Hides the '.bsky.social' while also addressing impersonation and security issues

[igorcv88]

Addresses full handle handling to make the interface cleaner and more user friendly

Inspired by: @Caitano09 pull request #5117

[williamokano]

How would this would work for people who have custom domains as handle? For example, what if someone has, currently, the handle foo.bar.bsky.social. After the change, would it become "only" foo.bar?

What if someone else registered the domain foo.bar and changed his handle to it? It would say the same handle for different DID, looks weird to me, as it looks like a handle clash.

For me, having the domain in the handle makes sense in the context of a federated social network, in which handles can come from different PDS's.

[igorcv88]

How would this would work for people who have custom domains as handle? For example, what if someone has, currently, the handle foo.bar.bsky.social. After the change, would it become "only" foo.bar?

What if someone else registered the domain foo.bar and changed his handle to it? It would say the same handle for different DID, looks weird to me, as it looks like a handle clash.

For me, having the domain in the handle makes sense in the context of a federated social network, in which handles can come from different PDS's.

Yes, it would appear as foo.bar but if you go to the main profile and toggle full handle you'd see the entire thing. It only hides '.bsky.social' it won't hide any custom handle at all. When mentioning it checks for a valid top level domain and, if not recognized, it assumes '.bsky.social' as it is handling the mention.

[Vincentroland]

Expilct

[joncar]

I'm still of the general opinion that making a change like this is a dangerous idea. And here are some specific comments on the exact change too.

[joncar]

. is special in regex and matches anything. So this whole regex is, mostly, a match anything regex.

[joncar]

Why is there an @ being put in the middle of a handle?

[joncar]

Did an auto reformatter get used on the entire file? It is very hard to see what the actual differences are.

[joncar]

Is the intention of this to allow the richtext did attribute stored in the post record to have a partial handle in it? I don't understand why. This change should be purely cosmetic in the UI.

[williamokano]

Yes, it would appear as foo.bar but if you go to the main profile and toggle full handle you'd see the entire thing.

Seems like a bad idea for me. Having to go profile by profile to make sure it’s not an impersonation rather being able to check directly in the feed can make impersonation way easier as most people might not check that.

Just wanted to understand more, I ain’t bsky developer, so I have no veto nor any kind of power here.

Thanks for the explanation and best of luck in your PR.

Also, not sure if this was already discussed, but in big open source projects, might be a good idea to have an RFC or any discussion attached to your PR, as it can be discussed whether it fits the roadmap or if they are willing to accept changes, at least they won’t have to go through all PRs trying to understand what’s happening, why it’s happening, how it’s happening, pros and cons, and maybe some security issues.

[sunnasg]

Muitas pessoas querem essa mudança. Nem todos gostam desse bsky.com, eu muito menos. Sendo assim, admito que é uma boa sugestão.

[williamokano]

Muitas pessoas querem essa mudança. Nem todos gostam desse bsky.com, eu muito menos. Sendo assim, admito que é uma boa sugestão.

Do jeito que foi implementado é uma péssima solução. Se não fosse uma rede federada onde você pode ter vários servidores descentralizados e colocar outros domínios, eu até entenderia a mudança, mas ter essa parte, ou algum outro tipo de identificar, é essencial pra evitar personificar outras contas.

[cyyynthia]

While this certainly gives a more "twitter-esque" feel, I am strongly against it for multiple reasons:

• The impersonation risks with this are huge, as mentioned before. On the ATmosphere, use of your own domain name is the major way to verify identity. Hiding bsky.social makes it more difficult by default to identify accounts with a dedicated domain name or using Bluesky's hosted services (which are not easily verifiable).
• This gives special treatment to Bluesky. While it may be understandable in the context of the webapp, special treatments may put Bluesky-operated PDS at an unfair advantage compared to self-hosted which is not good for the ecosystem at large. All PDSes should be equally treated to keep the network fair for everyone.
• Corollary, a "Bluesky account" doesn't exist per se, as it is an identity on atproto. This identity can be used on any service built upon the protocol, even if it has no connection to Bluesky. Hiding bsky.social can lead to the identity looking different across services which isn't great.
• The existing ecosystem around Bluesky specifically will fail to recognize "simple @" and expects in most places the whole handle, with .bsky.social if you're not using your own domain.

I definitely understand the friction caused and why the change is wanted, but that's one of the aspects of a decentralised network. Atproto does an absolutely impressive job at reducing the friction usually introduced by such architectures, but the domain part is an essential part of the whole thing.