I don't see how. This is a direct link to the author's bluesky server (PDS) so of course it is controlled by them.
The link in question (linked from the the sumbitted link) is `porcini.us-east.host.bsky.network`. That's hosted by bsky, isn't it?
Lack of moderation combined with an offical-sounding domain name.
This would have to get the user to follow a link or call a phone number or something though. These are plausible. It's too bad the content-security-policy can't prevent following links.
Bluesky seems to use a lot of totally different domain names for each part of their infrastructure, maybe for this reason. e.g. this one is bsky.network
While they're nowhere close on volume, they're certainly beating microsoft in terms of the rate they're adding similar looking official URLs.
> bsky.network
Shortening your brand to 4 letters when your chosen TLD is the same length as your full brand name is such a weird choice.
I think the linked blogpost is the first time I've seen that URL used anywhere user-facing. (other than the status page) bsky.<TLD> is already used for other user-facing URLs though.
I guess bsky.net and bluesky.net were taken. What’s weird is why ICANN allowed .network TLD at all when .net already existed, was shorter, and meant for that.
I can't be the only person who visited bluesky.com, assuming that was the thing everyone was talking about.
I mean, the way AT Proto is designed, moderation primarily happens on the app layer, not the protocol layer. So on an app like Bluesky, you can have a lot of moderation. But the protocol itself allows hosting arbitrary content in a distributed/decentralized way.
Phish could be this:
$inane_marketing_trope
...
Click here to Unsubscribe from Bluesky
https://porcini.us-east.host.bsky.network/xrpc/com.atproto.s...
...
Redirects to bad site.
As long as content is authored by the administrator of the server, I don't see where there is a security issue.
It's like if you point to your own Apache server in your own domain where you host a scam page and say there's a security issue with Apache because you could do that.
Or are you saying that you can make this person's server serve third-party content?
> Or are you saying that you can make this person's server serve third-party content?
Http: yes see OP
Email: not sure. Hopefully not. But spoofing happens.