this security issue can only be triggered by users fault, but it’s up to the UI designer to prevent user mistakes causing potential credential leaks.
The login page
The login page is designed to be as simple as possible. Only 1 page, no extra steps. It’ll validate whatever instance url you type in to ensure it’s actually a Lemmy instance.
The problem
If the user mistypes the instance url to a typo squatting instance, your credentials were just sent straight to them. Bad. For example, I could setup an instance named lemmu.world, and if someone accidentally mistypes lemmy.world as that, I get their credentials for free.
Potential solutions
I’m not sure which one would be best as they all have problems.
- Require you to type the instance before you can start typing your credentials.
- This complicates things and adds an extra step. This also wouldn’t completely solve the problem.
- Add an auto complete list
- This will work for popular instances as they’ll know that they have the wrong url because it disappeared from the auto complete. However, I’d need to keep this list updated and id prefer photon to have minimal external ties. This also wouldn’t work for small instances.
- Add typo checking
- This has the same problem as above as I’d need to keep common misspellings updated and I want photon to have minimal external ties.
Any ideas? For now, this isn’t a problem as long as you double check the instance you’re logging in with, and there’s no cases of this AFAIK.
- Require you to type the instance before you can start typing your credentials.
- This complicates things and adds an extra step. This also wouldn’t completely solve the problem.
First thought in a similar vein to this, have a pause for credential & instance review before passing them along?
E.g. Type everything in as-is, but instead of log in promptly sending anything, it displays all the information you just entered again with some simple message like, “Does everything here look correct?” and Yes/No or something of the sort.
It complicates things and adds a step as well, however I think it would do a better job of encouraging people to double-check for any typos than what you mention in what I’ve quoted above. Bonus of this idea is that it also keeps external ties to a minimum.
Tesseract works like your option 1: Require typing the instance before credentials, and they’re on separate pages (though they wouldn’t strictly have to be). It then populates the sidebar/banner from the instance entered. The impostor / typo-squatting instance would have to match the site details, logo, banner, and spoof the activity stats (though the user would be expected to check what’s displayed is correct for the instance they’re logging into).
I’d say you should have a list of pre approved instances and then give a little warning when an instance is not on the list.