this post was submitted on 19 Jun 2023
24 points (100.0% liked)

Technology

58458 readers
4586 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s
[email protected]
[email protected]
[email protected]
enu
[email protected]
L4s
24
Would digital signatures be a useful feature in lemmy? (lemm.ee)
submitted 1 year ago by [email protected] to c/technology
13 comments fedilink hide all child comments
 

One of the things I'm cautious about when it comes to lemmy (and mastodon) is how easy it can be to lose control of your account.

For example, a server could shut down unexpectedly making hundreds of people lose their accounts. Or, a malicious administrator could take over a popular account to post scams or propaganda. I am not aware of these things having happened, but I don't think they're too far fetched.

Self-hosting a lemmy server solves some of these problems, but that takes a bit of time, effort and money.

I was thinking about email encryption, specifically the digital signature part. Could something like that be used in lemmy? So that if someone decides to "trust" me, they will be able to trust that it's me no matter which account I post from. They would be able to spot an impostor who had gained access to my account.

What do you think?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 0 points 1 year ago (1 children)

That's a good point, about browsers. I still think it's a worthwhile feature to think about.

I guess what it boils down to is that I think server admins should be able to control how users access their server but that each user should in some way own their account.

[โ€“] [email protected] 1 points 1 year ago

I agree that everyone should own their account, but I don't think there is a feasible way of defending against server admins.

This would be like trying to defend against your hardware manufacturer or against Microsoft on a Windows PC.

And even if the signing is somehow safely implemented, you run into an entirely different set of problems.

Who checks the certificate? All federated instance servers? Then how do they verify that they can trust that certificate? You can't set a certificate in the user profile, since this can be overwritten by admins.

You could have an external service that links certificates and user accounts, but now you need to trust those admins, too.

Should users check it themselves? Do you really care, if this comment and the previous one were both written by the same person? Of course, if you and I both know each other, we could exchange certificates and verify them manually. But at that point I might as well give you my E-Mail, Discord, different instance Username, Facebook profile, whatever and I can simply tell you that the admins of my instance started acting malicious.

Think about it this way: If you don't trust you E-Mail Provider, why would you sign up on that server? You're trusting the admins there too, and E-Mail content is a lot more sensitive than a few public messages.