zlacker

[return to "So this guy is now S3. All of S3"]
1. arianv+53[view] [source] 2023-05-04 19:07:02
>>aendru+(OP)
This is why mastodon , webfinger and ACME uss .well-known uri prefix. .well-known is reserved and you can't e.g. make a bucket named .well-known

It's funny the bluesky devs say they implemented "something like webfinger" but left out the only important part of webfinger that protects against these attacks in the first place. Weird oversight and something something don't come up with your own standards

◧◩
2. benatk+Ej[view] [source] 2023-05-04 20:25:41
>>arianv+53
.well-known seems unintuitive

Also the penalty isn't very high here. Someone impersonated a domain on a burgeoning protocol for a short while. So what?

◧◩◪
3. ceejay+Oo[view] [source] 2023-05-04 20:53:30
>>benatk+Ej
> .well-known seems unintuitive

We're talking about folks setting up a custom domain for a personal social media presence. If they can handle nameservers and DNS records, they can handle a folder with a dot in the name.

◧◩◪◨
4. catchn+2s[view] [source] 2023-05-04 21:08:47
>>ceejay+Oo
but it disappears when you add the dot.
[go to top]