this post was submitted on 05 Jul 2023

20 points (100.0% liked)

Asklemmy

1454 readers

76 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago

MODERATORS

Is impersonation a possible problem in the fediverse? (programming.dev)

submitted 1 year ago by ICastFist@programming.dev to c/asklemmy@lemmy.ml

14 comments fedilink hide all child comments

I mean, pretending to be someone in another instance, "stealing" the username, is trivial. I see the more likely targets being instance admins or high profile users. Should we worry somewhat about this?

top 13 comments

sorted by: hot top controversial new old

[–] sim642@lemm.ee 14 points 1 year ago (2 children)

That's why instance is part of the username. It's no different than email addresses.

[–] director@some.institute 5 points 1 year ago

Confusing similar domain names are a common thing with email. Micr0soft.com vs Microsoft.com. Same idea could be done with instances.

[–] skomposzczet@vlemmy.net 2 points 1 year ago

His concern is probably that in comments etc. only username is displayed. You have to go to person's profile to discover their instance.

[–] lvxferre@lemmy.ml 5 points 1 year ago* (last edited 1 year ago) (1 children)

It's a bit of a problem, indeed. Check my current display name as an example - I'm writing from a lemmy.ml account, but the display name impersonates another account in another instance (beehaw.org). Granted, both accs are owned by the same user, but nothing prevents me from doing it towards someone else's account.

Based on that, I think that:

the Lemmy software should not allow you to use "@" as part of your display name. Ever.
clients should always show which instance you're from, even with a display name. (A simple icon would be fine, as long as instance admins set up unique and identifiable instance icons.)
two accounts in the same instance should never be allowed to use the same display name.

And for us, users: never rely on the display name. If the identity of someone is contextually relevant, always check the actual username, not the display name.

[–] skomposzczet@vlemmy.net 4 points 1 year ago

Twitter implementation seems good enough. Big display name with smaller unique handle below. Might be a bit bloat, but solves the problem.

[–] BlackEco@lemmy.blackeco.com 5 points 1 year ago* (last edited 1 year ago)

Some other projects in the fediverse have a verification mechanism in place.

I personally like Mastodon's: if you add on your profile a link to a webpage that itself links to your profile, Mastodon will show a green checkmark next to the link: https://joinmastodon.org/verification

So you can verify your profile by linking to a webpage you own or testifies your account's authenticity (ie. your blog, your author page of the publication your write for, etc.)

Hopefully other projects (including Lemmy) will take inspiration from this process to limit impersonations.

[–] n2burns@lemmy.ca 2 points 1 year ago (3 children)

To me, this just seems like a variation of the age-old issue of online impersonation. In the early days of social media, there were people squatting on famous people's name/registering variations.

On my instance, admins are tagged as such which seems like a good solution. I wouldn't be surprised if we start seeing verification like on Mastodon, though I couldn't find any issues for this on their github.

load more comments (3 replies)

[–] hsl@wayfarershaven.eu 1 points 1 year ago

This was discussed deeply a few days back.

[–] Granixo@feddit.cl 0 points 1 year ago (2 children)

It's something we should be worried about everywhere we go online.

So try having at least 3 different passwords for personal accounts/websites and also contact moderators or support if you suspect your account has been compromised.

[–] Vlyn@lemmy.ml 3 points 1 year ago

So try having at least 3 different passwords for personal accounts/websites

That's an awful take. Grab a password manager and have a random password for every single account of yours. That way all you have to do is remember a single strong password and that's it. Instead of playing Russian roulette when one service you use gets hacked and someone gets a hold of your username / email and one of your 3 different passwords..

[–] n2burns@lemmy.ca 0 points 1 year ago (1 children)

So try having at least 3 different passwords for personal accounts/websites

That's terrible advice when password managers are a thing. Also, this is about impersonation, not credential theft.

[–] Granixo@feddit.cl 0 points 1 year ago

Not everyone has access/knows how to use a password manager.

load more comments