It's nice to start over on Masto. When someone you haven't thought of in ages follows you it's a chance to think about them again. Which is often nice.
@davew Have you been able to figure out why your Mastodon profile link to Scripting.com isn’t “verified” yet? I’m looking at Scripting.com’s HTML and I don’t see why it isn’t working. I saw you were looking into this the other day.
@gruber @davew HTTPS links are required for verification, per the official docs at https://docs.joinmastodon.org/user/profile/

@codejake @gruber — that explains it. Thanks.
@davew @codejake That was actually going to be my guess! Kinda sucks IMO. There’s no reason to require HTTPS for this.

@davew @gruber @codejake

@Gargron any chance the HTTPS requirement for verification can be lifted?

@cdevroe @davew @gruber @Gargron No, don’t lift the HTTPS requirement. It’s important and it was put there for a reason.

Eliminating the HTTPS requirement opens it to various spoofing and security shenanigans.

@codejake @davew @gruber @Gargron I'm curious how this could be done. Do you know of some documentation that I could look at?

@cdevroe For spoofing attacks, start here:

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Now, when you bring this up to most IT pros, they'll say "But that's so unlikely, and the attacker has to be in a special place on the network."

But these attacks can take place anywhere along the chain, from browser extensions to on-the-wire to caching, to CDN, to destination infra.

There's also another class of attacks it prevents, but it's complicated, I'm on vacation, and it won't fit in a toot anyway. 😄

@cdevroe @davew @gruber Again, you have to think about the whole chain for attacks. And don't think Dave, think heads of states and F500 corps.

Here's how I'd actually MITM it for my 40,000 users on our network equipment (and yeah, there's a CSS spacing bug for the forwarded server).

Then, on evilserver.org, I'd have some code that met my goals.

You would do something similar to attack different points in the chain, depending on what your exact goals and jail time tolerances were.
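The mechanism under discussion, as an added example (this is illustrative code, not Mastodon's verifier and not anything codejake posted): the link-verification check looks for a `rel="me"` link on the linked page that points back at the profile. If the page is fetched over plain HTTP, anything on the path can rewrite the response before the verifier sees it, so a page that never linked to the profile can be made to "verify". The profile URL, the host names and the two HTML pages below are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical profile URL used throughout this example.
PROFILE_URL = "https://mastodon.example/@dave"


class RelMeParser(HTMLParser):
    """Collect href values of <a>/<link> elements carrying rel="me"."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list, e.g. rel="me nofollow"
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "me" in rel_tokens and attr.get("href"):
            self.hrefs.append(attr["href"])


def rel_me_links(html):
    """Return every rel="me" href found in the page, in document order."""
    parser = RelMeParser()
    parser.feed(html)
    return parser.hrefs


def verify_link(link_url, fetched_html, profile_url=PROFILE_URL, require_https=True):
    """Return (ok, reason) for a profile link and the HTML fetched from it.

    Simplified stand-in for the back-link check: the page must contain a
    rel="me" link whose href is exactly the profile URL. With require_https
    the check refuses to run at all for non-https links, which is the rule
    the thread is arguing about.
    """
    scheme = urlsplit(link_url).scheme.lower()
    if require_https and scheme != "https":
        return False, "refused: verification only runs over https"
    if scheme not in ("http", "https"):
        return False, "refused: unsupported scheme"
    if profile_url in rel_me_links(fetched_html):
        return True, "verified"
    return False, 'no rel="me" link back to the profile'


def on_path_inject(plaintext_response, profile_url):
    """Simulated on-path attacker rewriting a plaintext HTTP response in transit.

    Inserts a rel="me" back-link before </body>; the origin server never
    served it. This is only possible because nothing authenticates the bytes.
    """
    payload = '<a rel="me" href="%s"></a>' % profile_url
    return plaintext_response.replace("</body>", payload + "</body>", 1)


# Constructed sample pages.
GENUINE_PAGE = """<html><head><title>Dave's site</title></head>
<body><p>Home page.</p>
<a rel="me nofollow" href="https://mastodon.example/@dave">Mastodon</a>
</body></html>"""

VICTIM_PAGE = """<html><head><title>Some other site</title></head>
<body><p>Nothing here links to any fediverse account.</p></body></html>"""


def demo():
    """Run the three cases and return their (ok, reason) results by name."""
    results = {}
    # 1. Genuine page, fetched over https: verifies.
    results["genuine_https"] = verify_link("https://dave.example/", GENUINE_PAGE)
    # 2. Unrelated page, tampered in transit, https rule lifted: "verifies".
    tampered = on_path_inject(VICTIM_PAGE, PROFILE_URL)
    results["tampered_http_lenient"] = verify_link(
        "http://victim.example/", tampered, require_https=False)
    # 3. Same tampered page with the https rule kept: refused before parsing.
    results["tampered_http_strict"] = verify_link("http://victim.example/", tampered)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({why})")
```

The HTTPS rule closes the in-transit rewrite shown by `on_path_inject`; it does nothing about a CDN that terminates TLS or a compromised origin, which is the "whole chain" point made above. The real verifier also fetches the page itself and applies its own normalisation of the profile URL; none of that is modelled here.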

@codejake It just so happens that my jail time tolerance is something less than zero. Thanks for the follow-up. Fascinating.

@cdevroe @codejake

Please take me off the cc list. Thanks.