegated IndieAuth provider would still need to explicitly support RelMeAuth logins via the malicious site, right? which seems unlikely
[snarfed]
eg https://indielogin.com/ supports Twitter, GitHub, and email, not any arbitrary rel-me-linked service
Chailotl
What I mean is that a user would have their own website, say on Neocities, which has a rel="me" pointing to their GitHub profile, and their GitHub profile has a rel="me" link pointing back to their website
Chailotl
So to normally log in, they would use their Neocities subdomain, IndieAuth checks any valid authentication providers, etc.
Chailotl
The attack vector is to socially engineer the user to add a malicious rel="me" link to their Neocities page pointing to the attacker's GitHub profile, which lets them use it as a means to log in by authenticating with their own GitHub account
[snarfed]
right. that could maybe work for GitHub, Twitter, and email specifically
Chailotl
While someone who writes their own webpage in HTML (as is the case with Neocities) and has a GitHub account (likely a developer) isn't very likely to be tricked, someone using a webhost like Carrd which has an easy-to-use visual editor, and when IndieAuth supports a mainstream provider like Bluesky (since Twitter login doesn't work since the API changes) could be lured for promises of an in-game prize if they "just add this link to your Carrd!"
[snarfed]
maybe! not sure how many people would learn about and set up IndieAuth and then also fall for that attack, but you're right that it is possible
Chailotl
Carrd is the most common free webhost I've seen used on Discord and Twitter/Bluesky, usually for aggregating their social media links, but also as a personal website, or to host their commission sheet info
[snarfed]
not sure how to defend against it. IndieLogin could detect and block sites with multiple rel-me links to a given provider like GitHub, which could help, but only some
Chailotl
You are right that the Venn diagram of users who use IndieAuth and who would be tricked by that doesn't overlap, but if or when "logging in with your website!" becomes mainstream, it will become a desirable scam vector
Chailotl
The first thing that comes to my mind is to educate users to not put suspicious rel="me" links on their webpage; ideally webhosts like Carrd could be explicit to only use it for social media profiles you control
[mattl]
Is an expired personal domain name more of a threat than a malicious rel=me?
Chailotl
I would think so, as recovering that becomes monumentally harder
Chailotl
It's not uncommon for malicious actors to snipe expired domains and demand a ransom >_>
Chailotl
If it is not already documented somewhere, I think it would be a good idea to have best practices for how to offer IndieAuth login (teaching users about protecting themselves against scams, detecting suspicious logins when an alternate account is used for login, recovery methods when a domain is lost)
Chailotl
I'm sure this isn't a very pressing matter right now, we're all smart enough to not fall for this, but it would be a good idea to prevent this before it goes mainstream
[snarfed]
Chailotl++ definitely! sounds like you have a lot of the context to start that page or section on https://indieweb.org/IndieAuth , even just summarizing this conversation
Loqi
Chailotl has 1 karma over the last year
[snarfed]
go for it!
Chailotl61 joined the channel
[mattl]
what is death
Loqi
Site deaths are when sites go offline, taking content and permalinks with them, and breaking the web accordingly https://indieweb.org/death
[mattl]
Hm, I was thinking more about people dying… their domain names and web hosting could all go away pretty quickly.
[aciccarello]
What is longevity?
Loqi
Longevity is the goal of keeping your online presence, data, and code as future-friendly and future-proof as possible; it is one of the indieweb principles https://indieweb.org/longevity
rob32, Chailotl, grufwub, Ramenos, rozodru, duanin2 and jeremycherfas joined the channel
sp1ff``` joined the channel