Based on how verification was revoked for some users on Twitter based on their content rather than question of their identity, I’m cautious about this system turning into the status symbol it became on Twitter rather than the verification it claimed to be.
Personally I use KeePassXC + Syncthing, but Bitwarden/Vaultwarden is also a great.
What’s somewhat amusing, for lack of a better word, is that even that advice doesn’t fully resolve the issue, as Troy himself recently was the victim of a phising attack, where one part of the issue was that even legitimate sites changes their sign-in domains frequently enough that you kind of become numb to when the auto-fill stops working and just “correct” the issue without the necessary due diligence.
I saw some small talk about it, and it really just boiled down to domain verification is great for more tech savvy folks, but trying to get larger accounts (think politicians, celebrities, etc) is a lot harder. Having a visual check, using tools within the app or site, is a lot easier.
And personally I like the idea of verification checks as long as it remains a simple means to do just that: verify the owner of the account. Morons like Musk and his ilk always thought it was a clout thing, and for a small minority that was probably the case, but by and large before he ruined it, it was great.
I feel like domain usernames are still inherently susceptible to phishing, you can get a typo or similar character to try and trick someone that your username is an official one
If they are, and there isn’t anything to display it, how are we to know what’s been vetted and what’s slipped through the cracks? Especially on a new account?
For example someone at say, NPR, could use a name like @bob.npr.org which is only possible by verifying ownership of the npr.org domain name, so there is no need to vet anything.
That’s great for an organization like NPR which may have the resources to tie its own domain name into Bluesky. For some freelance reporter or otherwise verifiable person, I’m not sure it’s quite so practical.
And tying it to the Bluesky system? Not sure the cost of that (I swear I saw it was a potential monetization they were looking into) but also the time to figure it out isn’t practical for everyone.
Domains only help you verify organizations and individuals you recognize directly.
This verification system also allows 3rd parties (it’s NOT just bluesky themselves!) to issue attestations that s given account belongs to who they say they are, which would help people like independent journalists, etc.
Idk. Celebrities and Politicians usually have other vetted channels such as their own website or a website of their ogranization representing them. It should be basic journalistic work to see if their social media links link to the account in question or not.
So it is not given to a centralized authority, that is guided by for profit motives and also does the moderation of its plattform.
Where this can lead was shown with twiiter. The moment the central organization is captured, the central authority will abuse the authentification for its own goals. Then instead of just having to check for the authentification to be reliable you need to question everything that is on that plattform as a whole, which is infinetly more consuming, but also simply impossible.
This doesn’t appear to be given to a centralised authority. If the authentication process fails then it falls back to the previous method anyway. In reality most people won’t bother to authenticate if it involves any significant work.
idk man I haven’t seen anyone complaining about it on Bluesky
This is a net positive, nice to have a social media where verification checks are…actually used for verifying the person behind an account
Based on how verification was revoked for some users on Twitter based on their content rather than question of their identity, I’m cautious about this system turning into the status symbol it became on Twitter rather than the verification it claimed to be.
But isn’t the domain already doing that?
The problem with domains is that regular people would need to know what a domain is and what verified ownership says about the account in question.
Even then, reading domains is quite difficult, even for people who know about the topic: Humans are Bad at URLs and Fonts Don’t Matter
Excellent post as usual from Troy, but use Bitwarden, not 1Password
Personally I use KeePassXC + Syncthing, but Bitwarden/Vaultwarden is also a great.
What’s somewhat amusing, for lack of a better word, is that even that advice doesn’t fully resolve the issue, as Troy himself recently was the victim of a phising attack, where one part of the issue was that even legitimate sites changes their sign-in domains frequently enough that you kind of become numb to when the auto-fill stops working and just “correct” the issue without the necessary due diligence.
That link was a super interesting read!
I saw some small talk about it, and it really just boiled down to domain verification is great for more tech savvy folks, but trying to get larger accounts (think politicians, celebrities, etc) is a lot harder. Having a visual check, using tools within the app or site, is a lot easier.
And personally I like the idea of verification checks as long as it remains a simple means to do just that: verify the owner of the account. Morons like Musk and his ilk always thought it was a clout thing, and for a small minority that was probably the case, but by and large before he ruined it, it was great.
I feel like domain usernames are still inherently susceptible to phishing, you can get a typo or similar character to try and trick someone that your username is an official one
If they are, and there isn’t anything to display it, how are we to know what’s been vetted and what’s slipped through the cracks? Especially on a new account?
It’s the username so already quite visible.
For example someone at say, NPR, could use a name like @bob.npr.org which is only possible by verifying ownership of the npr.org domain name, so there is no need to vet anything.
That’s great for an organization like NPR which may have the resources to tie its own domain name into Bluesky. For some freelance reporter or otherwise verifiable person, I’m not sure it’s quite so practical.
Domains are dirt cheap.
And tying it to the Bluesky system? Not sure the cost of that (I swear I saw it was a potential monetization they were looking into) but also the time to figure it out isn’t practical for everyone.
I just bought a domain for $2
Congratulations. You did a great job ignoring the rest of what I had to say.
Domains only help you verify organizations and individuals you recognize directly.
This verification system also allows 3rd parties (it’s NOT just bluesky themselves!) to issue attestations that s given account belongs to who they say they are, which would help people like independent journalists, etc.
Idk. Celebrities and Politicians usually have other vetted channels such as their own website or a website of their ogranization representing them. It should be basic journalistic work to see if their social media links link to the account in question or not.
I’m not seeing the advantage of everyone having to do the same vetting process repeatedly.
So it is not given to a centralized authority, that is guided by for profit motives and also does the moderation of its plattform.
Where this can lead was shown with twiiter. The moment the central organization is captured, the central authority will abuse the authentification for its own goals. Then instead of just having to check for the authentification to be reliable you need to question everything that is on that plattform as a whole, which is infinetly more consuming, but also simply impossible.
This doesn’t appear to be given to a centralised authority. If the authentication process fails then it falls back to the previous method anyway. In reality most people won’t bother to authenticate if it involves any significant work.
Most of the complaints I’ve seen were about Bluesky’s lack of a formal verification system.
They could never figure out how the current system of checking the username.