| ▲ | theamk 4 hours ago | |||||||
Is author new at the whole web thing? Yes, people trust remote web servers. Yes, if you link multiple apps to an identity server (be it atproto, google, or self-hosted OpenID server), and your identity server is compromised, attacker will be able to impersonate you or lock you out. This is just how the web works, and there is no easy around it without losing features people care about. Sure, you can do client-side encryption and pretend serve can't see the plaintext, but it's just a theatre, see Hushmail incident for example. And having people export uber-key by default is pretty terrible idea. Sure, allow advanced users (like post author) to do it. But for the common person, the exported key is just another way to get account compromised, via malware or backup provider hacking. Or if they are not backing up stuff, then the key will get lost next time they upgrade. | ||||||||
| ▲ | tarpitt 3 hours ago | parent | next [-] | |||||||
Are you new to the whole p2p thing? This is a terrible standard to hold new technology to. The web is broken. | ||||||||
| ▲ | Aurornis 4 hours ago | parent | prev | next [-] | |||||||
> Sure, you can do client-side encryption and pretend serve can't see the plaintext, but it's just a theatre, Keeping a private keep on the client to sign your activity is a fundamental cryptography practice. If you use a private key to sign your emails or git commits, it’s not security theater. If you were to have to upload your private key to GitHub or your email provider, that would be severity theater. > Is author new at the whole web thing? Unnecessarily mean comment. | ||||||||
| ▲ | logifail 4 hours ago | parent | prev [-] | |||||||
> This is just how the web works, and there is no easy around it without losing features people care about [...] Well, apart from using a separate email address for every single "provider"? (Spoiler: there's no way I'm going to sign into your service with a shared email ... you get <youservice>@<me>.com) | ||||||||
| ||||||||