Verified profile via websites where we don't have control over the markup
Pitch
I don't want to necro an old closed issue on this topic (#18290) but I think it's a really good discussion to have which I think we can achieve a solution for.
I propose that, since links are bi-directionally verified (meaning you have to have the link in your profile and also in the target location), we allow them to use a query parameter to achieve the same.
To add further protection the user could be required to approve the verification of the link itself to their profile.
https://glasgow.social/@treybastian?rel=me would achieve mostly the same thing as <a rel="me" href="https://glasgow.social/@treybastian">Me</a>
Added with the safety of requiring user to approve the verified link I think this greatly improves the current situation.
Motivation
On YouTube, GitHub, Twitter, and almost any other platform that an individual controls and promotes, they want to show that it's theirs, and also that the Mastodon profile is in fact theirs.
This provides a better mechanism of proof of identity for individuals that want it.
Overlaps largely with #20143 I think.
https://glasgow.social/@treybastian?rel=me would achieve mostly the same thing as <a rel="me" href="https://glasgow.social/@treybastian">Me</a>
Except I could put https://mastodon.social/@ineffyble?rel=me in a tweet, get you to retweet it, and then it appears on your Twitter profile and I could verify your Twitter on my account, right?
Overlaps largely with #20143 I think.
Yes, I definitely missed this but this is a slightly different solution.
https://glasgow.social/@treybastian?rel=me would achieve mostly the same thing as <a rel="me" href="https://glasgow.social/@treybastian">Me</a>
Except I could put https://mastodon.social/@ineffyble?rel=me in a tweet, get you to retweet it, and then it appears on your Twitter profile and I could verify your Twitter on my account, right?
Yes, that's why the 2nd part of this solution would further add protection.
To add further protection the user could be required to approve the verification of the link itself to their profile.
I think #20143 is also a great solution mind you, but I think this is potentially far easier to implement.
Not sure I understand how the second part would work. Which user would approve the verified link?
For what it is worth, I took a look at Twitter (#19584). For a logged-out browser (which is what the Mastodon server doing the verification is) there is no apparent way to get to the bio of the user without doing multiple requests to get guest tokens, at which point it seemed like it was something that they don't want you to do.
Not sure I understand how the second part would work. Which user would approve the verified link?
The Mastodon user itself.
The verification only matters on the Mastodon end, so the Mastodon user whose profile it is verifies that the link is true.
For what it is worth, I took a look at Twitter (#19584). For a logged-out browser (which is what the Mastodon server doing the verification is) there is no apparent way to get to the bio of the user without doing multiple requests to get guest tokens, at which point it seemed like it was something that they don't want you to do.
If Mastodon is in fact using browser automation, this should be no issue. If it's doing API calls then the situation might be a bit more difficult, but I think it is still worthy of investigation.
Twitter requiring a redirect step is still not a no-go on this imo and doesn't preclude this functionality from working on websites like github, reddit, facebook, instagram, youtube and others that don't hijack your links through their URL shortener.
These are the type of things that are very important for people especially those with followings.
Except I could put https://mastodon.social/@ineffyble?rel=me in a tweet, get you to retweet it, and then it appears on your Twitter profile and I could verify your Twitter on my account, right?
Another guard against this "attack", if you want to call out specific websites where this is an issue (i.e., the URL showing up on someone's homepage because they retweeted it): you disallow link discovery in certain areas of markup, like a timeline, for Twitter specifically, since that seems to be the most challenging one here.
Mastodon's not using browser automation, that would be very tricky to scale. It's just pulling the HTML of the URL/link provided.
The verification only matters on the Mastodon end, so the Mastodon user whose profile it is verifies that the link is true.
Still not quite sure I understand how this isn't open to abuse. If I can get you to retweet a link to my Mastodon profile, and it happens to contain ?rel=me, then I am now able to impersonate you on Mastodon, because I can add your Twitter link to my Mastodon and it will show as verified.
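As an added example for this thread (not code from Mastodon or from anyone in the discussion), here are the two checks side by side over constructed HTML: the existing rel="me" attribute check and the proposed ?rel=me query-parameter check, run against a page whose owner controls the markup and against a Twitter-style profile whose timeline contains a retweet of the attacker's link, as described in the comment above. The page contents, the helper names, and the reuse of the handles from the thread are assumptions for illustration; nothing is fetched over the network, and Mastodon's real verifier is not reproduced here.

```ruby
require 'uri'

# Added example, not Mastodon's code. Regex-based tag scanning is enough
# for the constructed pages below; it is not a general HTML parser.
TAG_RE  = /<(?:a|link)\s[^>]*>/im
ATTR_RE = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i

# Every <a>/<link> tag that has an href, together with its rel tokens.
def extract_links(html)
  html.scan(TAG_RE).map do |tag|
    attrs = {}
    tag.scan(ATTR_RE) { |name, dq, sq, bare| attrs[name.downcase] = dq || sq || bare }
    next unless attrs['href']
    { href: attrs['href'], rel: attrs.fetch('rel', '').downcase.split }
  end.compact
end

# Comparison key for profile URLs: scheme and host lowercased; query,
# fragment and trailing slash dropped. Relative or unparseable hrefs -> nil.
def canonical(url)
  u = URI.parse(url)
  return nil unless u.scheme && u.host
  "#{u.scheme.downcase}://#{u.host.downcase}#{u.path.sub(%r{/+\z}, '')}"
rescue URI::InvalidURIError
  nil
end

# True when the href's query string carries rel=me (the pitch's marker).
def query_has_rel_me?(href)
  q = URI.parse(href).query.to_s
  URI.decode_www_form(q).any? { |k, v| k == 'rel' && v == 'me' }
rescue URI::InvalidURIError, ArgumentError
  false
end

# Existing behaviour as described in the thread: the fetched page must
# link back to the profile with rel="me" on the tag itself.
def verified_by_rel_me?(fetched_html, profile_url)
  target = canonical(profile_url)
  extract_links(fetched_html).any? { |l| l[:rel].include?('me') && canonical(l[:href]) == target }
end

# The pitch: a link back whose query string carries rel=me also counts,
# whatever element it sits in.
def verified_by_query_param?(fetched_html, profile_url)
  target = canonical(profile_url)
  extract_links(fetched_html).any? { |l| query_has_rel_me?(l[:href]) && canonical(l[:href]) == target }
end

# Constructed page 1: a homepage whose owner controls the markup.
OWNER_PAGE = <<~HTML
  <html><head><link rel="me" href="https://glasgow.social/@treybastian"></head>
  <body><a href="https://example.org/blog">Blog</a></body></html>
HTML

# Constructed page 2: a Twitter-style profile of the victim. The bio has no
# link at all, but the timeline shows a retweet of the attacker's post, which
# carries the attacker's profile URL with ?rel=me appended.
VICTIM_PROFILE_PAGE = <<~HTML
  <html><head><title>@victim</title></head><body>
  <div class="bio">Just a person.</div>
  <div class="timeline"><div class="tweet retweet">RT @attacker:
    <a href="https://mastodon.social/@ineffyble?rel=me">mastodon.social/@ineffyble</a>
  </div></div></body></html>
HTML

# rel="me" only verifies the page the owner edited; the query-parameter
# scheme also "verifies" the attacker's profile against the victim's timeline.
def run_rel_me_demo
  {
    owner_rel_me:  verified_by_rel_me?(OWNER_PAGE, 'https://glasgow.social/@treybastian'),
    victim_rel_me: verified_by_rel_me?(VICTIM_PROFILE_PAGE, 'https://mastodon.social/@ineffyble'),
    victim_query:  verified_by_query_param?(VICTIM_PROFILE_PAGE, 'https://mastodon.social/@ineffyble'),
  }
end

puts run_rel_me_demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it prints a hash in which only the query-parameter variant reports the victim's profile as a valid back-link for the attacker's account. Note that the proposed approval step does not change this result: the approval is given by the Mastodon user adding the link, and in this scenario that user is the attacker. Both checks operate on raw HTML, which matches what the thread says Mastodon does; a page whose bio is filled in by JavaScript after load gives neither check anything to find.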
For what it is worth, I took a look at Twitter (#19584). For a logged-out browser (which is what the Mastodon server doing the verification is) there is no apparent way to get to the bio of the user without doing multiple requests to get guest tokens, at which point it seemed like it was something that they don't want you to do.
I'm curious where you are seeing that behaviour. I opened Twitter in incognito on my own profile and the bio showed up without any other interaction. If a headless browser is in fact what's being used here then the fact that multiple requests exist to render the page shouldn't matter.
A headless browser is not being used here, it's just a normal web/HTTP request with HTML parsing.
For what it is worth, I took a look at Twitter (#19584). For a logged-out browser (which is what the Mastodon server doing the verification is) there is no apparent way to get to the bio of the user without doing multiple requests to get guest tokens, at which point it seemed like it was something that they don't want you to do.
I'm curious where you are seeing that behaviour. I opened Twitter in incognito on my own profile and the bio showed up without any other interaction. If a headless browser is in fact what's being used here then the fact that multiple requests exist to render the page shouldn't matter.
Look on the network tab, and figure out how you would do it from the command line with curl. Your browser gets the page with very little data, then gets some tokens and does a further call to the GraphQL API to get some JSON with the actual bio data in it, then it fills out the page. The request for verification happens on the Mastodon server; there is no headless browser parsing the page and executing JavaScript, it is just HTTP requests.
Got it, I misread a previous comment about browser automation.
I'd say, to start, Twitter isn't the only website where this has an effect, though a great point is that websites that don't render without JS will not work with this method.
I agree that an OAuth connection of some sort is probably better but there's definitely challenges there also as we saw in #19584
I think this is a valid problem to brainstorm on further though. Thoughts of an open protocol (OpenVerify or something) come to mind here, but barring that I'm going to think about this a bit more as the only real challenge with this proposal is SPAs.
I would make a case for doing something special in some circumstances, where there is a body of work to link to. So, for something like orcid.org, which is where people can have a profile that collates academic papers they have authored, the page is assembled post-load and doesn't work for verification, but we could get orcid.org/profileid/public-record.json and read the JSON representation of the biographical data that only the profile owner can control, including the link back to Mastodon. This could be done for websites with completely different types of bodies of work, like Strava or Etsy.
Related to https://github.com/mastodon/mastodon/issues/20030 (which is for cases where the user controls a domain name but not the markup of the site hosted on it)
(continuing discussion from duplicate)
If people were given the option of adding a code to the end of their name on the page they want to verify (such as an Instagram account), this would appear in that page's title and verification could look for it there.
Is there any scenario where this could be hijacked or misused?
@FediVideos Yes, many. For example, if I link to https://google.com/search?query=VERIFY_CODE then I could get a verified checkmark for "https://google.com/search", when obviously I don't own Google.
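The title-code scheme and the hijack described in the reply above, as an added example written for this thread rather than code from Mastodon or the commenters: the check looks for the code in the fetched page's <title>, and a constructed stand-in for a search results page reflects its query string into the title, so a URL the claimant does not own passes. The page markup, the verification code and the function names are assumptions; that a given real search engine reflects the query into the title is also assumed here, not fetched.

```ruby
# Added example, not Mastodon's code: the "code in the page title" scheme
# and why a page that reflects its query string into <title> defeats it.

def page_title(html)
  m = html.match(%r{<title[^>]*>(.*?)</title>}im)
  m && m[1].strip
end

# The proposed check: the verification code must appear in the page title.
def verified_by_title_code?(fetched_html, code)
  title = page_title(fetched_html)
  !title.nil? && title.include?(code)
end

CODE = 'mstdn-7f3a9c' # constructed verification code

# Constructed profile page: the user appended the code to their display name.
PROFILE_PAGE = "<html><head><title>alice (#{CODE}) on ExampleGram</title></head><body></body></html>"

# Constructed stand-in for a search results page. The server HTML-escapes the
# query (so this is not injection) but still echoes it into the title, which is
# all the scheme needs to see.
def render_search_page(query)
  escaped = query.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
  "<html><head><title>#{escaped} - Search</title></head><body>No results.</body></html>"
end

# Both "verify": the profile the user controls, and a search URL for a site
# the user does not own, fetched with the code in its query string.
def run_title_demo
  search_url = "https://google.com/search?query=#{CODE}"
  {
    profile:    verified_by_title_code?(PROFILE_PAGE, CODE),
    search:     verified_by_title_code?(render_search_page(CODE), CODE),
    search_url: search_url,
  }
end

puts run_title_demo.inspect if $PROGRAM_NAME == __FILE__
```

The second result is the problem the reply points out: any endpoint that reflects attacker-chosen input into its title, including one with escaping and no injection, satisfies the check, so the scheme proves control of a query string rather than of the page.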
Closing this in favor of https://github.com/mastodon/mastodon/issues/20030 to capture the potentially-actionable part of this feature request.