Csaba Gálffy
Jonty WareingIt turns out you can simply serve a file from a domain to use it as your bsky handle.
So this guy is now S3. All of S3.
let's regular posting@jonty lmao this rules
Graham Sutherland / Polynomial
Jae Bloom@jonty LMAO!!!!!! That is actually brilliant!!!! 🤣
Jesse Karmani@jonty this is fiiiine. bluesky is filled with very smart people and therefore they don’t need to participate in open standard groups before they just invent their own!
#Digital ⚓️ #Vagabond 🦈@jesseplusplus @jonty W3C's AP GitHub has 889 stars... 77 followers and 68 forks...
@reiver ⊼ (Charles) 
What file do you serve from a domain to take it over on BlueSky?
(I'm only used to the DNS TXT "did=" technique.)
Ok, he made:
https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHandle
Return:
{"did":"did:plc:imkvi5glxfcpaqcinktnbpwt"}
.
Andrew Drake
noop_noob@reiver @jonty
Documented (poorly) at https://atproto.com/guides/identity#handle-resolution and https://atproto.com/specs/xrpc#path
Documented (poorly) at https://atproto.com/guides/identity#handle-resolution and https://atproto.com/specs/xrpc#path
Nahga@jonty
that is proof, ya messed up bksy
that is proof, ya messed up bksy
Merlin.2160p.BDRip.x265.10bit@jonty i wanna be raw.githubusercontent.com
who the hell is duc? 
@jonty wait i thought people were putting in domains as a kind of style lol
what's the point if it's on a single server atm
what's the point if it's on a single server atm
Charles Johnson@jonty oopsie!
Chris Partridge@jonty so jealous i'm not all of s3 :(
Pseudo Nym@jonty Bug Bounty?
@jonty if only there were a well-known way to avoid these problems
Alfonso UrdanetaWe can only dream
Vegetable Gremlin ⍼👻@jonty that is hilariously stupid
Defiance!@jonty Moving fast and breaking things! 🤡
Nafnlaus 🇮🇸 🇺🇦
Grampa
Jeremy Kitchen
BenderIsGreat34@jonty is this an example of 10X engineering?
Dmitri | 🇺🇦@jonty Ahahahah ok so over on the did:web spec, there are people arguing that you shouldn't be able to serve DID documents off of sub-directories, top domain only! I'm gonna show them this screenshot! :)
Eric Vitiello@jonty lololol
ch0ccyra1n is leaving fedi soon
Chema Hernández Gil
Major Hayden 🤠@jonty Absolute gold. 🏅
Lotus 🔞⛓🏳️🌈🐘@jonty what could possibly go wrong 🤷♀️
AT-AT Assault 🏳️⚧️Can you ELI5 for those of us not educated in what I think is networking protocol?
Nirro@atatassault @jonty disclaimer: I haven't fact-checked anything I'm about to say and have never interacted with bluesky.
It seems that there's some verification proccess to claim a handle that consists on putting up a file somewhere on the Internet.
People seem to be abusing this by putting up these files in file hosting services, claiming handles in domains they don't own but that allow to upload arbitrary files.
fbievan@nirro @atatassault @jonty that is kinda funny... Both an issue with the security of that site and bluesky's verification... Tbh just do what the fediverse did and use HTML headers...
Walker Boh🛡@jonty LOL its going well then
Pablo Martini@jonty he has low expectations!
Skylar Caulfield 
@jonty this is great lmao
Michael Stanclift@jonty this is truly wonderful.
Shirley Eugest@jonty 🤪 🤨
oops
oops
(Chris Davis)@jonty hilarious, I sat next to chaz for years
Julian Lam@jonty all the more reason for a camo proxy! Yeesh ...
Colin@jonty @aurorapenguin serve a file? All I saw is that you need to add a DNS record for the domain in question.
It’s such a stupid “feature” though. Makes it look like it’s a self-hosted instance, nopeeeee.
Oblomov@jonty I wonder what happens if two accounts do the same
ok so I looked into this:
to change your handle in bluesky you need to call the updateHandle function which passes through some things. first it validates if the handle is valid. assuming you have a handle like s3.amazonaws.com, that's not one of the "supported domains" in bsky.social's pds (instance) so it has to go through an extra function called resolveExternalHandle. it will first check if it has a txt record with did={did} where..
@jonty @atatassault
did is a user id. if it fails, then "no worries it's just not found". then it calls the xrpc for what the did should be
so if you look at s3.amazonaws.com, the xrpc would be https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHandle. which funny enough returns a did that's equal to Chaz Schlarp's
so this isn't possible unless you can create /xrpc/com.atproto.identity.resolveHandle, so no cdn.discordapp.net or gist.github.com. still, really funny
you don't need to have a pds running to verify your domain, but it's a failsafe in case the dns doesn't work
what I am currently looking into is how to fix this lol, it's obviously intentional but I can't seem to see why and obviously if you can control what the domain is then you can impersonate the domain itself. which makes me wonder if other object storages are at risk
Fladdle@jonty This looks great! I have no idea what it means.
Osma A 🇫🇮🇺🇦@jonty Absolutely beautiful! They design the verification to work on DNS, but then create a fallback that does NOT use DNS - yet validates domains.
WebFinger as it is used here isn't much better, but its saving grace is that it validates [email protected] profiles, not naked domains.
WebFinger as it is used here isn't much better, but its saving grace is that it validates [email protected] profiles, not naked domains.
John McCrylin@jonty I don't understand
Sominemo@jonty ATP is a joke.
Jan@jonty Overpromise and underdeliver.
Kid Codes@jonty Dis is funny, makin' things look broken, like a compootah prank! 🤖🤪 It's like puttin' googly eyes on my toys n gigglin' when they look all silly n wonky! 😄💻 #KidCodes #CompootahPranks
[Yaseenist] CauseOfBSOD 
@jonty this should have definitely been a TXT record in the DNS rather than a file on a website
(or force the file to be in .well-known I guess, like Lets Encrypt does)
(or force the file to be in .well-known I guess, like Lets Encrypt does)
pivotman319 🦊 
@jonty imagine being the entirety of ntdev.corp.microsoft.com
Gamarús
MikeK
TransitBiker@jonty idiotic
Dieu@jonty did bs just rip off the entire twitter design? That's what it looks like.
austin, not your sweet baboo
João Tiago Rebelo@jonty has anyone made an "all your S3 are belongs to us" joke yet?
Danielle Navarro@jonty Until this exact moment I have never ever wanted quote toots but omg now I really really want to editorialise...