by rbren 3 hours ago
Who owns your domain name? Hint: it’s probably not you. Your hosting provider could take down your domain, or even steal traffic and direct it to their own IPs
6 comments

This cheap criticism of the headline doesn’t actually apply to the problems brought up in the article:

> Your PDS operator can post as you, like things as you, follow people as you, and it would be cryptographically indistinguishable from your real activity. The signatures are valid.

Your domain name owner or DNS provider cannot redirect your domain name to a different server and cryptographically impersonate you.

Kind of. Your PDS can impersonate you but you can have higher ranked "recovery keys" that can undo/recover all the damage.

Socially, whether you can explain off that your PDS acted maliciously or that it was hacked or whatever is a different story, but if you keep recovery keys for your DID you can take back control and undo everything your PDS did that you didn't authorise pretty trivially. The UX for it needs to be improved but technically the process is super simple/straightforward.

And those recovery keys provide a mechanism for declaring "hey, I didn't do this, I was hacked" on top of specific events, but nothing for taking advantage of that cryptographic opportunity has been built out yet.

Your DNS provider can obtain a TLS certificate for your domain and cryptographically impersonate https://yourdomain.tld

It's not exactly the same thing but it's close.

Still not the same thing as in the article. Server side TLS certificates are widely understood to be tied to the current owner of the domain.

In a social protocol or context, I would expect a private key to be in the private control of the individual, such as when someone uses their private key to sign an email or git commit.

The purpose of signing your emails or commits is to provide a good indicator that it actually came from you, not someone who managed to get access to your email account at the time.

> The purpose of signing your emails or commits is to provide a good indicator that it actually came from you, not someone who managed to get access to your email account at the time.

This is true and it's still true in the ATProto ecosystem but in a different context.

It asserts that events and records are authored by your PDS, not by you specifically. Which is certainly closer to the intent of TLS certs.

And technically you can maintain a PDS proxy that can only host, broadcast events, and receive content but that doesn't have any keys or signing capabilities.

Then you can have a local PDS that does your signing and sends signed events and records (basically signed state updates) to the PDS proxy to actually emit to the network. This then allows you to lock your keys behind a hardware key to better lock everything down. Of course there are trade-offs to this. If it requires physical auth then it can only work on one device at a time, or you have to self-host it homelab style, at which point it might just make more sense to host the PDS yourself anyways.

There's a project that's working on this very thing but I've not kept up with it and I can't remember what the name of it is. If any ATProto people in the comments know the name/link, feel free to reply under this to enlighten me + everyone else.

If you use your private key to sign your commit, I don’t see how your PDS can impersonate it. There are different layers here. Your commit is still signed by you and non-impersonatable by the PDS operator. But the ATProto layer signing is under control of the PDS. So in that case you’d see either unsigned or differently signed git commits being reported at the ATProto layer as by you.

That seems entirely normal. The PDS handles ATProto actions but it cannot modify the git signature (obviously!). It’s no different than the fact that GitHub can post that you’ve committed a “verified” badge commit by adding a new signing key to your account and signing new commits with it.

The storage entity can always claim power over this by reporting a new key and signatures with that key. Seems entirely normal.

This is why your DNS hosting provider, despite not being the "current owner of the domain", being able to impersonate your site (terminate a cryptographically secure TLS session) with your customers is a similar problem.

I do agree they're not the same but the trust and risk are very similar.

DNS providers and registrars seem to have a longer trust established, that reduces the risk.

They are similar in that: jerks can be jerks. But one of the jerks I've trusted for 30 years and I hardly know the other jerk.

Can you move a DNS record AND make it look like I signed off on it?

The author's concern seems to be more focused on impersonation

Do you use your own CA? Would you expect users to even notice if the certs were suddenly issued by LetsEncrypt? Or are you signing traffic using something other than TLS, where the domain name doesn't really matter anyway?

But without private keys they can't pretend to be the same you. There is a very big difference here.

Right, if Bluesky ever does do something hinky with your PDS, the operation will be signed with their key and persisted in the operation log which they're unable to touch. You can outright remove Bluesky's key if you want, though I think that only works within some number of days of creating it.
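A worked model of the rotation-key hierarchy discussed earlier in the thread (recovery keys outranking the PDS key) and of the operation log mentioned in the comment above, added here as an example; it is not code from any commenter, nor from the ATProto or PLC projects. It is a deliberate simplification written for illustration: the key names, the HMAC stand-in for public-key signatures, the constructed secrets and hostnames, the `prev`/`rotationKeys`/`services` field layout and the 72-hour window are all assumptions, and the real did:plc validation rules are more detailed than what is shown.

```python
import hashlib
import hmac
import json

# Assumed simplified model of a did:plc-style operation log. Rotation keys are
# listed in priority order; a higher-priority key may fork the log from an
# earlier operation inside a recovery window, nullifying later operations that
# were signed by lower-priority keys (such as the one the PDS holds).
RECOVERY_WINDOW_SECS = 72 * 3600  # assumed window length

# Constructed secrets; in reality the recovery key never leaves the user's hands.
KEYS = {"recovery": b"constructed-user-held-secret", "pds": b"constructed-pds-secret"}
GENESIS = {"prev": None, "rotationKeys": ["recovery", "pds"], "services": {"pds": "https://pds.example"}}


def canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, payload: dict) -> str:
    # Stand-in for a public-key signature so the example needs only the stdlib;
    # the key-priority logic in OpLog.submit is the point being demonstrated.
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


def verify(secret: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, payload), sig)


class OpLog:
    def __init__(self, keys: dict):
        self.keys = keys  # key name -> secret (a directory would hold public keys)
        self.ops = []     # entries: {"cid", "op", "signer", "ts"}

    def head_cid(self):
        return self.ops[-1]["cid"] if self.ops else None

    def _append(self, op, signer, ts):
        cid = hashlib.sha256(canonical(op)).hexdigest()[:16]
        self.ops.append({"cid": cid, "op": op, "signer": signer, "ts": ts})

    def submit(self, op: dict, signer: str, sig: str, now: int) -> str:
        """Validate one operation; returns 'appended', 'recovered' or a rejection."""
        if signer not in self.keys or not verify(self.keys[signer], op, sig):
            return "rejected: bad signature"
        if not self.ops:  # genesis operation
            self._append(op, signer, now)
            return "appended"
        prev_index = next((i for i, e in enumerate(self.ops) if e["cid"] == op["prev"]), None)
        if prev_index is None:
            return "rejected: unknown prev"
        allowed = self.ops[prev_index]["op"]["rotationKeys"]
        if signer not in allowed:
            return "rejected: signer not a rotation key of prev"
        if prev_index == len(self.ops) - 1:
            self._append(op, signer, now)
            return "appended"
        # Fork: every nullified op must carry a key ranked below the signer in
        # prev's rotation list (keys absent from that list rank lowest), and the
        # earliest nullified op must still be inside the recovery window.
        priority = allowed.index(signer)
        nullified = self.ops[prev_index + 1:]
        ranks = [allowed.index(e["signer"]) if e["signer"] in allowed else len(allowed) for e in nullified]
        if min(ranks) <= priority:
            return "rejected: cannot override equal or higher priority key"
        if now - nullified[0]["ts"] > RECOVERY_WINDOW_SECS:
            return "rejected: recovery window expired"
        self.ops = self.ops[:prev_index + 1]
        self._append(op, signer, now)
        return "recovered"


def attacked_log(t0: int, hostile_at: int) -> OpLog:
    # Genesis signed by the user, then the PDS key drops the recovery key and repoints the DID.
    log = OpLog(KEYS)
    log.submit(GENESIS, "recovery", sign(KEYS["recovery"], GENESIS), t0)
    hostile = {"prev": log.head_cid(), "rotationKeys": ["pds"], "services": {"pds": "https://hostile.example"}}
    assert log.submit(hostile, "pds", sign(KEYS["pds"], hostile), hostile_at) == "appended"
    return log


def run_scenario() -> dict:
    t0 = 1_700_000_000
    log = attacked_log(t0, t0 + 600)
    # User forks from genesis with the higher-priority key and removes the PDS key.
    restore = {"prev": log.ops[0]["cid"], "rotationKeys": ["recovery"], "services": {"pds": "https://pds.example"}}
    r_recover = log.submit(restore, "recovery", sign(KEYS["recovery"], restore), t0 + 3600)
    # PDS tries to fork over the recovery op, then to append with its removed key.
    counter = {"prev": log.ops[0]["cid"], "rotationKeys": ["pds"], "services": {"pds": "https://hostile.example"}}
    r_counter = log.submit(counter, "pds", sign(KEYS["pds"], counter), t0 + 7200)
    again = dict(counter, prev=log.head_cid())
    r_again = log.submit(again, "pds", sign(KEYS["pds"], again), t0 + 7300)
    return {"recovery": r_recover, "pds_counter": r_counter, "pds_after_removal": r_again,
            "endpoint": log.ops[-1]["op"]["services"]["pds"],
            "rotation_keys": log.ops[-1]["op"]["rotationKeys"], "log_length": len(log.ops)}


def late_recovery_rejected() -> str:
    # Same attack, but the user only notices after the recovery window has closed.
    t0 = 1_700_000_000
    log = attacked_log(t0, t0 + 60)
    restore = {"prev": log.ops[0]["cid"], "rotationKeys": ["recovery"], "services": {"pds": "https://pds.example"}}
    return log.submit(restore, "recovery", sign(KEYS["recovery"], restore), t0 + 60 + RECOVERY_WINDOW_SECS + 1)
```

`run_scenario()` ends with the log back at two operations, the PDS endpoint restored and only the user's key left in the rotation list, while both of the PDS key's follow-up attempts are refused: its fork is outranked, and after removal it is no longer a rotation key at all. `late_recovery_rejected()` shows the other side of the "some number of days" caveat in the comment above: the same recovery operation is refused once the window has passed, so the recovery key only helps if the operation log is actually being watched.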
If it's an Onion (Tor) hostname, you absolutely do own it. Sure, it's not memorable, being a 128-bit hash. And nobody else can impersonate or take it.

And for lower bandwidth tasks, Tor Onions can't be beat. Just make sure to use 2FA on services you offer to keep the trash out. Things like fail2ban don't work the way you intend.

That is why you have did:plc in ATProto, but that doesn't resolve the concerns raised in this article.

Yes you do own your domain, as much as you can own your house. Your hosting provider can only take down your hosting, not your domain. Seizing domain names isn't very common. And by the way, with Web3 domains, you have full ownership via your own private key, with no need to pay rent. Is it possible to lose your house that you own? Yes. It's far more rare to lose a domain you own, by it being seized.

DNSSEC is used to prevent unauthorized stealing of domains. Furthermore, if someone does steal one domain you own, they don't steal all your accounts across all domains. If they take over your hosting, that's a fixable problem -- you just repoint the domain.

Now, having said that, I designed the Safebox exactly to prevent these scenarios from happening, and create an actually solid foundation for decentralized social networking, AI workloads, etc. If anyone is interested, probably the best link to begin reading about it is: https://safebots.ai/about (If you do, I'd love to hear your thoughts)

In addition to the fact that almost nobody uses DNSSEC, it solves none of the problems indicated by this article.

Right, but neither do these problems apply to domains, as much as they apply to ATProto accounts.

You don't even have the frameworks that are available to protect domains. (Domain lock, transfer, etc.) And registrars are regulated by laws and frameworks in ways ATProto hosts aren't. Don't get me wrong, if a registrar transfers your domain due to a social engineering attack on the registrar, then you might lose it (an attacker almost did this to me once via a SIM swap, and I had to call GoDaddy to prevent the transfers). But that's not the same as, say, hacking the web hosting server.

In any case, tptacek, Safebox is supposed to solve these actual problems, by making sure no one can actually get into the box (no SSH, etc.) so it's a "neutral ground" that no one can really "own", "redirect", steal keys or impersonate you. If you read https://safebots.ai/about you'll see what I'm talking about. If you do, I'd love to read any feedback you might have, given your background in security!

Seizing domains is a lot more common than it used to be though, enough that it's a real concern for me personally, and I'm not sure there is a viable solution at the moment. There is also the concern of countries/governments or specific ISPs simply blocking access to one's domain in various ways... and the number of authoritarian regimes that have been blocking large portions of the Internet has only grown with time.

And regarding DNSSEC... if your domain is taken by the registrar (court order, ToS violation, etc.) or a government that can command the parent TLD to act, they can just revoke your old key and transfer the domain to someone else (or set up a placeholder under their own DNS) and now your protection and all concept of ownership is completely gone without your consent. This happened a few years ago with Epik seizing the soyjakparty and kiwifarms domains, including their hosting from a subsidiary company Terrahost... and KF has never even lost a lawsuit, but there are some specific people that really don't like them, and have gotten adept at claiming ToS violations via every possible company that touches them in order to try to make them go away.

> Yes you do own your domain, as much as you can own your house

Uh, no.

I can legally shoot and kill intruders due to castle doctrine and stand your ground laws in my physical home. And legal invasions require being in front of a judge and a search warrant.

A domain can be seized for 'terms of service' (aka kangaroo court) reasons. Neither stand your ground nor castle doctrine applies to your digital house.

Domains typically can’t be seized for arbitrary ToS violations, as registrars who do this can lose their accreditation with ICANN (and thus their ability to host domains at all). If the registrar could “frame” you for something like DNS abuse then maybe they could justify a suspension, and if they don’t unsuspend it after you correct the issue, you’d have to file a complaint with ICANN to (hopefully) get it back. If something like this happened and became public, though, the registrar would lose tons of business, as people would develop doubts about the registrar’s reputation.

Let's compare apples to apples, shall we?

How many houses were actually seized, repossessed, commandeered with "eminent domain", slowly taken over via "adverse possession", encroached on with easements and air rights, and whatever else? Versus how many domains?

There is no violence on the internet. You can't shoot intruders. And that's a great thing.

Put in legal terms, you do NOT have this level of ownership to your house... and you certainly do not have sovereign immunity on your land: https://en.wikipedia.org/wiki/Allodial_title

Usually the best you can get is this: https://en.wikipedia.org/wiki/Fee_simple

You probably have something more like this: https://en.wikipedia.org/wiki/Freehold_(law)

What you are describing is more like the king of England being able to shoot people on his own property, and have full sovereign immunity (in theory, I mean recently a British prince was arrested on allegations of far less).

I'm not sure where you're from, but in my state, we have "Castle Doctrine" and "Stand your Ground" laws.

That means if you are a home invader, I can legally shoot and kill you. There'll be an investigation, but both statutes are affirmative defenses to killing.

It's not that I want to, or look forward to it. I don't, and I hope I never have to. But I will, if I'm forced.