Who Owns Your ATProto Identity? Hint: It's Probably Not You
- #Bluesky
- #Decentralization
- #Cybersecurity
- The article discusses security risks in ATProto, focusing on how Personal Data Server (PDS) operators have control over user identities and signing keys.
- PDS operators hold signing keys that can impersonate users across all ATProto apps, posting, liking, and following as them with valid signatures.
- A compromised or malicious PDS operator can lock users out of their identities, and because the identity is shared across all ATProto applications the damage is not scoped to one app the way a breach at a traditional platform is.
- The system centralizes trust in PDS operators for convenience, but this makes it brittle, as one operator's compromise exposes every account on it.
- Users can enroll self-controlled rotation keys to prevent being locked out, but it's not the default, and the article calls for changes like default enrollment and better user awareness.
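The split between the signing key the PDS holds and the rotation keys that govern the identity document is the crux of the article's argument, so the toy model below walks through it in runnable form. This is an added example, not code from the article or from the ATProto project: it models an identity document as one signing key plus a list of rotation keys, uses Ed25519 from Go's standard library instead of the key types ATProto actually uses, and omits the ordering, timing and history rules of real `did:plc` operations (all of that is an assumption of the model). The `Scenario` function shows that the PDS-held signing key yields valid records for anyone holding it, that the signing key alone cannot rewrite the document, and that a user who has enrolled their own rotation key can move the identity off the PDS, while a user who has not is stuck.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyPair wraps an Ed25519 key. ATProto itself uses secp256k1 / P-256 "did:key"
// strings; Ed25519 is used here only because it ships in Go's standard library
// (assumption of this toy model).
type KeyPair struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewKeyPair() KeyPair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return KeyPair{Pub: pub, Priv: priv}
}

// Identity is a stripped-down stand-in for a DID document: one signing key,
// which the PDS holds so it can write the user's repo, and the rotation keys
// that are allowed to replace the document itself.
type Identity struct {
	SigningKey   ed25519.PublicKey
	RotationKeys []ed25519.PublicKey
}

// SignRecord produces a repo record signature (post, like, follow). Anyone who
// holds the signing key, the PDS operator included, can do this.
func SignRecord(priv ed25519.PrivateKey, record []byte) []byte {
	return ed25519.Sign(priv, record)
}

// VerifyRecord is what every other ATProto app does with a record: check it
// against the signing key currently published for the identity.
func (id Identity) VerifyRecord(record, sig []byte) bool {
	return ed25519.Verify(id.SigningKey, record, sig)
}

// Operation proposes a replacement identity document, signed by a rotation key.
type Operation struct {
	Next Identity
	Sig  []byte
}

// encodeIdentity serialises the document deterministically so it can be signed.
func encodeIdentity(id Identity) []byte {
	buf := append([]byte("signing:"), id.SigningKey...)
	for _, rk := range id.RotationKeys {
		buf = append(buf, "|rotation:"...)
		buf = append(buf, rk...)
	}
	return buf
}

func SignOperation(priv ed25519.PrivateKey, next Identity) Operation {
	return Operation{Next: next, Sig: ed25519.Sign(priv, encodeIdentity(next))}
}

// ApplyOperation accepts the new document only if a current rotation key signed
// it. The signing key is deliberately not enough: it can author records but not
// rewrite who controls the identity.
func (id Identity) ApplyOperation(op Operation) (Identity, error) {
	msg := encodeIdentity(op.Next)
	for _, rk := range id.RotationKeys {
		if ed25519.Verify(rk, msg, op.Sig) {
			return op.Next, nil
		}
	}
	return id, errors.New("operation not signed by a current rotation key")
}

// Outcome records what the scenario demonstrates.
type Outcome struct {
	PDSCanImpersonate   bool // records signed with the PDS-held signing key verify
	SigningKeyCanRotate bool // can the signing key alone rewrite the document?
	UserRecovered       bool // did the user's rotation key move the identity off the PDS?
	OldPDSKeysRejected  bool // after recovery, are the PDS's old keys useless?
}

// Scenario walks through the risk described above. userEnrolled controls whether
// the user holds their own rotation key or relies only on the one the PDS holds.
func Scenario(userEnrolled bool) Outcome {
	pdsSigning, pdsRotation, userRotation := NewKeyPair(), NewKeyPair(), NewKeyPair()

	rotation := []ed25519.PublicKey{pdsRotation.Pub}
	if userEnrolled {
		rotation = append(rotation, userRotation.Pub)
	}
	id := Identity{SigningKey: pdsSigning.Pub, RotationKeys: rotation}

	var out Outcome

	// 1. The PDS holds the signing key, so a record it writes verifies everywhere.
	post := []byte("constructed sample record: a post the user never wrote")
	out.PDSCanImpersonate = id.VerifyRecord(post, SignRecord(pdsSigning.Priv, post))

	// 2. Holding the signing key does not let anyone rewrite the identity document.
	fresh := NewKeyPair()
	_, err := id.ApplyOperation(SignOperation(pdsSigning.Priv, Identity{SigningKey: fresh.Pub, RotationKeys: rotation}))
	out.SigningKeyCanRotate = err == nil

	// 3. The user recovers: install a new signing key and drop the PDS's rotation key.
	recovery := Identity{SigningKey: fresh.Pub, RotationKeys: []ed25519.PublicKey{userRotation.Pub}}
	recovered, err := id.ApplyOperation(SignOperation(userRotation.Priv, recovery))
	out.UserRecovered = err == nil
	if !out.UserRecovered {
		return out // no self-controlled rotation key enrolled: nothing the user can do
	}

	// 4. After recovery the old PDS signing key no longer yields valid records and
	//    the old PDS rotation key can no longer take the identity back.
	staleSig := SignRecord(pdsSigning.Priv, post)
	_, err = recovered.ApplyOperation(SignOperation(pdsRotation.Priv, id))
	out.OldPDSKeysRejected = !recovered.VerifyRecord(post, staleSig) && err != nil
	return out
}

func main() {
	fmt.Printf("user holds a rotation key: %+v\n", Scenario(true))
	fmt.Printf("user relies on the PDS:    %+v\n", Scenario(false))
}
```

Running `Scenario(false)` is the default situation the article objects to: impersonation is possible either way, but only the enrolled user ends up with `UserRecovered` and `OldPDSKeysRejected` set. The check a deployer would want from this model is the one in step 2: identity changes must be gated on rotation keys, never on the key the PDS uses day to day.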