Tee hee, just added blocklist importing to the using Mastodon's blocklist format :P

Fun fact, looks like our admin registration is going to use the same http auth mechanisms.

Here's how it looks:
- Keep list of admins in webmention format in the DB
- Admins talk to the API using signed HTTP requests
- API verifies requests by verifying the signatures

Cool side effects? No need for storing a password or issuing tokens or actual admin account data. We can also use wildcards in the list like `@*@hypha.coop` to allow any account from a given domain to have access.

@thisismissem could you elaborate more on the exploit you have in mind?

the flow for verifying looks like this:
- somebody creates an http request to our server and signs it with an actor URL pointing to their key
- our server fetches the actor URL and takes the public key out from the object
- the server then verifies the signature with the public key and verifies the digest of the request as well as the date to prevent replay attacks
- server resolves actor object to a web mention username

@thisismissem I think there is risk in folks adding fake actors if they can add arbitrary files to a site, but I'm hoping that querying the webfinger endpoint to verify would help there.

Spoofing https certs and DNS might be a risk though? 🤷

@mauve yeah, just make sure that after resolving all the documents that the URIs and hosts all match up

@mauve that is to say I'm doubtful that DNS and HTTPS would be particularly weak points, especially given signing and pinning of public keys (there is a process for announcements of key rotation too)
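
The consistency check discussed in the thread, written out as an added example (not part of the thread and not the project's code): after the signature, digest and date have been verified, confirm that the signature's keyId, the actor document and the WebFinger response all agree on one host before matching the resulting handle against an admin list with entries like `@*@hypha.coop`. The function names, the strict same-host policy and the sample documents are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def _origin(url):
    """Return (host, port) for an https URL, or None for anything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.hostname.lower(), parts.port or 443)

def resolve_handle(key_id, actor, webfinger):
    """Return '@user@domain' if keyId, actor and WebFinger agree, else None."""
    actor_id = actor.get("id", "")
    key = actor.get("publicKey") or {}
    origin = _origin(actor_id)
    # The signing key must be the actor's own key, served from the actor's host.
    if origin is None or key.get("id") != key_id or key.get("owner") != actor_id:
        return None
    if _origin(key_id) != origin:
        return None
    # WebFinger must point back at the same actor, for the same host.
    subject = webfinger.get("subject", "")
    if not subject.startswith("acct:") or subject.count("@") != 1:
        return None
    user, domain = subject[5:].lower().split("@")
    links = [l.get("href") for l in webfinger.get("links", []) if l.get("rel") == "self"]
    if not user or domain != origin[0] or actor_id not in links:
        return None
    return f"@{user}@{domain}"

def is_admin(handle, allowlist):
    """Match '@user@domain' against entries such as '@*@hypha.coop'."""
    if handle is None or handle.count("@") != 2:
        return False
    _, user, domain = handle.lower().split("@")
    for entry in allowlist:
        if entry.count("@") != 2:
            continue
        _, e_user, e_domain = entry.lower().split("@")
        # "*" covers the user part only; the domain is always compared exactly.
        if e_domain == domain and e_user in ("*", user):
            return True
    return False

# Constructed sample documents, not fetched from any real server.
ACTOR = {"id": "https://hypha.coop/users/alice", "publicKey": {
    "id": "https://hypha.coop/users/alice#main-key",
    "owner": "https://hypha.coop/users/alice"}}
WEBFINGER = {"subject": "acct:alice@hypha.coop", "links": [
    {"rel": "self", "href": "https://hypha.coop/users/alice"}]}
```

An actor document hosted on a different site than the WebFinger subject it claims resolves to `None` here, so it never reaches the allowlist match.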

Mauvestodon

Escape ship from centralized social media run by Mauve.