{"p":"","h":{"iv":"ROXSYW+cfvEbFHu5","at":"ocxplSQjdRC3tXEtB/9/wg=="}}

But also: this could be a mass harassment vector for journalists! Someone goes to trust.txt, scrapes every account there, and harasses them.

But I do think that once you say in an official capacity "I am affiliated with [org]", you have to assume that anyone can find that info and can and will scrape it even if there isn't a directory available. idk. tough design space

4
Share
Share on Mastodon
Share on Twitter
Share on Facebook
Share on Linkedin
blaine

@darius there's something interesting there. Thanks for sharing, filed in "folksprotocolonies" and labeled clearly "DO NOT ATTEMPT TO BIKESHED" 😅

1
2y
Malle Yeno 🦝

@darius I'm interested in this idea, could you elaborate on it?

- What stops a malicious actor from spoofing a trust.txt and using that as validation in a similar way to phishing? ("verified by 'nytines' dot com", etc.) Would sites needs a whitelist of valid trust.txt sources?

- On a related topic to the harassment vector point you had: how would you sell trust.txt to orgs that are interested in verification but do not normally want contact exposure for some personnel? (ex. directors and exec)

1
2y
alys

@darius i guess the advantage of an instance like journa.host (or even a nytimes-specific instance) is that they could be keep an eye out for attacks targeting newsrooms' entire trust.txt lists and possibly handle it faster or more efficiently.

on the other hand, that might also overwhelm the moderation capabilities of a particular instance.

0
2y
Jan Adriaenssens

@darius To verify accounts associated with a public website (like newspapers or broadcasters):

You could diminish the "harassment" aspect by having the "trust.txt" document actually be a list of *hashed* accounts.

So when you want to verify whether an account is associated with a website, you can check this one-way (without being able to scrape the full trust.txt).

1
2y
Replies