It turns out you can simply serve a file from a domain to use it as your bsky handle.
So this guy is now S3. All of S3.
ok so I looked into this:
@jonty @atatassault
to change your handle in Bluesky you need to call the updateHandle function, which passes through some things. First it validates whether the handle is valid. Assuming you have a handle like s3.amazonaws.com, that's not one of the "supported domains" in bsky.social's PDS (instance), so it has to go through an extra function called resolveExternalHandle. It will first check if it has a TXT record with did={did}, where did is a user ID. If that fails, then "no worries, it's just not found". Then it calls the xrpc for what the did should be.
so if you look at s3.amazonaws.com, the xrpc would be https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHandle, which, funnily enough, returns a did that's equal to Chaz Schlarp's.
so this isn't possible unless you can create /xrpc/com.atproto.identity.resolveHandle, so no cdn.discordapp.net or gist.github.com. Still, really funny.
you don't need to have a pds running to verify your domain, but it's a failsafe in case the dns doesn't work
what I am currently looking into is how to fix this lol. It's obviously intentional, but I can't seem to see why, and obviously if you can control what the domain is, then you can impersonate the domain itself. Which makes me wonder if other object storages are at risk.
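The two-step resolution the thread walks through (DNS TXT record first, then the HTTPS xrpc fallback on the domain itself), written out as a small added example so the weak point is visible in code. This is not the PDS's own code: the `_atproto.<handle>` TXT name is the atproto spec's record location, the `allow_http_fallback` switch is my own knob for contrasting DNS-only resolution with the fallback, and the DNS records, the "bucket" domain `storage.example.net` and the DIDs in the fixtures are all constructed for the example. The fake HTTP fetcher ignores the query string, as static object hosting does, which is exactly why a plain uploaded file at the xrpc path is enough to answer for the whole domain.

```python
import json
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Loose syntactic check for a DID (did:method:identifier).
DID_RE = re.compile(r"^did:[a-z]+:[A-Za-z0-9._:%-]+$")

DnsLookup = Callable[[str], List[str]]        # name -> list of TXT record values
HttpGet = Callable[[str], Optional[str]]      # url  -> response body, or None


def resolve_external_handle(handle: str, dns_txt: DnsLookup, http_get: HttpGet,
                            allow_http_fallback: bool = True) -> Optional[str]:
    """Resolve a handle outside the PDS's own domains to a DID.

    Order mirrors the thread: DNS TXT first, then ask the domain over HTTPS.
    allow_http_fallback is an assumption of this example, not a real PDS flag.
    """
    handle = handle.lower().strip(".")

    # Step 1: DNS. The atproto spec puts the record at _atproto.<handle>
    # with a value of the form "did=<did>".
    for value in dns_txt(f"_atproto.{handle}"):
        if value.startswith("did="):
            did = value[len("did="):]
            if DID_RE.match(did):
                return did

    if not allow_http_fallback:
        return None

    # Step 2: HTTPS fallback: ask the domain itself. Whoever can place a file
    # at this path on the domain gets to say which DID the domain belongs to.
    url = f"https://{handle}/xrpc/com.atproto.identity.resolveHandle?handle={handle}"
    body = http_get(url)
    if body is None:
        return None
    try:
        did = json.loads(body).get("did")
    except (ValueError, AttributeError):
        return None
    return did if isinstance(did, str) and DID_RE.match(did) else None


# Constructed fixtures (not real records or DIDs): one domain with a proper
# TXT record, and one object-storage-style domain where any tenant can upload
# a file under any key, so the xrpc path is attacker-controlled.
FAKE_DNS: Dict[str, List[str]] = {
    "_atproto.example.com": ["did=did:plc:ownerofexampledotcom"],
}
FAKE_OBJECTS: Dict[str, str] = {
    "https://storage.example.net/xrpc/com.atproto.identity.resolveHandle":
        json.dumps({"did": "did:plc:attackeruploadedthisfile"}),
}


def fake_dns_txt(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def fake_http_get(url: str) -> Optional[str]:
    # Static object hosting serves the object at the path and ignores the
    # query string, so "?handle=..." does not get in the way of the upload.
    parts = urlsplit(url)
    key = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return FAKE_OBJECTS.get(key)


def demo() -> Dict[str, Optional[str]]:
    """Run the three cases that matter and return the resolved DIDs."""
    return {
        # Normal case: the domain owner published a TXT record.
        "dns_handle": resolve_external_handle(
            "example.com", fake_dns_txt, fake_http_get),
        # Shared-hosting case: no TXT record, but the fallback finds the
        # uploaded file, so a tenant becomes "the whole domain".
        "bucket_handle": resolve_external_handle(
            "storage.example.net", fake_dns_txt, fake_http_get),
        # Same domain with the HTTPS fallback disabled: resolution fails,
        # which is the behaviour the thread is asking how to get back to.
        "bucket_handle_dns_only": resolve_external_handle(
            "storage.example.net", fake_dns_txt, fake_http_get,
            allow_http_fallback=False),
    }


if __name__ == "__main__":
    for case, did in demo().items():
        print(f"{case}: {did}")
```

The bucket case is the point of the thread: the DNS check fails, the fallback fetches a file that any tenant of the shared domain could have uploaded, and the resolver has no way to tell that file apart from one the domain owner published. Disabling the fallback closes that hole for shared hosting, at the cost of the no-DNS failsafe the thread mentions.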