Are you suggesting the verification of domains would be manually curated by Bluesky PBC, or would this use some form of self verification? i.e. more decentralised? Would it be an ATprotocol solution, or a Bluesky solution?
It’s not verification really. The domain handle is what verifies.
This feature would be about making it more obvious when you see someone with a “.nytimes.com” handle that yes, you’re reading that correctly by adding a logo and name badge.
Sorry, I wasn’t clear. I mean would it be Bluesky the company that does this - i.e. adds the logo plus “New York Times” label for the https://nytimes.com domain, or would the user add it themselves? I’m wondering how it can be trusted? Could someone not use https://mytimes.com and add the nyt label & logo?
Ah, gotcha. Well my recommendation is that the list of domains is on GitHub and open source, and then it's included in the Bluesky web/mobile app. But it probably does make sense for this list to be maintained by Bluesky Social, PBC but not at all a requirement. And there could be more than one list.
I was really trying to understand if this could work across the ATmosphere or only in Bluesky app/web. It would be nice if it was a solution that worked everywhere the account is used. Perhaps Relays could play a role in “whitelisting” certain domains which have been vetted by the community.
If bsky is maintaining a list of important domains then wouldn't it be easier to simply have a list of important labelers that show up for everybody. Then just let companies like the NYT label their journalists accordingly. You could see something like this being used for embed content too
I know it's a slippery slope but it could also be a monetization strategy. First-party labelers could provide an income stream and keep feature requests for things like "guest columnist" and "⭐ staff writer" from bogging down core development.
How about from the other end though: if a domain isn't listed as "important", then the absence of a logo likely diminishes the perceived authenticity of those accounts.
Also seems probably fine to err on the side of including more domains rather than fewer?
Including the domains of crappy tabloids is fine, they can verify that they're really who they say they are, it doesn't indicate they're NOT crappy tabloids.
The protocol has nearly an infinite number of ways to verify including just having trusted labellers. If you want to get fancy you could straight up upload a blob with a certificate and force signed posts on the client.
The trick is average consumer adoption and this logo idea is pretty good.
Yes, labelers could do it but I'm not a fan. Either everyone has to run their own labeler (not realistic) or rely on some trusted centralized service (which is hackable and fallible).
We have a secure and decentralized verification mechanism already: domain handles
I'm happy with the domain handles but that doesn't work for consumers. This sends us back to the realm of EV certs which were claimed to be ineffective with consumers. Someone cruising around on their iphone in the bathroom isn't going to check for DNSSEC + VeriSign certificate and no unicode :(
Not to mention with the number of TLDs and providers now, and the creativity of replacing Cjtjbank with unicode alike characters in default iphone fonts... domains and registrars are just as fallible as a centralized labeller... 💀
Yeah EV SSL certs didn't work but my theory is that it's because there wasn't enough space in the URL bar for a UI that would do much to help. And because they weren't really verified in a meaningful way (so it wasn't worth it).
I think a badge on a profile will have some trust benefits for users.
If the request is done thru a proxy, sure. With Bluesky's algorithm magic, one could do targeted attacks to grab everyone's IP address (if the favico is fetched on client side, like your example). Eg: "try this Iranian news feed for dissidents" then just grep GET /favico.ico
It could also open the door to scammers trying to get a badge that shows authenticity, for example supp0r1[.]github[.]io or similar (verification for bluesky done using .well-known in GitHub pages) will be trying to get a GitHub favico.
Seems like a better principle to give everyone equivalent access and punish people for demonstrable impersonation of established sources than to gatekeep verification
i mean its against the tos but that doesnt mean it wont happen
nor does it mean moderation will find it quickly so less technical/internet minded people could easily fall for a scam if theyre unlucky enough
unless its properly verified etc
My suggestion is that it's a hand-curated list of "important" domains, like https://nytimes.com and any other domain that would meet some reasonable criteria.
Similar to how Wikipedia has a "reliable sources" criteria for citations.
Since we're already using DNS as a form of account authentication anyways, use additional txt records from the domain for organizational authentication that includes an org name and icon. Maybe include a simple approval required from Bsky staff before the org name and icon can be displayed
There is probably some other way it can be secured such as registering an organization with DKIM or something. It would basically still be self verification but would prevent impersonation at an organization level.
The fact that they label impersonators is de facto centralized verification, and they must label impersonators, therefore it's an emergent result of what the platform must do.
DNS is centralized, but it is universally agreed that this is a good idea. All (literally ALL) countries connected to the internet accept and respect DNS.
Even countries like China and North Korea (with their filters verification may not work there, but Bluesky is blocked there anyway).
Well yes, but I'd argue that while DNS is not *perfectly* decentralized it is *highly* decentralized.
DNS is bootstrapped off authority emanating from root servers but it's transparently and fully delegated (decentralized) to Name Servers and Registries.
Any verification system is going to elevate the verified accounts, which is the big product change.
The reason I prefer this method is that it's not doing much more than confirming "Yes, that .nytimes.com handle is definitely the New York Times you're thinking of"
Could use the same approach as with moderation services. There’s the official Bluesky one (for the “main” domains) that’s enabled for everyone and then there are 3rd party decentralized ones.
Dreamwidth and Metafilter both offer sections in the user profile to add usernames of various services to serve as a 'FOAF/Also at' with logos and working profile links.
Comments
Any client (Bluesky app) could share the list if it's open source or make their own since it's easy to do.
The mechanism is very simple:
1. Find the root domain of a handle.
2. Look up the name/logo for the root domain.
3. Display the name/logo on the profile.
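The three-step mechanism above as a minimal sketch, added here as an example and not taken from the thread or from Bluesky's code. The list entries, the `SHARED_SUFFIXES` set and the function names are assumptions; matching is done on whole DNS labels so the lookalike and shared-hosting handles raised elsewhere in the thread get no badge.

```python
# Added example: curated-list badge lookup for domain handles.
# CURATED and SHARED_SUFFIXES are constructed sample data, not a real list.
CURATED = {
    "nytimes.com": "The New York Times",
    "github.com": "GitHub",
}
# Suffixes under which anyone can register a name. A badge is never inherited
# through these (a production client would consult the Public Suffix List).
SHARED_SUFFIXES = {"github.io", "bsky.social"}


def normalize(handle):
    """Lowercase the handle and strip '@' / trailing dot; None if unusable."""
    h = handle.strip().lstrip("@").rstrip(".").lower()
    if not h or not h.isascii():
        return None  # Unicode lookalikes never reach the list lookup
    labels = h.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None  # need at least name + TLD, and no empty labels
    return h


def badge_for(handle):
    """Return the curated display name for a handle, or None for no badge."""
    h = normalize(handle)
    if h is None:
        return None
    labels = h.split(".")
    # Step 1: walk candidate roots from the full name down to the last two
    # labels, e.g. a.b.nytimes.com -> b.nytimes.com -> nytimes.com.
    # Comparing whole-label suffixes (not substrings or endswith) is what
    # keeps "fakenytimes.com" and "nytimes.com.evil.example" from matching.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SHARED_SUFFIXES:
            return None  # user-controlled subdomain of a hosting platform
        # Step 2: look the candidate root up in the curated list.
        if candidate in CURATED:
            return CURATED[candidate]
    return None  # Step 3 is the client's job: render a badge only if not None


if __name__ == "__main__":
    for sample in ("jane.nytimes.com", "mytimes.com", "supp0r1.github.io"):
        print(sample, "->", badge_for(sample))
```
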
DNS is the root of all trust on the internet, so we're just leveraging that.
We've seen that orgs are very capable of adding DNS entries already.
And the DNS method is more secure, decentralized, and easier to validate.
Doing it dynamically (without a manual verification of "nytimes.com" actually being "The New York Times") defeats the purpose.
the only way this would work is with some centralised list unfortunately
As long as the criteria are fair and reasonable for what constitutes an "Important Domain" it would be an improvement.
Some people will complain but that's not a reason not to do it.
However, I'm mindful that an unverified domain would now exist in the context of others being verified, so it wouldn't be the same as now.
And verification will inevitably be seen as endorsement, to some degree
There just aren't that many domains to worry about.
We can manually curate the list of "important" ones (news outlets, politicians, governments, big corporations maybe)
And everyone else still has domain handles!
More in this thread:
https://bsky.app/profile/jacob.gold/post/3lc4n2q6vbk27
Jk jk 😅
aesthetically tho, i absolutely love this.
One option though would be to use organization validated SSL certs as a signal in some way.
There's lots of downsides to the whole SSL cert ecosystem but it's an option.
But it's definitely an option!
Organization validated SSLs might get an org name but not the icon.
And if it requires Bluesky staff involvement it's an unsustainable plan.
and we trust our neighbors more than nameless authorities
And clients don't have to do it.
We already have a decentralized/secure system for verification, this just leverages it fully.
How else could we do it?
But for verification we already have a much better option.
We need trustworthy visual verification. People don’t look carefully at domain names (see every phishing scam ever).
Also must make sure it’s accessible for people using screen readers.
A labeler can come along and label a profile as "impersonation" if their domain is for example "nyt1mes.com" or something.