this post was submitted on 19 Apr 2025
734 points (95.6% liked)

Technology

[–] Mars2k21@sh.itjust.works 120 points 6 months ago (3 children)

idk man I haven't seen anyone complaining about it on Bluesky

This is a net positive, nice to have a social media where verification checks are...actually used for verifying the person behind an account

[–] cyrano@lemmy.dbzer0.com 28 points 6 months ago (5 children)

But isn’t the domain already doing that?

[–] nekusoul@lemmy.nekusoul.de 32 points 6 months ago (2 children)

The problem with domains is that regular people would need to know what a domain is and what verified ownership says about the account in question.

Even then, reading domains is quite difficult, even for people who know about the topic: Humans are Bad at URLs and Fonts Don’t Matter

[–] 01189998819991197253@infosec.pub 4 points 6 months ago

That link was a super interesting read!

[–] lagoon8622@sh.itjust.works 3 points 6 months ago (1 children)

Excellent post as usual from Troy, but use Bitwarden, not 1Password

[–] nekusoul@lemmy.nekusoul.de 1 points 6 months ago* (last edited 6 months ago)

Personally I use KeePassXC + Syncthing, but Bitwarden/Vaultwarden is also great.

What's somewhat amusing, for lack of a better word, is that even that advice doesn't fully resolve the issue, as Troy himself recently was the victim of a phishing attack, where one part of the issue was that even legitimate sites change their sign-in domains frequently enough that you kind of become numb to when the auto-fill stops working and just "correct" the issue without the necessary due diligence.

[–] spongebue@lemmy.world 19 points 6 months ago* (last edited 6 months ago) (1 children)

If they are, and there isn't anything to display it, how are we to know what's been vetted and what's slipped through the cracks? Especially on a new account?

[–] MangoPenguin@lemmy.blahaj.zone 8 points 6 months ago* (last edited 6 months ago) (1 children)

It's the username so already quite visible.

For example someone at say, NPR, could use a name like @bob.npr.org which is only possible by verifying ownership of the npr.org domain name, so there is no need to vet anything.

[–] spongebue@lemmy.world 10 points 6 months ago (1 children)

That's great for an organization like NPR which may have the resources to tie its own domain name into Bluesky. For some freelance reporter or otherwise verifiable person, I'm not sure it's quite so practical.

[–] FourWaveforms@lemm.ee 1 points 6 months ago (1 children)
[–] spongebue@lemmy.world 1 points 6 months ago (2 children)

And tying it to the Bluesky system? Not sure the cost of that (I swear I saw it was a potential monetization they were looking into) but also the time to figure it out isn't practical for everyone.

[–] FourWaveforms@lemm.ee 1 points 6 months ago (1 children)

I just bought a domain for $2

[–] spongebue@lemmy.world 1 points 6 months ago (1 children)

Congratulations. You did a great job ignoring the rest of what I had to say.

[–] FourWaveforms@lemm.ee 0 points 6 months ago

I think it's practical for most people to pay $2 for that

[–] tombrandis@reddthat.com 1 points 5 months ago

free (or at least it was when I did it)

[–] thekerker@lemmy.world 17 points 6 months ago

I saw some small talk about it, and it really just boiled down to domain verification is great for more tech savvy folks, but trying to get larger accounts (think politicians, celebrities, etc) is a lot harder. Having a visual check, using tools within the app or site, is a lot easier.

And personally I like the idea of verification checks as long as it remains a simple means to do just that: verify the owner of the account. Morons like Musk and his ilk always thought it was a clout thing, and for a small minority that was probably the case, but by and large before he ruined it, it was great.

[–] BackwardsUntoDawn@lemm.ee 11 points 6 months ago

I feel like domain usernames are still inherently susceptible to phishing, you can get a typo or similar character to try and trick someone that your username is an official one
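A defender-side check for the lookalike problem raised in the comment above, added here as an example and not part of the thread: it compares a handle against handles the reader already trusts and reports whether it is an exact match, a similar-character variant, or a one-character typo. The trusted list and the small confusables table are constructed for illustration; a real check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed sample: handles the reader already trusts (assumption).
KNOWN_HANDLES = ["npr.org", "bob.npr.org"]

# Small constructed lookalike table (digits and Cyrillic letters that
# render like Latin ones); not the full Unicode confusables list.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0456": "i",
})

def skeleton(handle):
    """Fold case, compatibility forms and known lookalike characters."""
    h = unicodedata.normalize("NFKC", handle).lower().lstrip("@")
    return h.translate(CONFUSABLES).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(handle, known=KNOWN_HANDLES):
    """Return (verdict, matched_handle); verdict is one of
    'exact', 'homoglyph', 'typo', 'unknown'."""
    plain = handle.lower().lstrip("@")
    if plain in known:
        return ("exact", plain)
    skel = skeleton(handle)
    for k in known:
        if skel == skeleton(k):  # same look, different code points
            return ("homoglyph", k)
    for k in known:
        if edit_distance(skel, skeleton(k)) == 1:  # one-character slip
            return ("typo", k)
    return ("unknown", None)

if __name__ == "__main__":
    for h in ["@bob.npr.org", "b\u043eb.npr.org", "bob.nprr.org"]:
        print(ascii(h), classify(h))
```
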

[–] Natanael@infosec.pub 6 points 6 months ago (1 children)

Domains only help you verify organizations and individuals you recognize directly.

This verification system also allows 3rd parties (it's NOT just bluesky themselves!) to issue attestations that a given account belongs to who they say they are, which would help people like independent journalists, etc.

[–] Saleh@feddit.org 1 points 6 months ago (1 children)

Idk. Celebrities and Politicians usually have other vetted channels such as their own website or a website of their organization representing them. It should be basic journalistic work to see if their social media links link to the account in question or not.

[–] BeardedGingerWonder@feddit.uk 1 points 6 months ago (1 children)

I'm not seeing the advantage of everyone having to do the same vetting process repeatedly.

[–] Saleh@feddit.org 1 points 6 months ago (1 children)

So it is not given to a centralized authority, that is guided by for profit motives and also does the moderation of its platform.

Where this can lead was shown with Twitter. The moment the central organization is captured, the central authority will abuse the authentication for its own goals. Then instead of just having to check for the authentication to be reliable you need to question everything that is on that platform as a whole, which is infinitely more consuming, but also simply impossible.

[–] BeardedGingerWonder@feddit.uk 1 points 6 months ago

This doesn't appear to be given to a centralised authority. If the authentication process fails then it falls back to the previous method anyway. In reality most people won't bother to authenticate if it involves any significant work.

[–] airportline@lemm.ee 16 points 6 months ago

Most of the complaints I’ve seen were about Bluesky’s lack of a formal verification system.

They could never figure out how the current system of checking the username.

[–] setsneedtofeed@lemmy.world 12 points 6 months ago

Based on how verification was revoked for some users on Twitter based on their content rather than question of their identity, I'm cautious about this system turning into the status symbol it became on Twitter rather than the verification it claimed to be.