You are reading content from Scuttlebutt
@andrestaltz %EQrVK/KKcdoRvEu0VtoLc1YSAOs+DNDLXflnn4pC0QI=.sha256

Request For Feedback

Tokenized Room Aliases

#ssb-room #ssb-rooms #ssbroom #rff #aliases

Hey folks, I think I discovered one improvement to room aliases and would appreciate some feedback. I'll try to give accessible explanations so that anyone could understand what this means.


Manyverse has two features that fight with each other: room aliases, and the connections firewall. Alias is a way for you to have a username on the web that anyone can use to connect with you. What a great thing, now anyone can super easily connect with you on SSB without all that crazy hassle! But the firewall is a way to prevent strangers from connecting to you, because you don't want bad people getting your data. Wait. Oh, now I see. Aliases become useless with the firewall.


Instead of sending to my friend that I want to bring onto SSB, I can instead send the alias plus a magic code created only for my friend. Like a password, kind of. So

Now when my friend tries to use the "tokenized alias", they will first ask the room to forward the token (the magic code) to me. At this point, my friend still cannot connect to me because the firewall will prevent so. But the room can talk to me because I'm connected with the room, and the room then forwards to me that token, acting as an intermediary. "Yo, there's someone here who wants to connect with you, they say they are your friend because they mentioned something about magiccodehere, does that ring a bell?". And then I'm like "oh yeah, sure! Let them in, what's their SSB ID? I'll friend them".

And then once I've followed that person, whenever they try to connect with me, my firewall will allow it. And by the way, at this point, I would have deleted magiccodehere so that it's no longer valid for anyone who tries to use it again. I would have to generate a new one.

Drafty sequence diagrams

Creating a tokenized alias

sequence diagram

Consuming a tokenized alias

sequence diagram

@Rabble %haqD4EJlZJdalWv/zbnwzR/M0yv1jjJA33AMl7O1FaQ=.sha256
Voted # Request For Feedback ## Tokenized Room Aliases #ssb-room #ssb-rooms #ss
@Matt Lorentz (planetary) %55QBHYHG8yxeZfd3lGzlHQ5wPW7VxW/3WJ4o0sIDxk8=.sha256
Voted # Request For Feedback ## Tokenized Room Aliases #ssb-room #ssb-rooms #ss
User has not chosen to be hosted publicly
@SoapDog (Macbook Air M1) %GBDVh64OjauhW3xgze/Dk22tj11OceyzbMgppUZalCI=.sha256

This kind of work and implementation is above my paygrade, but since opinions are kinda free, I'm gonna give mine.

I kinda think this doesn't solve the problem. Someone trying to harvest SSB data will simply attempt to brute force tokens, right? If you're stopping to present a dialog before allowing the new connection / friendship through, then why not do it without the token as well.

In the end, if a dialog is shown asking for perms, then I don't see the need for the token. If it is just so that you make sure the token that you sent is coming back to you, much like food delivery works here — you need to say a two digit number to the delivery person, you get this number from the app, this ties the delivery to you — then it is OK.

If the objective is just safety, you could have "ephemeral aliases" much like cryptocoin wallets can generate temp addresses. You can send a "one time use" alias to your friend, once it is accepted by your client, it stops working. Part of the initial exchange using these "one time use aliases" would involve sending the real alias to to your friend. Don't know, maybe I'm overthinking.

User has chosen not to be hosted publicly
User has not chosen to be hosted publicly
User has not chosen to be hosted publicly
User has not chosen to be hosted publicly
User has not chosen to be hosted publicly
@Anders %ZLnT2j05GdzsmoG08/fpVSdYTDQaSccQKgVeiRxUW/c=.sha256

This could be 2 types here right? One that would auto-follow similar to peer invites and another that allowed bypassing the firewall, maybe just for one session?

@andrestaltz %yws2ZfrY9T+N5Hwuud/PC3BF2ET3rZ1yuMtdoeQ3HtU=.sha256

@arj Yeah, that's possible. I think it's up to the client to follow or not

@zoo [planetary] %h8lBS9+6q7KWS19nhI1ji/amwOYSou534keJpkHTBoI=.sha256
Voted # Request For Feedback ## Tokenized Room Aliases #ssb-room #ssb-rooms #ss
Join Scuttlebutt now