1. bisby+(OP) 2023-05-04 20:20:07
"We'll build our own validation instead of using one of the existing standards that make perfect sense." is not just "a single bug". It's a flaw in architecture.

A PR of "Change external domain validation to use .well-known (or DNS01, etc)" is not a "bugfix".

replies(1): >>mtae+52
2. mtae+52 2023-05-04 20:31:09
>>bisby+(OP)
Okay, so clearly you don't know what you're talking about because they do use existing standards/DNS as the primary way to validate domain ownership. It's free to not say anything and read the comments first before going off about something!
replies(2): >>i_am_j+57 >>accoun+pn1
3. i_am_j+57 2023-05-04 20:57:00
>>mtae+52
>Okay, so clearly you don't know what you're talking about because they do use existing standards/DNS as the primary way to validate domain ownership.

I'm not going to speak for the commenter you're replying to, but I don't think anyone here is talking about the standards-compliant, DNS-based domain verification system. I think we're all talking about the non-standards-compliant, /xrpc/-path verification.

4. accoun+pn1 2023-05-05 08:51:42
>>mtae+52
With any kind of authentication, when you have an insecure method, it does not matter whether you also have a more secure method - your authentication is only as good as the weakest alternative.