closewith 5 days ago

So you have read that page and understand its purpose is to link social media profiles for informational purposes, but don't understand that it's not suitable for any kind of auth, let alone in a software supply chain?

Ukv 5 days ago | parent [-]

By the XFN spec, it "demonstrates that the same person has control over [the pages]". The docs page I linked links to two further specs for using it for authentication in the way that Mastodon does.
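The back-link check being discussed, as an added example that is not part of this thread and not Mastodon's own code: it parses a page's HTML, collects every `<a>`/`<link>` whose `rel` token list contains `me`, and reports whether one of them points at the exact profile URL. The sample pages and the profile URL are constructed for the example; the result only says that whoever controls the page chose to link that profile, which is the scope of the signal the spec describes.

```python
"""Minimal rel="me" back-link verifier (added example; sample data constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed profile URL and pages used by the example below.
PROFILE = "https://mastodon.example/@alice"

PAGE_OK = """<html><head><title>alice's site</title></head>
<body><p>Elsewhere: <a rel="me nofollow" href="HTTPS://Mastodon.example/@alice#top">fedi</a></p>
</body></html>"""

PAGE_NO_REL = """<html><body>
<p><a href="https://mastodon.example/@alice">fedi</a></p>
</body></html>"""

PAGE_OTHER = """<html><head>
<link rel="me" href="https://mastodon.example/@mallory">
</head><body></body></html>"""


def normalize(url: str) -> str:
    """Lower-case scheme and host, default an empty path to '/', drop the fragment.
    Comparison is otherwise exact: no prefix matching, no host aliasing."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class RelMeCollector(HTMLParser):
    """Collects href values of <a>/<link> elements whose rel list contains 'me'."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").split()  # rel is a space-separated token list
        href = attr.get("href")
        if "me" in rel_tokens and href:
            self.links.append(href)


def rel_me_links(html: str) -> list[str]:
    """Return every rel="me" href found on the page, in document order."""
    collector = RelMeCollector()
    collector.feed(html)
    return collector.links


def verifies(page_html: str, profile_url: str) -> bool:
    """True only if the page contains a rel="me" link whose href is the profile URL."""
    target = normalize(profile_url)
    return any(normalize(h) == target for h in rel_me_links(page_html))


if __name__ == "__main__":
    for name, page in (("PAGE_OK", PAGE_OK), ("PAGE_NO_REL", PAGE_NO_REL), ("PAGE_OTHER", PAGE_OTHER)):
        print(f"{name}: rel=me links={rel_me_links(page)} verifies={verifies(page, PROFILE)}")
```

A plain link without `rel="me"` (PAGE_NO_REL) does not count, and a `rel="me"` pointing at a different account (PAGE_OTHER) does not count either; only an explicit, exactly matching back-link passes. A real deployment would fetch the page over HTTPS and bound redirects and page size, but the decision logic is the same.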

closewith 5 days ago | parent [-]

I'm sorry. The XHTML Friends Network rel tag is neither reliable identification nor authentication. It's designed to say "this is my blog" in low stakes environments.

No sane sober person would use it to authenticate messages about changing URLs in a software supply chain.

nickv 5 days ago | parent | next [-]

No, if somebody has access to edit your home page directly, your blog, your company site, etc - you've already lost the game.

How is this any different than your email address being compromised? How is this different than having your laptop compromised and somebody downloading your .ssh folder?

The issue here isn't "is this reliable identification" - because it IS reliable. Your concern is "how likely is this to be compromised vs other things" and that's a fair concern - but there are plenty of very secure web sites out there. This isn't saying "I am john doe and this is my identity", this is saying with some confidence "this person on Mastodon is the same person as the person who wrote this web site copy" and that's a totally fine piece of identification for the right context.

Ukv 5 days ago | parent | prev [-]

If an attacker has control over the page to edit arbitrary HTML, that chain is already compromised. Even if the attacker's exploit only allowed certain attributes, just the href and rel attributes needed for this protocol would already be enough to execute JavaScript and load stylesheets on that page.

This is in addition to the original site linking to the new one with a news post. Does that also mean nothing because an attacker could add a news post to the page?