- cross-posted to:
- fediverse@lemmy.world
I just saw this on Reddit yesterday and now I’m here again.
Using phtn.app and Voyager.
I love Lemmy and Voyager and the Fediverse. That said, if it were to become mainstream I foresee some problems. The fact that the login relies on only passwords is pretty terrible. Also, this makes the service vulnerable to bots, sock puppet accounts, brigading, etc.
Lemmy supports 2FA lol.
(At least on the web UI it does)
What would you propose replace passwords to not be susceptible to those things?
I personally like how secure and non-intrusive passwords are, especially when using a self-hosted password manager synced with git.
Passkeys are much better. Unlike what FAANG companies want you to believe, they do not have to be tied to a device. Use a password manager that supports them (BitWarden) and pretty much never get hacked again because of a password. Website doesn’t need to store anything that an attacker can use. No downside.
Any recommended reading for pass keys to get me up to speed? I use Bitwarden and have been happy enough with just passwords via that for a long time now. Only time I’ve seen pass keys mentioned really was Google trying to push it on me but I don’t use their password manager.
A passkey is a public/private key pair used instead of a password. You store the private key, and the website stores the public key. Data encrypted with the public key can only be decrypted by the private key, and vice-versa.
This means you can share the public key freely with the website, and even if they get hacked and the public keys are stolen, they’re useless.
When you log in, they send you a challenge encrypted with the public key, and since you hold the private key, you can decrypt it, create a response to it, re-encrypt it with the private key, and send the response to the website, which then decrypts it with the public key to verify it.
The initial spec was that each device would have its own passkey and store it in a TPM (that thing Microsoft requires your computer to have for Windows 11), which is a secure memory storage location that only the kernel can access.
However BitWarden is also able to store them and make them portable. (I think the standard was loosened to allow for this? But don’t quote me on that.) So, now you can have one passkey for the site and it works anywhere you can use BitWarden’s browser extension.
TLDR: more secure than a password, nothing to forget, stops passwords being stolen.
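An added example, not code from the comment above nor from Lemmy or Bitwarden, of the FIDO2/WebAuthn "get assertion" step that a passkey login performs, written in Go with only the standard library. It shows what each side holds and checks: the website (relying party) stores only the public key plus the random challenge it issued; the authenticator (TPM, security key, or password manager) signs the challenge together with the origin and the hash of the RP ID using the private key; the website verifies that signature with the stored public key, consumes the challenge so a captured assertion cannot be replayed, and checks that the signature counter advanced. The RP ID `lemmy.example`, the origin and the credential ID are hypothetical and everything runs offline in one process.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party: both values are constructed for this example.
const (
	rpID   = "lemmy.example"
	origin = "https://lemmy.example"
)

// Authenticator holds the private key; it never leaves this struct.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty (the website) keeps public keys, the last signature counter seen
// per credential, and challenges it has issued but not yet consumed.
type RelyingParty struct {
	pubKeys  map[string]*ecdsa.PublicKey
	counters map[string]uint32
	pending  map[string]struct{}
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}, pending: map[string]struct{}{}}
}

// Register generates a P-256 key pair on the authenticator and gives the RP only the public half.
func Register(rp *RelyingParty, credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[credID] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// BeginLogin issues a fresh 32-byte random challenge, valid for exactly one use.
func (rp *RelyingParty) BeginLogin() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[ch] = struct{}{}
	return ch, nil
}

// clientData mirrors the WebAuthn clientDataJSON fields that matter for verification.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the client's answer to the challenge.
type Assertion struct {
	CredID         string
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash (32) || flags (1) || signCount (4, big endian)
	Signature      []byte // DER-encoded ECDSA signature
}

// Sign produces an assertion. The signature covers authData || SHA-256(clientDataJSON),
// so challenge, origin and RP ID are all bound into it; nothing is "encrypted".
func (a *Authenticator) Sign(credID, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append([]byte{}, rpHash[:]...)
	authData = append(authData, 0x01) // UP flag: user presence confirmed
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.counter)
	authData = append(authData, cnt[:]...)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: credID, ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// FinishLogin runs the relying-party checks in the order the WebAuthn spec lists them.
func (rp *RelyingParty) FinishLogin(as Assertion) error {
	pub, ok := rp.pubKeys[as.CredID]
	if !ok {
		return errors.New("unknown credential")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return errors.New("wrong ceremony type or origin")
	}
	if _, ok := rp.pending[cd.Challenge]; !ok {
		return errors.New("challenge unknown or already used")
	}
	delete(rp.pending, cd.Challenge) // consume: a replayed assertion fails on the line above
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("authenticator data malformed or RP ID mismatch")
	}
	count, stored := binary.BigEndian.Uint32(as.AuthData[33:37]), rp.counters[as.CredID]
	if (count != 0 || stored != 0) && count <= stored { // spec: skip only when both are zero
		return errors.New("signature counter did not advance (cloned authenticator?)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	rp.counters[as.CredID] = count
	return nil
}

func main() {
	rp := NewRelyingParty()
	auth, _ := Register(rp, "cred-1")
	ch, _ := rp.BeginLogin()
	as, _ := auth.Sign("cred-1", ch)
	fmt.Println("first login:", rp.FinishLogin(as))
	fmt.Println("replay:     ", rp.FinishLogin(as))
}
```

Running it prints `<nil>` for the first login and a "challenge unknown or already used" error for the replay. A database dump of `RelyingParty` yields public keys and stale challenges only, which is the property the comment above is getting at; the counter check is the spec's defence against a cloned private key, and many synced passkey providers report a counter of 0, which is why both-zero is tolerated.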
2FA support would be better
Lemmy does support 2fa
Oh. Never mind then. I think this should be enough. Maybe OpenID Connect support would be nice.
It is hard to do well, which is why I worry. Google probably has the best overall account security; you could do worse than modeling after them.
The short answer to your question is Passkeys. But you need a whole system of account recovery around them.
Oh, you can easily bypass passkeys with automation. Don’t even need an image recognition model, just a QR-code scanner like `zbarimg`. But I never tried Google’s passkey feature since it never seemed as secure as a 48-char computer-generated password. So I’m not sure exactly how it works.
Go read the FIDO threat model if you want to understand how it protects against specific attacks. It is pretty secure.
https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html
That’s a pretty wild claim. It almost sounds like you don’t know what a passkey is. Explain.
Oh I don’t know what it is, sorry I thought I made that clear. But a quick search on the internet said it was basically 2fa with a qr code and since the issue was how it would protect Lemmy from bots I just thought it wouldn’t be hard for a bot to read a qr code.
Bruh that’s gotta be one of the worst trains of thought I’ve seen recently ngl. I don’t even know how passkeys work and I know that. Based on your understanding, you could log into someone’s account just by reading a QR code. Which of these is more likely:
- The entire cybersecurity community mysteriously and completely forgot that machines can read QR codes (which is, by the way, literally the entire purpose of a QR code)
- You don’t understand how passkeys work
How arrogant do you have to be?
Well again, the claim was that somehow passkeys would stop Lemmy from being flooded by bots.
So in that situation, we aren’t talking about hacking. We are simply talking about whether a login could be triggered programmatically. So if Lemmy required passkeys to be used instead of passwords, and if the passkeys required scanning a QR code to sign in, I imagine it would provide minimal disruption to an automated login.
Now if the passkeys somehow enforced a real human to do something that only a human could do, then yes it would stop an automated registration/login. However if it’s possible to automate then it wouldn’t stop bots.
The problem is that it’s “too complicated“ by presenting choices before knowing what they mean. It’s a decision tree without knowing the outcomes.
I’m new to Lemmy and it wasn’t as easy to sign up and use as Reddit or other social networks.
First I had to choose a server. To do that I had to learn the consequences of choosing a server. Once I decided, .ml had a sign-up process where I had to be approved.
Then I wanted to choose a community, I think it’s called, and found there were multiple communities with the same name. Once again I had to make a choice without knowing the difference.
It all reminded me of the Paradox of Choice TED talk, https://www.ted.com/talks/barry_schwartz_the_paradox_of_choice .
Finally I had to choose an app, as there is no official one. Now I’m in Mlem, but I don’t know if it’s better or worse than the others.
Choice is great, but for easier onboarding a first stop for server and app would be great. Like a browser: you’re given one when you start, and if you want better, and you’re ready to look for one, you can go looking.
If you choose the app first, and you choose Voyager, everything else - browsing, creating an account - is intuitive and just works.
Even though it’s first on the list when searching on the iOS Appstore I didn’t choose it because the icon looks… well stupid.
Yeah, don’t choose that one; just sign up on desktop and use Jerboa. Ngl, the reason techbros win is most normies do not want agency; they want to turn their brain off and scroll whatever the algorithm serves up as they do.
Technology Connections made a good video on this recently but I fear his plea will fall on deaf ears.
Just like this article, no one’s actually denying anyone the fediverse, we are literally right here.
For the uninitiated it’s basically a 1:1 clone of Apollo for Reddit. Hell, even the app’s name is derivative!
That said it’s still one of the best Lemmy apps for iOS and is a testament to Christian Selig’s original vision.
There is an issue open on Lemmy’s github about merging communities of the same name together in the ui by an “all” button, but sadly it’s been inactive for a year: #1113
I wonder how moderating would work in a merged community, would mods not from instance X only be able to hide a post from that instance from the merged community, or would they have power to remove a post from another instance? I’d imagine that is one of the hiccups of a feature like this, it is a shame it has been collecting dust though
Edit: re-read the issue, now I understand it would be more of a multi Reddit than a merged community, so mods would only have the power for their own instance/community it sounds like
That’s more a feature for a client app.
I mean, people do use the Web UI.
There’s more than one web UI.
I’m not in a rush to endorse client apps adding large, experience changing features. That will radically alter the way different users interact with the service, they might need two apps to get all the features they want, etc
Sounds like a good way to make things even MORE confusing for new users.
I’ve been on Lemmy for a while and still find the duplicate named communities on different instances confusing. The number of users only somewhat. There are lots of communities still listed from dead instances like feddit.de.
Unique names for communities would be helpful and also support moving a community to a new instance.
Community names are unique if you account for the instance name.
This is a bit confusing as usernames follow a similar, email-address-like format.
I would enjoy there being just one community for a given topic that spans all instances, and moderators can either take actions that are instance specific or “global” (happen everywhere) but again that can get complicated fast. Who gets that global power? What if there are disagreements? Can an instance revoke a global action for just their instance? How much extra work does that create? How do instances handle backend storage for stuff like that (do you want CP deleted globally? I’d imagine so because it’s illegal to store it. Who decides to block an instance out of a community for posting offensive/illegal content; and how do you prevent all that from being abused for non-offensive content that instance mods find disagreeable?)
Finally I had to choose an app, as there is no official one
It’s called Jerboa and it’s one of the worst ones, but it does exist.
Jerboa
What makes it official? I didn’t come across it when I was searching for an app. I finally see why all the other apps use a rat as their logo.
What’s the issue with Jerboa? It’s like Relay; it’s probably the best one out there.
Anyone want to clue him in on who runs .ml? I feel like it’s going to break his heart. But also, I kinda feel like he should know…
Please tell us! I personally have no idea
There’s some accusations of bias / pro CCP moderation on .ml
There’s some stuff about it here: https://news.ycombinator.com/item?id=36255366
But I haven’t directly experienced any of this myself so I can’t speak to the truth of it. Idk.
The ml stands for Marxism-Leninism. They are tankies.
.ml is the Internet country code top-level domain (ccTLD) for Mali.
Well, the folks over at .ml aren’t from Mali and don’t host their server there.
This is completely untrue and I don’t know why people keep repeating this.
Lemmy.ml used to be the biggest instance and absolutely full of pro-Russia people and shit (Lemmy was in general; lemmygrad was the second biggest instance behind ml), so it wouldn’t surprise me.
Because people with the @lemmy.ml tag are constantly saying the dumbest tankie shit ever.
When I see someone say Ukraine in 2014 was a CIA backed coup against the democratically elected pro russian government - it comes from that server, every time
The lead developers of Lemmy. They also develop the mobile Lemmy app Jerboa (personally, not my first choice).
What’s wrong with Jerboa? Probably the only app I’d use for Lemmy.
On the other hand, there is something to be said for having a small test before joining. I remember Usenet before and after it became accessible to AOL users.
Finally I had to choose an app, as there is no official one. Now I’m in Mlem, but I don’t know if it’s better or worse than the others.
I’m just here from Reddit after the Boost app finally stopped working. So now I’m running “Boost for Lemmy”, would definitely recommend it. It was one of the best 3rd party Reddit clients.
I did always think that a shared (somehow) login would be great; but how do you federate that? Do you? What if the original server goes down? How does moderation work?
It gets really complicated really fast.
I registered using Mlem and it was way better than trying to do it via the Web. An onboarding like that would be much better than the current process.
As someone new here, what do you think would have really helped you without changing the fundamental principles of the fediverse? Like a website with clear information, or something else?
The problem is information: there is simply too much. I decided to join a social network other than Reddit. From that to posting on Lemmy should be a one-step process: 1 signup page, 1 app recommendation.
Really I should have just written Lemmy.com instead of being distracted by the whole concept of the fediverse and looking into it before signing up.
I really like how Voyager does the onboarding; maybe we should promote going through that.
I think we need simple, non technical content that gets people who haven’t used the fediverse stoked to find out more and try to get involved. That’s what I’m trying to do with articles like this - add momentum and tap into a big potential audience who are primed for this. But I also do want to put together a Getting Started landing page that helps people kick off.
I really do think we need to get people pumped enough to want to be educated about it all.
This article was great! Thank you so much for writing it.
Any thoughts on
I haven’t really used it since I wanted to populate my Mastodon timeline. Now it’s happening a little bit more naturally, through boosts and hashtags.
What’s Mlem? Can’t find it on the Play Store. I’m using Sync which is pretty good…
probably because it’s an iOS app
Lost futures we finally created.