
Show HN: s@: decentralized social networking over static sites

195 points by remywang today at 12:22 AM | 72 comments

Comments

kennywinker today at 3:55 AM

This suffers from the same problem that so so so many alternative social, federated, self-hosted ideas suffer from. Matrix, keybase, pgp, etc.

It’s too dependent on encryption. Yes, it’s a cool technical feat that stuff can be in the open but also private - but:

1. I want to be able to follow my friends if my phone dies and I have to get a new one.

2. I am very technical, and idk exactly what an X25519 keypair is.

I would like for people to come up with more stuff like this that is designed for small communities but not for very secure communication. Like I want something where it’s secured by a username and password, that I give to a server I am registered with - and that server handles the encryption business. If the server rotates keys, that’s for the admin to figure out and exchange keys with sibling servers.

Idk, I’m just making up specifics, but this is the kind of ethos I think is needed to make things that can be successful with non-technical people in a way that can unseat big tech.

In case I sound too critical - this is cool. It just isn’t something I can use with family and friends to replace facebook or even email.

esjeon today at 6:37 AM

A bit off-topic, but a social networking protocol should never be designed for the sake of the protocol itself, or it’ll not enjoy the network effect. A protocol must offer direct benefits to users, so that they keep participating in the network. This participation is what eventually forms the network of people, a.k.a. society. I always pick BitTorrent as the most successful example of such a networking protocol - people just wanted to download stuff (e.g. movies and pxxxs) but end up participating in the sharing network.

Personally, I think a possible angle of attack for a new practical social network protocol is data management, as the amount of data people generate, consume, store, and share is enormous these days. More like, manage data conveniently, and share them easily as a side-effect.

theamk today at 4:20 AM

> The private key is stored in the browser’s localStorage.

Woah... when will those people learn? _Any_ browser storage is unreliable. Anything goes wrong with your web experience? Clear browser settings. Make new profile. Re-install browser. The browser's localStorage is not a replacement for a filesystem. It cannot be backed up, it is super volatile, and it should _never_ be used for anything important. It's one of those "worst of both worlds" cases, where malware can access it with no problem, while legitimate backup programs are locked out.

(And yes, the post mentions "new device" flow, but how many people would (1) remember to export their private key and (2) won't lose it with their device? I bet in practice people will use the network until the first time localStorage is lost, and then they will get annoyed that their feeds are lost forever, and will likely leave the network for good)

neilv today at 3:34 AM

> By convention, the client looks under /satellite/ by default. If that path is already taken, place a satproto_root.json file at the domain root containing { "sat_root": "my-custom-repo" } — the client checks this first.

Would a `/.well-known/` be helpful here?

https://en.wikipedia.org/wiki/Well-known_URI

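As an added illustration of the discovery convention quoted in this comment (this is example code written for this page, not the s@ project's client), the resolver below checks the root satproto_root.json first and falls back to /satellite/; the /.well-known/ lookup is the commenter's suggestion, enabled by an option, and not part of the protocol as quoted. fetchText is an injected function standing in for fetch() so the block runs offline, and the sample sites are constructed. The one check worth noting from a defender's side: because the hint file is served by the site being visited, the client should only accept a single relative path segment as sat_root, so a tampered file cannot redirect the client to a parent directory or another origin.

```javascript
// Added example (not from the s@ project): repository discovery for a client,
// following the convention quoted above: satproto_root.json at the domain
// root wins, otherwise /satellite/. The optional /.well-known/ lookup is the
// commenter's suggestion, not part of the protocol as quoted.
// fetchText(url) is an injected function returning the body or null, so the
// block runs offline; a real client would use fetch().

const DEFAULT_ROOT = 'satellite';

// A root must be one relative path segment. Rejecting slashes, '..', schemes
// and whitespace stops a tampered satproto_root.json from pointing the client
// at a parent directory or another origin.
function isSafeRoot(value) {
  return typeof value === 'string'
    && /^[A-Za-z0-9._-]+$/.test(value)
    && value !== '.' && value !== '..';
}

// Parse a root hint file; anything malformed or unsafe counts as absent.
function readRootHint(body) {
  if (body === null) return null;
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  return parsed && isSafeRoot(parsed.sat_root) ? parsed.sat_root : null;
}

function resolveRepoRoot(origin, fetchText, options) {
  const checkWellKnown = Boolean(options && options.checkWellKnown);
  const candidates = [origin + '/satproto_root.json'];
  if (checkWellKnown) candidates.push(origin + '/.well-known/satproto_root.json');
  for (const url of candidates) {
    const root = readRootHint(fetchText(url));
    if (root !== null) return origin + '/' + root + '/';
  }
  return origin + '/' + DEFAULT_ROOT + '/';
}

// Constructed sample sites (origin -> path -> body) standing in for the web.
const SAMPLE_SITES = {
  'https://alice.example': {},
  'https://bob.example': { '/satproto_root.json': '{ "sat_root": "my-custom-repo" }' },
  'https://mallory.example': { '/satproto_root.json': '{ "sat_root": "../../private" }' },
  'https://carol.example': { '/.well-known/satproto_root.json': '{ "sat_root": "sat" }' },
};

function sampleFetch(url) {
  const m = /^(https:\/\/[^/]+)(\/.*)$/.exec(url);
  if (!m) return null;
  const site = SAMPLE_SITES[m[1]];
  if (!site || !Object.prototype.hasOwnProperty.call(site, m[2])) return null;
  return site[m[2]];
}

console.log(resolveRepoRoot('https://bob.example', sampleFetch));      // https://bob.example/my-custom-repo/
console.log(resolveRepoRoot('https://mallory.example', sampleFetch));  // https://mallory.example/satellite/
```

A hint file that fails the path-segment check is treated exactly like a missing one, so the client silently lands on the default rather than following the bad value.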
_pdp_ today at 3:03 AM

Long ago there was this thing called foaf https://en.wikipedia.org/wiki/FOAF and also https://en.wikipedia.org/wiki/Pingback ... it was the closest I've seen to completely decentralised social media.

Retr0id today at 2:30 AM

I wish I could share a graph of my eyebrow height over time as I read through this part:

> sAT Protocol (s@) is a decentralized social networking protocol based on static sites. Each user owns a static website storing all their data in encrypted JSON stores.

txrx0000 today at 4:54 AM

Glad to see more of these efforts. But here's what it will really take to decentralize social media and E2EE messengers:

We need something like Discord, except each server is an actual self-hosted server like a Minecraft server. DMs between two users should be handled by a mutual server. Account credentials should be handled by a Nostr-like protocol, which also gives you global tweeting capabilities as a bonus.

Run the whole thing on Yggdrasil Network or something similar so that it's not tied down to IPv4v6 and DNS and all existing hardware infra, but can still take advantage of them. And add reciprocal inter-server onion routing to make it difficult to geolocate servers. Also take a page from SoftEther VPN's book and wrap all traffic in HTTPS and perform automatic NAT traversal, so that people can host servers from behind ISP firewalls.

Anything short of that and we lose to big tech and govs in the long run. But once we've achieved the above, the decentralized web can truly take off: we will get WiFi routers running open-source firmware to make a mesh network to act as alternative physical layer infra for the new web. We can still take advantage of the existing Internet's bandwidth as long as there's an unblockable path to send a little bit of data to discover and coordinate nodes.

serial_dev today at 5:43 AM

It would be nice to start with what this actually is from the user’s point of view.

Forking, paths, JSON, decentralized, encryption, key rotation, etc and I still have no idea why I would bother and who else could use it (a decentralized social network is only so much fun if you are the only one on it).

Goofy_Coyote today at 4:20 AM

Very interesting idea, love the simplicity.

Question about this:

“Threads are positioned in the timeline by the original post’s created_at; replies within a thread are sorted by their own created_at ascending.”

Does this mean that I, as the person replying to the post, can manipulate my reply time to say, 3 minutes before person X’s reply?

If so, I can imagine a few adversarial ways of (ab)using this.

I understand this is more for friend groups, just curious if my understanding is correct.

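The ordering question raised in this comment, worked through in code (an added example for this page, not the s@ project's implementation): created_at is the author-supplied field from the quoted rule, while fetched_at is a hypothetical field the reading client records when it first sees a post. naiveOrder is the rule as quoted, which a backdated reply can game; orderThread instead orders by when the reader first observed each reply, uses created_at only to order replies that arrived in the same sync, and flags claimed times that are implausible. The thread data is constructed.

```javascript
// Added example (not the s@ project's code): ordering replies in a thread
// when created_at is author-supplied, as the comment above points out.
// created_at follows the quoted rule; fetched_at is a hypothetical field
// the client records when it first sees a post. Times are plain integers.

// Sort purely by the claimed created_at: this is the rule as quoted, and the
// one a backdated reply can game.
function naiveOrder(replies) {
  return [...replies].sort((a, b) => a.created_at - b.created_at || a.id.localeCompare(b.id));
}

// Order by when this reader first observed each reply; created_at only
// breaks ties inside one sync batch. Also flag replies whose claimed time is
// implausible: before the parent post, in the future relative to the fetch,
// or earlier than a sibling that was already visible before it appeared.
function orderThread(root, replies) {
  const byObserved = [...replies].sort((a, b) => a.fetched_at - b.fetched_at);
  let seenBefore = root.created_at; // latest created_at among earlier batches
  let batchTime = null;
  let batchMax = root.created_at;
  const out = [];
  for (const r of byObserved) {
    if (r.fetched_at !== batchTime) {
      seenBefore = Math.max(seenBefore, batchMax);
      batchTime = r.fetched_at;
    }
    // Clamp the displayed time into [parent's created_at, time we saw it].
    const effective_at = Math.min(Math.max(r.created_at, root.created_at), r.fetched_at);
    const suspicious = r.created_at < root.created_at
      || r.created_at > r.fetched_at
      || r.created_at < seenBefore;
    batchMax = Math.max(batchMax, r.created_at);
    out.push(Object.assign({}, r, { effective_at, suspicious }));
  }
  return out.sort((a, b) => a.fetched_at - b.fetched_at
    || a.effective_at - b.effective_at
    || a.id.localeCompare(b.id));
}

// Constructed thread: Y claims a time earlier than X's reply but only
// appeared after X had already been fetched; Z claims to predate the root;
// W arrived in the same sync as Y with an honest timestamp.
const ROOT = { id: 'root', created_at: 1000, fetched_at: 1000 };
const REPLIES = [
  { id: 'Z', created_at: 900, fetched_at: 1250 },
  { id: 'Y', created_at: 1090, fetched_at: 1200 },
  { id: 'X', created_at: 1100, fetched_at: 1100 },
  { id: 'W', created_at: 1120, fetched_at: 1200 },
];

function ids(list) { return list.map(r => r.id); }

console.log(ids(naiveOrder(REPLIES)));         // [ 'Z', 'Y', 'X', 'W' ]
console.log(ids(orderThread(ROOT, REPLIES)));  // [ 'X', 'Y', 'W', 'Z' ]
```

The trade-off is that observed order is per reader: two people who synced at different times can see a thread in different orders. That is what a static-site protocol with no shared server clock has to choose between, and flagging rather than hiding the suspicious replies keeps the decision visible to the user.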
evbogue today at 3:09 AM

This obviously needs some iteration on the protocol design as other commenters have mentioned, but I'd still be up for partnering up over here at https://anproto.com/

lovvtide today at 4:15 AM

Funny to see people mention nostr

https://satellite.earth/ (Satellite nostr client)

https://nsite.run/ (literally static sites on nostr)

est today at 2:14 AM

Seems a bit complicated.

Why not use git for social networking ;)

https://github.com/est/gitweets

konfuzio today at 5:32 AM

I think a new take on the old-school forum would bring real UGC (rel="ugc") that brings value to human and agentic readers.

Let's crash the fediverse! https://wire.wise-relations.com/

koolala today at 2:56 AM

Signed JSON reminds me of Nostr. I wish Nostr was somehow more mainstream.

MattCruikshank today at 3:43 AM

Amazing. I'm building almost the exact same thing. I'll share mine when it's mature enough. :D

flaxxer today at 3:38 AM

Nostr https://nostr.com/

extraduder_ire today at 3:07 AM

Seems like a missed opportunity to not put a /satellite/satproto.json file on that site.

wordglyph today at 4:22 AM

Have you considered replacing X25519 with a post-quantum cryptography key encapsulation mechanism like Kyber or Saber?

dharmatech today at 2:00 AM

See also org social:

https://github.com/tanrax/org-social

givemeethekeys today at 3:41 AM

This needs a YouTube demo video.

James_K today at 4:48 AM

Just use RSS at that point. I don't see the value of encrypting everything, like people are gonna be spying on your random static blog entries.

Uptrenda today at 4:36 AM

The client fetches the pub key off the server, which is decentralized? There's no part in the protocol that authenticates whether or not a pub key is legit. If it's replaced by an attacker and someone subsequently goes to fetch a key, they can read those messages. I mean, pub key infrastructure is meant to solve that. With SSL and such... that's why it's a federated chain of certificates with providers vouching that names = pub keys.

This is a very common problem. There is potential to possibly make this more decentralized with smart card technology. Like imagine a smart phone with access to pub keys in the hardware tied to an account cryptographically. Then you can say something like phone number = subscriber = pub key. Encrypted messaging apps seem to bootstrap off of ownership of numbers in the mobile system (mobile system security is very bad, so there are dragons here.) Other apps like Pidgin with OTR plugins have unique phrases that help with the issue.

When you start looking at decentralized pub key infrastructure tied to human-meaningful names you start to run into Zooko's triangle:

https://en.wikipedia.org/wiki/Zooko%27s_triangle

human-meaningful, decentralized, secure -- pick two
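One partial mitigation for the key-substitution problem this comment describes is trust-on-first-use pinning, the same idea as the OTR phrases mentioned above applied at the client: remember the key seen on first contact and refuse to silently accept a different one later. The code below is an added example for this page, not the s@ project's client; the Map stands in for persistent client storage, the key values are constructed hex strings rather than real X25519 keys, and a real client would pin a hash fingerprint instead of raw key bytes.

```javascript
// Added example (not from the s@ project): trust-on-first-use pinning for a
// public key fetched from a user's site, one partial answer to the
// substitution problem described above. The Map stands in for the client's
// persistent store; key values are constructed hex strings, not real X25519
// keys. A real client would pin a hash fingerprint rather than the raw key.

class KeyPinStore {
  constructor() {
    this.pins = new Map(); // identity -> { pubkey, firstSeen }
  }

  // Compare a freshly fetched key with the pin. The result is a decision the
  // UI must surface: 'pinned' on first sight, 'match', or 'mismatch'.
  // On 'mismatch' the client should refuse to encrypt to the new key until
  // the user has confirmed the change through some other channel.
  check(identity, fetchedPubKey, now) {
    const known = this.pins.get(identity);
    if (known === undefined) {
      this.pins.set(identity, { pubkey: fetchedPubKey, firstSeen: now });
      return 'pinned';
    }
    return known.pubkey === fetchedPubKey ? 'match' : 'mismatch';
  }

  // The only way a pin changes: an explicit, user-confirmed rotation.
  rotate(identity, newPubKey, confirmedByUser, now) {
    if (!confirmedByUser) {
      throw new Error('key rotation for ' + identity + ' requires out-of-band confirmation');
    }
    this.pins.set(identity, { pubkey: newPubKey, firstSeen: now });
  }
}

// Decide whether a message may be encrypted to the key currently published
// for `identity`. Returns { ok, reason } so the caller can log or display it.
function keyForSending(store, identity, fetchedPubKey, now) {
  const result = store.check(identity, fetchedPubKey, now);
  if (result === 'mismatch') {
    return { ok: false, reason: 'published key for ' + identity + ' changed since first use' };
  }
  return { ok: true, reason: result === 'pinned' ? 'first use, key pinned' : 'key matches pin' };
}

// Constructed walk-through: first contact pins the key, a later swap is refused.
const store = new KeyPinStore();
console.log(keyForSending(store, 'alice.example', 'aa11', 1));  // { ok: true, reason: 'first use, key pinned' }
console.log(keyForSending(store, 'alice.example', 'bb22', 2));  // { ok: false, reason: '...changed since first use' }
```

This does nothing for the very first fetch, which is exactly the Zooko's-triangle corner the comment points at: it turns a silent substitution into a detectable one, and leaves bootstrapping trust to an out-of-band comparison.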

superkuh today at 1:28 AM

satproto's implementation involves complex cryptographic signing and that makes it very not static. One needs to run a program of some sort to use satproto. The only static part is the JSON that's operated upon.

This is not true of indieweb's web mention: https://indieweb.org/Webmention

It just uses HTTP POST (like pingback/trackback/etc, except it has a second step verifying the page sending the webmention actually has a link to a URL on the website). You can send them with a browser or cURL or some complex backend script. Receiving them is as easy as logging POSTs to a specific URL endpoint or even using someone else's community backend your site interfaces with via javascript (i.e., https://webmention.io/ - not static since it uses JS). Or anything in between.

Totally decentralized and very simple. I implemented a simple nginx POST logging format in the config to receive on my static site. And HTML forms on my static site can send. http://superkuh.com/blog/2019-12-11-3.html

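The two-step receiving flow this comment describes (accept a form-encoded POST carrying source and target, then fetch source and confirm it actually links to target), as an added example for this page rather than code from the commenter's site or from webmention.io. fetchText is an injected function so the block runs offline, OUR_ORIGIN and the sample pages are constructed, and the link extraction is a regex sufficient for the check, not an HTML parser. The extra check a receiver wants is that target is on its own site; without it the endpoint becomes a way to make the receiver fetch arbitrary third-party URLs on request.

```javascript
// Added example (not the commenter's or webmention.io's code): the receiving
// side of a Webmention. fetchText(url) is injected and returns the page body
// or null; a real receiver would use fetch() with a client that refuses
// private addresses, and would queue verification instead of doing it inline.

const OUR_ORIGIN = 'https://example.com'; // constructed: the site receiving mentions

function parseForm(body) {
  const params = new URLSearchParams(body);
  return { source: params.get('source'), target: params.get('target') };
}

function isHttpUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch (e) {
    return false;
  }
}

// Collect href values from anchor tags; adequate for the link check.
function linksIn(html) {
  const out = [];
  const re = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]));
  }
  return out;
}

// Returns an HTTP-style status and a reason the receiver can log.
function receiveWebmention(body, fetchText) {
  const { source, target } = parseForm(body);
  if (!source || !target || !isHttpUrl(source) || !isHttpUrl(target)) {
    return { status: 400, reason: 'source and target must be http(s) URLs' };
  }
  if (source === target) return { status: 400, reason: 'source and target must differ' };
  // Only accept mentions of pages we host; otherwise anyone can use this
  // endpoint to make us fetch arbitrary URLs on their behalf.
  if (new URL(target).origin !== OUR_ORIGIN) return { status: 400, reason: 'target not on this site' };
  const html = fetchText(source);
  if (html === null) return { status: 400, reason: 'source could not be fetched' };
  const found = linksIn(html).some(href => href === target);
  return found
    ? { status: 202, reason: 'verified' }
    : { status: 400, reason: 'source does not link to target' };
}

// Constructed sample pages standing in for the web.
const SAMPLE_PAGES = {
  'https://blog.example/post': '<p>Replying to <a href="https://example.com/notes/1">this note</a></p>',
  'https://spam.example/x': '<p>Nothing here links to the target.</p>',
};

function sampleFetch(url) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_PAGES, url) ? SAMPLE_PAGES[url] : null;
}

const demo = new URLSearchParams({ source: 'https://blog.example/post', target: 'https://example.com/notes/1' }).toString();
console.log(receiveWebmention(demo, sampleFetch)); // { status: 202, reason: 'verified' }
```

The verification step is what separates this from plain pingback-style notification: a POST alone proves nothing about who sent it, but a fetched page that links to the target shows the claimed source really does mention it.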