Asklemmy

43995 readers

1339 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
[email protected]: a community for finding communities

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago

MODERATORS

[email protected]

Can you steal a user's identity if you gain their old domain name? (self.asklemmy)

submitted 1 year ago by maggoats to c/[email protected]

28 comments fedilink hide all child comments

Just a random thought experiment. Let's say I have my account on a lemmy instance: [email protected]. One day I decide to stop paying for the domain and move to [email protected], and someone else gains it and also starts up a lemmy instance.

If they make their own [email protected], how do federated instances distinguish who's who?

Have I misunderstood the role of domain names in this?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

I imagine it works exactly like email where it is possible to inherit someone else's expired domains.

Checking out the relevant specifications: ActivityPub and WebFinger

Both of them identify users by URL, there is no numeric ID, UUID, or public key.
Using IDs or UUIDs would not be secure since the imposter could just copy the ID from the previous user as well as the username and domain name.
Verifying identity would necessitate the user having a public key as their unique identifier, and federated servers performing a challenge-response that requires the user to have the corresponding private key for that public key.

In conclusion, it certainly seems like you could take over someone else's domain name, and I suspect that public key cryptography is the only way to avoid this.

(edited to add: expired domains aren't the only attack surface here, domain takeover is also a thing, either by transferring the domain or simply changing the DNS records.)