A few thoughts on domain verification for social media


Both Mastodon and BlueSky have the concept of "self-verification". Rather than trust a central authority to assess your notability and then bless your account (as Twitter used to do), they let anyone self-attest using Domain Verification[0].

What does that mean?

  • You tell the service what your website is.
  • The service gives you a secret code[1].
  • You upload that secret code onto your website.
  • The service checks the secret code is on the website.
  • If it is, the service says your domain is verified.

On Mastodon, that gives you a green tick next to your link. On BlueSky, it gives you the ability to change your username to your website's name.

This is reasonably strong proof that you are the owner of that website. I don't have the ability to add the secret file I've been given to bbc.co.uk, so I cannot impersonate them.

But it isn't all sunshine and roses. There are some important issues with this process.

Revocation and Revalidation

Let's say an employee has validated alice.big_company.com - what happens when Alice leaves[2]?

Well, you just delete the secret code from your website, right?

In theory yes. But in practice, no.

From BlueSky:

We're working on adding the ability to revalidate these handles periodically.

And Mastodon:

Verified links are currently verified at each time the profile is updated, but they will only be verified once, when initially entered.

So, at the moment, there is a risk that revalidation isn't completed and revocation never happens[3]. Accounts which were once trusted may stay trusted, even when they're no longer trustworthy.
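To make the five-step process and the revalidation gap concrete, here is an added example (my own illustration, not code from the post or from BlueSky or Mastodon). It assumes an injected `fetch()` so it runs offline; the `/.well-known/atproto-did` path is the one BlueSky's HTTPS handle check uses, while the token, the site and the timings are constructed.

```python
# Added example, not code from the post or from Bluesky/Mastodon. It models
# the five steps above plus the periodic revalidation the post says is
# missing. fetch() is injected so it runs offline; the well-known path is the
# one Bluesky's HTTPS handle check uses; the token and site are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

WELL_KNOWN = "/.well-known/atproto-did"

# Constructed stand-in for Alice's website: URL -> response body.
SITE = {"https://alice.big_company.com" + WELL_KNOWN: "did:plc:EXAMPLE-TOKEN"}

def fake_fetch(url: str) -> Optional[str]:
    return SITE.get(url)  # None stands in for a 404

@dataclass
class Verification:
    domain: str
    token: str                          # the code the service issued
    verified: bool = False
    last_checked: Optional[int] = None  # unix seconds, passed in by caller

def check_domain(domain: str, token: str,
                 fetch: Callable[[str], Optional[str]]) -> bool:
    """Step 4: fetch the file from the site and compare it with the token."""
    body = fetch(f"https://{domain}{WELL_KNOWN}")
    return body is not None and body.strip() == token

def verify(v: Verification, fetch, now: int) -> Verification:
    """Step 5: record the outcome and when it was checked."""
    v.verified = check_domain(v.domain, v.token, fetch)
    v.last_checked = now
    return v

def revalidate(v: Verification, fetch, now: int, max_age: int) -> Verification:
    """Re-check once the stored result is older than max_age seconds.
    A service that never calls this keeps trusting a deleted file."""
    if v.last_checked is None or now - v.last_checked >= max_age:
        return verify(v, fetch, now)
    return v

if __name__ == "__main__":
    alice = verify(Verification("alice.big_company.com", "did:plc:EXAMPLE-TOKEN"),
                   fake_fetch, now=0)
    print(alice.verified)                                                   # True
    SITE.clear()                                          # Alice leaves, file removed
    print(revalidate(alice, fake_fetch, now=3600, max_age=86400).verified)  # True (stale)
    print(revalidate(alice, fake_fetch, now=90000, max_age=86400).verified)  # False
```

The middle call is the problem the post describes: the file is gone, but until the stored result ages out the account is still shown as verified.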

Copy Cat Domains

You're chatting with your credit card company's social media account. You see that they've verified the domain.

Wait?! Are they really mastercrrd.info ✅?

There are several practical attacks against humans trying to validate a domain name. A simple misspelling is easy to overlook. There are thousands of top level domains, and you may not be sure if your bank uses .com, .uk, .tech, or something else. It only costs a few quid for an attacker to buy a domain which contains a politician's name.

International domain names mean that homograph attacks are possible.
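A client can at least surface the homograph case before it draws a tick next to a domain. The following is an added example (mine, not code from the post or from either service): it flags non-ASCII and mixed-script labels and shows the punycode form; the sample domains are constructed, and the script detection is a deliberately crude heuristic based on Unicode character names.

```python
# Added example, not from the post. A display-side check to run before
# rendering a "verified" domain: it flags non-ASCII and mixed-script labels
# (homographs) and shows the punycode form. Sample domains are constructed;
# script_of() is a crude heuristic, not a full Unicode script lookup.
import unicodedata

NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}  # characters that belong to no script

def script_of(ch: str) -> str:
    """Crude script name: first word of the Unicode character name."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"

def label_warnings(label: str) -> list:
    warnings = []
    scripts = {script_of(c) for c in label} - NEUTRAL
    if not label.isascii():
        puny = label.encode("idna").decode()
        warnings.append(f"non-ASCII label {label!r} is really {puny}")
    if len(scripts) > 1:
        warnings.append(f"mixed scripts in {label!r}: {', '.join(sorted(scripts))}")
    return warnings

def domain_warnings(domain: str) -> list:
    """Warnings for every label of the domain. An empty list means nothing
    mechanical was found; it does NOT mean the domain is the one you expect."""
    out = []
    for label in domain.rstrip(".").split("."):
        out.extend(label_warnings(label))
    return out

if __name__ == "__main__":
    print(domain_warnings("mastercrrd.info"))          # [] - a misspelling passes
    print(domain_warnings("m\u0430stercard.com"))      # Cyrillic 'а': two warnings
```

The first call is the post's point in miniature: a plain misspelling like mastercrrd.info is indistinguishable by machine from a real name, so this check only removes the homograph trick, not the human one.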

Humans aren't very clever

Recently, several prominent journalists on BlueSky embarrassed themselves by pronouncing fake accounts to be real. The journalists - with all their resources and contacts - didn't bother to actually verify if the person who registered @KemiBadenoch was really the Leader of the Opposition.

They could have checked her website to see if it linked to the new account. They could have rung up the Tory press office. They could have checked to see if she had verified her account. Or they could have done a dozen other things to verify the facts before posting. They didn't.

These aren't random users blindly reposting. These are highly educated, thoroughly trained fact-finders. Their mission is accuracy and their livelihood depends on being able to report the truth. And yet they just assumed that no one would lie on the Internet.

Would a journalist be able to spot that tailer-swift.fartotron.xyz was an impersonator? I highly doubt it[4].

Hacks Happen

Even when Twitter was validating celebrities correctly, it didn't stop the accounts getting hacked.

An attacker might compromise your social media account or your domain name registrar.

Just because an account and domain appear verified, it doesn't mean they're legitimate. Is that politician you follow really posting about dietary supplements?

It might be too difficult for large organisations

I've written An Easy Guide To BlueSky Verification. It can be as simple as uploading a single file to your website. Although I have some sympathy for claims that managing the process for hundreds of employees might be difficult.

Based on my calculations around 5% of active BlueSky users have verified their domain.

The alternative isn't much better

Verification is hard. Can an over-worked verification team spot that I've photoshopped a passport so that it looks like someone else's?

There are hundreds of famous people called John Williams - which one do you verify?

Also, what are you verifying? In my post on Rethinking Twitter Verification, I pointed out that the ambiguity of verification leads to some weird and non-obvious outcomes.

Final thoughts

There are no simple technological fixes to complex social issues.

But I'm naïve enough to believe that, with time, we can train people to be better at assessing the information they are given.


  0. It is a lot more complicated than that - as per this essay by Christine Lemmer-Webber

  1. Secret in the sense that they only generate it for you. It isn't private. Nothing bad will happen if other people see it.

  2. Let's assume she's naughty and doesn't remove the validation herself from her profile.

  3. It appears that it takes BlueSky around 2 hours to detect and revoke verification.

  4. Prove me wrong. Seriously. So many journalists seem utterly credulous.



9 thoughts on “A few thoughts on domain verification for social media”

  1. @blog A key challenge with verification is that there is no consensus as to what is being verified.

    I can provide numerous ways to verify that my name is Brian Johnson, that does not mean I am a member of the rock band AC/DC.

    For-profit social media sites came up with the concept of verified accounts for selfish reasons - to attract famous people. But as the less famous wanted to be verified, and verification became a potential source of revenue, the qualifications got more and more hazy.

  2. Chris Barts says:

    As far as journalists and their credulity goes, it isn't embarrassing if you suffer no negative consequences. In my less guarded moments, I suspect that being "wrong" about Bluesky could be tactical: "Look at how untrustworthy this site not owned by a business partner is" kind of thing.

  3. says:

    I quite liked the Keybase method with cryptographically signed verification. I don't know of a standardised way to do that, but it would be harder to fake. It may not fix the issue of what happens when you leave a position unless the organisation can revoke your key. Identity is a hard problem and I've seen a few attempts at it.

  4. said on mastodon.social:

    @Edent your Fediverse post/preview here says
    > [..] self-attest using Domain Verification0.

    Curious if that was something specific like ACME's DNS-01 challenge I've clicked and read your blog, but the "0" is just a numbered footnote 😅

    Another non-technical issue with domain validation is that it's easy to get wrong as a human, as you've said, and that e.g. Google is trying to remove URLs from their browser UI, so it is even less accessible to laymen for manual inspection. Search engine as DNS.

  5. said on mastodon.social:

    @knowprose @Edent even if you verify your own domains now, there's still issues around expiry.
    Forgot to renew and someone can often take it and associated accounts over via that dangling verification and they can continue to act in your name.

    Also as a user I want government or otherwise official accounts to be verified, which we get to with low friction/effort on their end, not by them or even me paying money.
    Enforcing verification at the platform probably has incentive issues.

