57 comments

[ 3.4 ms ] story [ 68.2 ms ] thread
satproto's implementation involves complex cryptographic signing and that makes it very not static. One needs to run a program of some sort to use satproto. The only static part is that the json that's operated upon.

This is not true of indieweb's web mention: https://indieweb.org/Webmention

It just uses HTTP POST (like pingback/trackback/etc, except it has a second step verifying the page sending the webmention actually has a link to a URL on the website). You can them them with a browser or cURL or some complex backend script. Receiving them is as easy as logging POSTs to a specific URL endpoint or even using someone else's community backend your site interfaces with via javascript (ie, https://webmention.io/ - not static since it uses JS). Or anything in between.

Totally decentralized and very simple. I implemented a simple nginx POST logging format in the config to receive on my static site. And HTML forms on my static site can send. http://superkuh.com/blog/2019-12-11-3.html

I wish I could share a graph of my eyebrow height over time as I read through this part:

> sAT Protocol (s@) is a decentralized social networking protocol based on static sites. Each user owns a static website storing all their data in encrypted JSON stores.

Signed JSON reminds me of Nostr. I wish Nostr was somehow more mainstream.
Seems like a missed opportunity to not put a /satellite/satproto.json file on that site.
This obviously needs some iteration on the protocol design as other commenters have mentioned, but I'd still be up for partnering up over here at https://anproto.com/
> By convention, the client looks under /satellite/ by default. If that path is already taken, place a satproto_root.json file at the domain root containing { "sat_root": "my-custom-repo" } — the client checks this first.

Would a `/.well-known/` be helpful here?

https://en.wikipedia.org/wiki/Well-known_URI

No. That is for the host/domain entirely not a specific stream.

I might want several directories in the future, and even if I don't, I might want it separate from my .well-known robots.txt. Many, many reasons I can think of not to blend these.

Bad idea.

Amazing. I'm building almost the exact same thing. I'll share mine when it's mature enough. :D
This suffers from the same problem that so so so many alternative social, federated, self-hosted ideas suffer from. Matrix, keybase, pgp, etc.

It’s too dependant on encryption. Yes, it’s a cool technical feat that stuff can be in the open but also private - but:

1. I want to be able to follow my freinds if my phone dies and i have to get a new one.

2. I am very technical, and idk exactly what a X25519 keypair is.

I would like for people to come up with more stuff like this that is designed for small communities but not for very secure communication. Like I want something where it’s secured by a username and password, that i give to a server i am registered with - and that server handles the encryption business. If the server rotates keys, that’s for the admin to figure out and exchange keys with sibling servers.

Idk I’m just making up specifics but this is the kind of ethos i think is needed to make things that can be successful with non-technical people in a way that can unseat big tech.

In case i sound too critical - this is cool. It just isn’t something i can use with family and friends to replace facebook or even email.

In the FAQ at the bottom of the post, the author mentions that this proposal is just the AT protocol (BlueSky) without the active, "firehose" component.

I don't think this is a real proposal, but more a thought experiment about how a static site could integrate into BlueSky. I saw a few similar efforts to integrate the "passive" components of ActivityPub into static site generators so that you could make your static blog consumable via the Fediverse.

In reality, if you really wanted to publish your static site blog posts on BlueSky, this is probably a good place to start! As you mention, there are some serious usability issues with doing everything by hand, but you may find that acceptable or invest in workarounds. Maybe it's possible to use your BlueSky identity so that you aren't in the business of managing keys. Or maybe you could use a script or static site generator plugin to pull credentials from somewhere.

"1. I am very technical"

What does this mean

https://ianix.com/pub/x25519-deployment.html

For example, does "technical" mean curious, enjoys learning, motivated to take things apart to understand them, ...

Does it mean likes to create accounts, signs up for websites, apps, etc., heavy social media user, terminally online,...

What does it mean

> The private key is stored in the browser’s localStorage.

Woah.. when will those people learn? _Any_ browser storage is unreliable. Anything goes wrong with your web experience? Clear browser settings. Make new profile. Re-install browser. The browser's localStorage is not a replacement for filesystem. It cannot be backed up, it is super volatile, and it should _never_ be used for anything important. It's one of those "worst of both world" cases, where malware can access it with no problem, while legitimate backup programs are locked out.

(And yes, the post mentions "new device" flow, but how many people would (1) remember to export their private key and (2) won't lose it with their device? I bet in practice people will use the network until the first time localStorage is lost, and then they will get annoyed that their feeds are lost forever, and will likely leave the network for good)

Very interesting idea, love the simplicity.

Question about this:

“Threads are positioned in the timeline by the original post’s created_at; replies within a thread are sorted by their own created_at ascending.”

Does this mean, I, as the person replying to the post can manipulate my reply time to say, 3 minutes before person X’s reply?

If so, I can imagine a few adversarial ways of (ab)using this.

I understand this is more for friend groups, just curious if my understanding is correct.

have you considered Replace X25519 with a post quantum cryptography key encapsulation mechanism like kyber or saber?
The client fetches the pub key off the server which is decentralized? There's no part in the protocol that authenticates whether or not a pub key is legit. If its replaced by an attacker and someone subsequently goes to fetch a key they can read those messages. I mean, pub key infrastructure is meant to solve that. With SSL and such... that's why you its a federated chain of certificates with providers vouching that names = pub keys.

This is a very common problem. There is potential to possibly make this more decentralized with smart card technology. Like imagine a smart phone with access to pub keys in the hardware tied to an account cryptographically. Then you can say something like phone number = subscriber = pub key. Encrypted messaging apps seem to bootstrap off of ownership for numbers in the mobile system (mobile system security is very bad so there are dragons here.) The other apps like pidgin with OTR plugins they have unique phrases that help with the issue.

When you start looking at decentralized pub key infrastructure tied to human-meaningful names you start to run into zookos triangle:

https://en.wikipedia.org/wiki/Zooko%27s_triangle

human-meaningful, decentralized, secure -- pick two

Just use RSS at that point. I don't see the value of encrypting everything, like people are gonna be spying on your random static blog entries.
Glad to see more of these efforts. But here's what it will really take to decentralize social media and E2EE messengers:

We need something like Discord, except each server is an actual self-hosted server like a Minecraft server. DMs between two users should be handled by a mutual server. Account credentials should be handled by a Nostr-like protocol, which also gives you global tweeting capabilities as a bonus.

Run the whole thing on Yggdrasil Network or something similar so that it's not tied down to IPv4v6 and DNS and all existing hardware infra, but can still take advantage of them. And add reciprocal inter-server onion routing to make it difficult to geolocate servers. Also take a page from SoftEther VPN's book and wrap all traffic in HTTPS and perform automatic NAT traversal, so that people can host servers from behind ISP firewalls.

Anything short of that and we lose to big tech and govs in the long run. But once we've achieved the above, the decentralized web can truly take off: we will get WiFi routers running open-source firmware to make a mesh network to act as alternative physical layer infra for the new web. We can still take advantage of the existing Internet's bandwidth as long as there's an unblockable path to send a little bit of data to discover and coordinate nodes.

just found this curated list of self-hosted discord alternatives.

https://github.com/Vigno04/discord-selfhosted-alternatives

unfortunately though i think self-hosting is one of the problems. one of the features of discord is how easy it is to create your own server.

from that list i am checking out commet now, which seems to promise a better experience on top of matrix. that would at least solve the self-hosting issue, as i'll be able to use it on any existing matrix server. matrix has the technical features needed to work like discord, but not the interface.

It would be nice to start with what this actually is from the user’s point of view.

Forking, paths, JSON, decentralized, encryption, key rotation, etc and I still have no idea why I would bother and who else could use it (a decentralized social network is only so much fun if you are the only one on it).