Funnily enough seems everyone is coming at this from the wrong angle personally. I don’t give af who I’m talking to sure, and I can confirm the instance if I must by clicking into their profile.
That said, I more so care about someone pretending to be me in an active thread. Like an active discussion or argument and someone decides to recreate your user on a different instanceand start inserting comments that confuse the discussion.
Or maybe you’ve stopped commenting, then someone else continues the conversation unbeknownst to you in your name.
i think this could be resolved by assigning a color to each user based on a hash. maybe people would try to find collisions there (i.e. specifically find usernames that get the same color as you), but if you do something like color_index = hmac(user_address, client_nonce) % color_count where client_nonce is unique to each client, it would be impossible to manipulate usernames to get a collision or even a higher chance at it.
yeah, the point is that if hyazinthe@feddit.de hashes to, say, blue, they can try to find a similar-looking username that also hashes to blue, therefore helping with the impersonation. if you hash a client nonce that’s different for everyone, you may hash to blue on my screen but green on yours, and there will be no relation between who hashes to which color on your screen or mine. the impersonator will have no way to guess if their name would match colors on either of our screens, and if we have, say, 25, colors, it will be a static 4% chance no matter what they do.
Ah, I understand. But couldn’t you just implement the unpredictable colors, you are trying to achive client-side, without hashing, say random order of colors?
Funnily enough seems everyone is coming at this from the wrong angle personally. I don’t give af who I’m talking to sure, and I can confirm the instance if I must by clicking into their profile.
That said, I more so care about someone pretending to be me in an active thread. Like an active discussion or argument and someone decides to recreate your user on a different instanceand start inserting comments that confuse the discussion.
Or maybe you’ve stopped commenting, then someone else continues the conversation unbeknownst to you in your name.
you’re right, it’s a security issue!
client UIs must make it easy to keep track of who is who.
i think this could be resolved by assigning a color to each user based on a hash. maybe people would try to find collisions there (i.e. specifically find usernames that get the same color as you), but if you do something like
color_index = hmac(user_address, client_nonce) % color_count
whereclient_nonce
is unique to each client, it would be impossible to manipulate usernames to get a collision or even a higher chance at it.The full user adress should suffice for the hash, because there is only one hyacinth@feddit.de, for example.
Also, do you really need a hash? Isn’t there a simpler alternative, developing an app?
yeah, the point is that if
hyazinthe@feddit.de
hashes to, say, blue, they can try to find a similar-looking username that also hashes to blue, therefore helping with the impersonation. if you hash a client nonce that’s different for everyone, you may hash to blue on my screen but green on yours, and there will be no relation between who hashes to which color on your screen or mine. the impersonator will have no way to guess if their name would match colors on either of our screens, and if we have, say, 25, colors, it will be a static 4% chance no matter what they do.Ah, I understand. But couldn’t you just implement the unpredictable colors, you are trying to achive client-side, without hashing, say random order of colors?
Why would anyone do that?
https://www.youtube.com/watch?v=YWdD206eSv0