Just a random thought experiment. Let’s say I have my account on a lemmy instance: userA@mylemmy.com. One day I decide to stop paying for the domain and move to userA@mynewlemmy.com, and someone else gains it and also starts up a lemmy instance.

If they make their own userA@mylemmy.com, how do federated instances distinguish who’s who?

Have I misunderstood the role of domain names in this?

  • heartlessevil@lemmy.oneEnglish
    1·
    1 year ago

    I imagine it works exactly like email where it is possible to inherit someone else’s expired domains.

    Checking out the relevant specifications: ActivityPub and WebFinger

    • Both of them identify users by URL, there is no numeric ID, UUID, or public key.
    • Using IDs or UUIDs would not be secure since the imposter could just copy the ID from the previous user as well as the username and domain name.
    • Verifying identity would necessitate the user having a public key as their unique identifier, and federated servers performing a challenge-response that requires the user to have the corresponding private key for that public key.

    In conclusion, it certainly seems like you could take over someone else’s domain name, and I suspect that public key cryptography is the only way to avoid this.

    (edited to add: expired domains aren’t the only attack surface here, domain takeover is also a thing, either by transferring the domain or simply changing the DNS records.)