A new form of verification on Bluesky

4/21/2025 at 7:43:25 PM

I got verified in the initial round of verification.

On a technical level, this sort of works like a Root CA: anyone can verify anyone by publishing a `app.bsky.graph.verification` record to their PDS. Bluesky then chooses to turn those from trusted accounts into the blue check, similar to browsers bundling root CAs into the browser.

* https://pdsls.dev/at://did:plc:z72i7hdynmk6r22z27h6tvur/app.... <- bluesky verifying me. it's coming from at://bsky.app, and therefore, blue check

* https://pdsls.dev/at://did:plc:3danwc67lo7obz2fmdg6jxcr/app.... <- me verifiying people I know. it's coming from at://steveklabnik.com, and therefore, no blue check.

I am not 100% sure how I feel about this feature overall, but it is something that a lot of users are clamoring for, and I'm glad it's at least "on-protcol" instead of tacked on the side somehow. We'll see how it goes.

by steveklabnik

4/21/2025 at 9:33:05 PM

Initially I just thought they verified people working at Bluesky, which made enough sense, but this initial batch seeming so arbitrarily decided isn't a good look. It feels all too similar to the "I know someone at Twitter" verification in the SF tech community.

by joshuaturner

4/21/2025 at 9:41:28 PM

Unfortunately that’s how I’m beginning to see this too, a sign of old school nepotism and struggle to regain lost status. We’ve seen how this unfolded for Twitter.

by FlyingSnake

4/21/2025 at 11:27:16 PM

How did that unfold on Twitter? I thought they did it better than anybody before the takeover but maybe I’m missing something.

by LastTrain

4/22/2025 at 8:36:03 AM

Even before the takeover accounts could be "unverified", which makes a mockery of the concept of verification.

Verification should always have been "This is who they say they are", not an endorsement.

The "algorithm" boosting tweets from verified accounts also showed it was an endorsement rather than verification.

When people lost verification for being distasteful, it reinforced the blue checkmark as being an endorsement.

The takeover sold-out the "value" build up from blue checkmarks by just straight up selling them. It explicitly made the platform "Pay for reach".

by xnorswap

4/22/2025 at 2:05:28 PM

Even before the takeover accounts could be "unverified", which makes a mockery of the concept of verification.

Why? Accounts can be sold/hacked, and there is a lot of that on social media. A verified account may even be a higher value target for some of the reasons you're bringing up, like algorithm boosts, verifications being considered an endorsement. In either case, unverification not only makes sense, but should be expected.

by dfxm12

4/22/2025 at 2:12:13 PM

I knew a pedant would get me on that.

I'm talking about people, who are still verifiably the same people, becoming unverified.

Yes, where accounts have changed hands, or changed identity, they should be unverified.

That's actually one of the cases where twitter did not un-verify. Accounts "earned" the blue-check then changed identity to something else, appearing "verified" as that new identity.

by xnorswap

4/22/2025 at 2:21:41 PM

If that's what you were talking about, you should have said that. Accounts are not people. This is not pedantry (and calling me names doesn't prove anything, either).

by dfxm12

4/22/2025 at 2:25:48 PM

I did say that, it's the very next line:

> Verification should always have been "This is who they say they are", not an endorsement

by xnorswap

4/22/2025 at 2:29:28 PM

Both syntax and context only support the "they" here to refer to "accounts" as used in your previous sentence.

by dfxm12

4/22/2025 at 3:03:37 PM

If I’m able to register a company with a name that matches your username, should I be able to get a verified account with the handle “real_xnorswap”?

Such things could be ripe for abuse. Although to be fair a social media platform might be able to push some of the blame onto the corporate registries.

by spacebanana7

4/22/2025 at 3:29:35 PM

If you're not claiming to be me, then I can't see why you shouldn't be able to use the name xnorswap, especially if that's your company name. I don't own the name, and if you have your own presence under that name, I can't see the issue.

Even trademarks only cover a company's particular domain. See the long history of Apple Corps vs Apple Computers

https://en.wikipedia.org/wiki/Apple_Corps_v_Apple_Computer

In my view this is how verification ought to work:

- A user writes a bio / about field

- A trust provider verifies that bio is factual

- Any change to that bio will cause their bio to become unverified until it can be re-verified. ( The bio change can be held back until verification can complete. )

- An appeals process exists

How "trust providers" are established without leading to excess centralisation is a difficult problem. This is especially true given that like moderation, it's an expensive thing to do.

There is the possibility of trust-chains such as the way Lobsters works, but there's a exposed to the masses I suspect that people just mass-verify everything without any checking.

In reality you'd be left with one or two central pillars that people trust, and everything else which people don't.

There's also the danger that too much verification leaves new users in the cold. If 90% of genuine users are "verified", then a brand new user doesn't have much chance of making it through filters to become known enough to hope for verification, and will find themselves ignored and effectively locked out. ( This is already the case for some platforms where you're effectively required to give your phone number else end up in the "probably a bot" pile and de-facto shadow-banned. )

by xnorswap

4/22/2025 at 12:52:37 PM

There's a pretty good retrospective written up on this blog[0].

In short: originally the purpose was nothing more "this account belongs to the person they claim to be and we've directly verified this with them". Unfortunately, people habitually misinterpreted the checkmark as not just being verification but also a tacit endorsement of the account by Twitter the company. Which isn't great when you get a high profile controversial event and it's lead organizer has a verified Twitter account.

After that, they appended an "in good standing" qualifier, and it quickly devolved into a "you know a person who knows a person who knows a person" situation since they also announced a public pause of the program. (Notably, the ID check, while it existed, was pretty much abandoned. Twitter at some point began demanding ID scans to report things to their support, but that obviously never actually translated to a blue check.)

Musk's version of it is hilariously simplistic, but also robs it of any and all value: just pay money for it and you'll get it. It works in the sense that it confirms the poster has a bank account (although this probably doesn't confirm much in and of itself), but any and all value of said verification is minimal because any old hack/scammer can do that.

Verification is a difficult system to get right and people have all sorts of pre-baked in ideas on how it should work versus how it actually works and the use of a checkmark played a part into how Twitters version was perceived over the years. (As well as Twitters own unreliability in being consistent about what it means.)

[0]: https://blog.giovanh.com/blog/2022/11/01/the-failure-of-acco...

by noirscape

4/22/2025 at 3:49:41 PM

It does prevent one from creating thousands such accounts per minute.

by 6510

4/22/2025 at 1:10:01 PM

Huge swathe of accounts who got in early and had friends at Twitter got verified and had priority standing in algorithms and moderator reports just based on that not on the merit of their posts.

Oh you could also pay Twitter employees $20K under the table to be verified too.

by whywhywhywhy

4/22/2025 at 8:05:38 AM

It started well with good intentions and the initial rollout solved the problem. It then turned into a status symbol and hidden caste system. When Elon took over and turned it into a game, all cred was lost.

by FlyingSnake

4/22/2025 at 8:28:55 AM

It was a "hidden caste system" with no real consequences for people's interaction with the platform. I have approximately zero sympathy with the "anti-bluecheck" resentments that Musk tapped into.

by azernik

4/22/2025 at 12:31:38 PM

When Elon took over; the rules were clearly laid out: buy your checkmark for $7/month (not sure of the price). Pay and you get it; stop paying and you loose it. Everybody knows exactly what it means.

Before that it was: "Someone will give you the checkmark if they like what you say enough and/or if you are deemed 'popular enough' according to an obscure committee; likely a combination of both. But there is a certain threshold above which it does not matter what you way, and you will always be verified". You could loose your checkmark on the whim of some dude who got his latte order wrong in the morning. No one was ever given the rulebook. In fact there was no rulebook. Checkmark just meant "I went to a bar with a Twitter employee and we agreed on a lot of things".

The same thing will happen to Bluesky. The system is akin to how CA and SSL does work with a critical difference. To get an SSL certificate, there is a clear step-by-step guide on how to get it. And after it has been granted it isn't revoked regardless of wether DigiCert agrees with the content of your website.

by IMTDb

4/22/2025 at 1:16:23 PM

>When Elon took over; the rules were clearly laid out: buy your checkmark for $7/month (not sure of the price). Pay and you get it; stop paying and you loose it. Everybody knows exactly what it means.

except then he was also randomly giving out checkmarks to people who didn't want them and specifically told him to remove them

by notwhereyouare

4/22/2025 at 12:16:04 AM

Do you have a better proposal for preventing spam and scam accounts from impersonating users that a lot of people pay attention to?

by idiotsecant

4/22/2025 at 10:53:02 AM

In my humble opinion: The basic premise is itself is wrong. Why should BlueSky (or X or Mastodon) should be the sole arbitrator of truth? Who are these prophets that we need to preserve the sanctity of their messages?

If I want to hear what a journalist has to say, I would go to their official website like NYT or Tagesspeigel and read it there. Should we be interested in what Kim Sang yun or Sebastian Mustermann has said few minutes ago?

The problem of spam and impersonation goes way beyond Blue Checks.

by FlyingSnake

4/22/2025 at 1:07:56 PM

Are you saying that the problems of spam and impersonation are so insurmountable that there’s no point trying to mitigate them?

by brookst

4/22/2025 at 2:59:52 PM

They definitely did not say that and what is this constant need for people on the internet to respond to someone saying "maybe this isn't the right way to do something" with "Oh well then you're saying that something can't be done at all and it's pointless and why even try!!!11"

by pc86

4/24/2025 at 4:41:08 AM

This is some grade A navelgazing. This is an actual, real, practical problem that decreases the signal to noise ratio in these communities. Spammers pretend to be popular people and use it to scam, steal, and otherwise take advantage of people. It's a good thing to reduce that and makes the service better for everyone.

by idiotsecant

4/22/2025 at 1:52:15 PM

In this case, they aren't the sole arbiter. They do happen to be the one that their client is advertising, but they can add others.

You are borderline arguing that information is bad (because that's all a verification is).

by maxerickson

4/22/2025 at 4:38:20 PM

> You are borderline arguing that information is bad

Your words not mine.

I questioned why sites like X or BlueSky or Reddit can be sole in charge of who is "verified" and Real™. We can listen to what the Journalists, UN officials etc have to say on their own media websites, right?

Too much news is bad for us anyway [1]

[1]: https://news.ycombinator.com/item?id=5549054

by FlyingSnake

4/22/2025 at 2:58:43 PM

Why should BlueSky (or X or Mastodon) should be the sole arbitrator of truth?

Are they the sole arbitrator if they simply use a DNS record?

That's the same tech used to verify their official website.

by k__

4/21/2025 at 9:43:57 PM

Some employees aren't even verified!

I hear you. I haven't investigated every account that got the badge, but it feels to me like they picked people who are both technical and engaged with the protocol, so not entirely arbitrary. That naturally will have some correlation with "I know someone at bsky". I know I've seen accounts that I think are cooler than I am who didn't get verified yet! I'm sure they'll be expanding soon, which will dilute this sort of association.

by steveklabnik

4/21/2025 at 10:20:18 PM

I can empathize with their position; I know this is something the community, especially the newer users coming from the continued rapid degradation of Twitter, are asking for.

The concept of verification and Bluesky's original mission of decentralization are two very at-odds concepts, and I think they've bridged that pretty well and left a lot of options for themselves to expand it in the future. I'm just worried about the very visible parallels to the Twitter ecosystem emerging.

My opinions on this will change if I join the verified elite, in case any bsky employees are in the thread.

by joshuaturner

4/21/2025 at 11:36:28 PM

> The concept of verification and Bluesky's original mission of decentralization are two very at-odds concepts,

Not necessarily. Consider the PGP Web-of-Trust model. Centralization of trust is choice, nothing inherent in verification as such.

by 3np

4/22/2025 at 11:49:54 AM

An imperfect system is still better than nothing. Look what happened to Twitter with the removal of its verification (before feckless Musk had driven it fully into the ground).

by vehemenz

4/21/2025 at 9:21:44 PM

It seems to me this feature would be much better if users could subscribe to verifiers the way they can labelers, perhaps with the official verifier subscribed by default. The current implementation feels centralized in a way that conflicts with BlueSky's stated goals.

by Zak

4/21/2025 at 9:39:07 PM

I'd agree that would be nice, but at least they can change into that in the future if they want.

Hilariously, it's kind of less centralized than I expected: there's no "Bluesky is the web of the root of trust" here, only "Bluesky chooses which records convert to UI" which leaves the whole system open for others.

by steveklabnik

4/22/2025 at 1:48:32 PM

After further consideration, I think the entire idea is a mistake. Labelers already provide a way for anyone to assert things about an account, which could include "@bsky.app says this account belongs to a famous person".

It would be better to lean into BlueSky's feature set than to mimic Twitter.

by Zak

4/22/2025 at 3:08:54 PM

Labelers have different semantics, I agree that you could do it that way, but there's also good arguments that that's not the right use-case. Changing my personal information won't invalidate labels, for example.

by steveklabnik

4/22/2025 at 3:39:21 PM

They do have different semantics, but the more I think about it, the more I think that's better.

The blue check on your account doesn't tell me what about the account has been verified. It probably means you're the Steve Klabnik that shows up a bunch of places in a web search, but that would mean much less if someone else also had that name and a web presence.

Your verified domain name tells me much more, but I recognize that's not the right verification approach for everyone. What I think would be more meaningful is labels like "@rust-lang.org says @steveklabnik.com is a Rust core developer" or perhaps a label with some metadata given special treatment in the UI showing mutual affiliation, e.g. "@rust-lang.org and @steveklabnik.com say they're affiliated with each other".

Edit - a further refinement: instead of verificatiions, allow accounts to feature labels placed on them by others for special treatment in the UI.

by Zak

4/22/2025 at 4:10:00 PM

That’s how this feature works. If you click on the blue check, it even shows which account did the verification.

It’s true that it’s not generally exposed yet. We’ll see if they do. I think that would be neat but I also am unsure if that’s what non-power users truly want.

by steveklabnik

4/22/2025 at 4:25:05 PM

It's close, but it falls short on two points: verification doesn't tell me what the verifier is asserting about the account, and the current implementation doesn't embrace decentralization, at least in the UI.

by Zak

4/22/2025 at 4:36:40 PM

Yeah, the first is true, it only asserts that there is a "relationship" between the accounts.

The second, yeah, it's that the UI doesn't expose it. But the underlying APIs exist.

by steveklabnik

4/21/2025 at 11:33:57 PM

It's great for preventing notable accounts from being impersonated, I spend a lot of time on Bluesky and impersonation of notable accounts has been a real pain, verification largely solves this problem and I'm very happy about it.

by 0x0boo

4/21/2025 at 9:06:56 PM

I wish it'd work like labelers and other moderation features: with users able to choose which verifiers to use. I trust the NYT as far as I can throw them when it comes to verification, for example, whereas I'd be interested in something flagging Bluesky employees or contributors to a given GitHub repository or whatever other bizarre things people would use this for like they already use labels.

by yellowapple

4/22/2025 at 12:16:33 AM

> I trust the NYT as far as I can throw them when it comes to verification

You don't trust the NYT to verify its own reporters?

Also, why do you say that in any circumstance? Who do you trust?

by mmooss

4/26/2025 at 7:43:17 AM

> You don't trust the NYT to verify its own reporters?

What happens when those individuals stop being NYT reporters? Does @nytimes.com leave them verified? Or does that account yank the verification? And who's to say @nytimes.com is only verifying NYT reporters?

> Also, why do you say that in any circumstance? Who do you trust?

People I've met in person, for one. Bluesky has an opportunity to make the old-school web-of-trust idea mainstream, with UI around "Is this someone you've met face-to-face?" and then extending that with multiple levels of checkmarks based on how many degrees of separation exist between a given user's verified personhood and your own.

Organizations actually accountable to the general public, for another. Not some corporation, even if it's a publicly-traded one like the NYT. This is the exact sort of thing that government agencies could be implementing independently as a service to their residents (like I mentioned elsewhere). Or private-sector non-profits; Associated Press would be much more trustworthy than the NYT by that virtue alone, and yet @apnews.com ain't even verified at all, let alone given the magic "trusted verifier" powers. Why?

Barring that, I trust nobody. A blue checkmark doesn't convince me someone's "real". It just convinces me someone got a blue checkmark. I'd rather see that checkmark actually mean something that I can independently verify. Keybase had the right idea there, with the ability to add proofs to your various online accounts to assert "yes, these belong to the same person"; that would be something worthy of some checkmarks. I'd be thrilled to see little icons for "yes, there's a bidirectional connection between @foo.bsky.social and github.com/foo / reddit.com/u/foo / news.ycombinator.com/user?id=foo / etc.".

by yellowapple

4/22/2025 at 8:54:22 AM

How should you verify that they only verify their own reporters?

by immibis

4/22/2025 at 2:08:04 PM

If they really wanted to verify a non-reporter as a reporter, they could give someone a salary of $1/year and then they would actually be a "reporter".

by yifanl

4/21/2025 at 9:38:07 PM

What's good is that the technical design here allows them to pivot into that if they choose, and alternative clients can already do that if they wish.

by steveklabnik

4/22/2025 at 6:43:59 PM

The NYT account on Bluesky does nothing besides make automated posts linking to their own articles. Why would account verification even matter in that case? It is in effect just a spambot. It posts links and doesn't engage with responses.

by rchaud

4/22/2025 at 1:26:08 AM

What's your concern with the NYT? Do you think they are incompetent and might verify people who are not who they say they are, or do you think that they are malicious and will deliberately verify bad actors, or something else?

by simonw

4/22/2025 at 2:10:05 PM

Bluesky could always revoke NYT or any other 3rd party verification site if they abused it. The bsky community would identify bad verifications very quickly.

by ChicagoDave

4/21/2025 at 11:49:44 PM

[dead]

by pinoy420

4/22/2025 at 4:28:38 AM

In the core team's clients, if the 'verified' account changes its display-name and/or handle, does the blue check stay, disappear, or do some secret third thing?

by gojomo

4/22/2025 at 3:09:16 PM

I haven't tested it, but with my understanding, it should disappear.

by steveklabnik

4/21/2025 at 9:22:54 PM

Do you have any insight on how was this initial batch of verified users selected?

I’m on Bsky as well but haven’t seen any such updates.

by throwaway642012

4/21/2025 at 9:41:37 PM

I have no real insight. I do know that I am a big fan of Bluesky/atproto and post about it fairly regularly, and enjoy being friendly with the devs. They verified just over 200 accounts, and most of them are news organizations and their employees, and the rest are programmers who regularly use the site and/or engage with the protocol.

I think this makes sense, because 1. most people want this sort of feature for news and 2. the kinds of people they verified technically are likely to play around with it and see how sound it is, which is who I'd want to be kicking the tires.

I'm not sure when they'll verify more people, but this is only the beginning, for sure.

by steveklabnik

4/21/2025 at 5:05:45 PM

> Bluesky’s moderation team reviews each verification to ensure authenticity.

How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the bluecheck feature when there's a corporate power struggle.

[1]: https://news.ycombinator.com/item?id=35012757 [2]: https://bsky.app/profile/pfrazee.com/post/3jypidwokmu2m [3]: https://www.newyorker.com/magazine/2025/04/14/blueskys-quest...

by greyface-

4/21/2025 at 5:12:20 PM

I don't see how it's incompatible.

The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that not enough verification badges were handed out. It's not exactly a dangerous situation.

Bluesky's idea of verified orgs granting verification badges to its own org members would be an example of a much more robust and hands off system than what Twitter had.

The dangerous scenario is what happened to Twitter after the Elon takeover: verification becomes meaningless overnight while users still give the same gravity to verification badges which causes a huge impersonation problem. But that possibility is not a reason to have zero verification.

by hombre_fatal

4/21/2025 at 7:07:27 PM

The problem I had with twitter was the check was supposed to mean one thing and one thing only: that the person was who he or she claimed to be.

What twitter starting doing was removing blue checks from people who were causing problems for the platform (but not behaving bad enough to kick off). This made no sense because people still needed to know if a person was who he claimed to be (e.g., Milo Yiannopoulos) even if the person was controversial or problematic or just plain nasty.

Blue Checks weren't "gutted". Now they just mean something else -- you're a premium subscriber.

by fortran77

4/21/2025 at 7:12:47 PM

This is absolutely correct—I remember quite clearly how it all went down. When Twitter first rolled out verification, it was supposed to ensure that the person you were following or interacting with was the person they claimed to be.

by wyclif

4/21/2025 at 8:04:35 PM

This was also because there were so many people setting up fake accounts using real celebs. The most famous of which was probably the Dave Chapelle, Kat Williams story that Chapelle tells where a fake Chapelle account was feuding with a fake Kat Williams account.

https://www.youtube.com/watch?v=7_Egh9mW5y4

by burningChrome

4/22/2025 at 11:25:19 AM

I use the word "gutted" to refer to the level of trust in the old system that was abandoned in the identical-looking new system.

The correct way to have rolled that out would have been a brand new icon, but they wanted to cash in on the reputation of the old system. "Now you can pay for this once-coveted badge!"

by hombre_fatal

4/22/2025 at 1:26:46 PM

They sort of did because there's the grey and gold checks for government officials and official corporate accounts.

by fortran77

4/21/2025 at 9:30:08 PM

The problem is that X (formerly Twitter) is still calling blue checks "verified". Even though nothing about the account is verified. It's deliberately misleading.

by NelsonMinar

4/21/2025 at 6:22:44 PM

What’s stopping me from making an org that hands out verifications to anyone?

by righthand

4/21/2025 at 7:44:53 PM

Nothing: anyone can hand out verifications to anyone they'd like.

Now, how those are displayed is up to the display software. BlueSky themselves get to decide who gets a blue check based on verification records, but if you wrote your own software, you could do whatever you'd like. There's a bsky fork that already has an account option to let you hide blue checks in your own view.

by steveklabnik

4/21/2025 at 8:07:36 PM

If anyone can hand out verifications to anyone they like then we’re back to square one. Why do we need these “Blue Checks”? It feels like BlueSky is trying to reclaim the lost clout for some of their influential users.

by FlyingSnake

4/21/2025 at 8:10:46 PM

It's in line with the protocol design. If only BlueSky themselves could verify, that'd be too centralized.

Mind you, just because anyone can create a verification record doesn't mean that the default client shows them.

> Why do we need these “Blue Checks”?

Normie users care about this sort of feature.

by steveklabnik

4/21/2025 at 8:20:43 PM

> Normie users care about this sort of feature.

That’s a really weak argument because normie users want TikTokified social media with a clout based caste system. I thought BlueSky had a different goal in mind.

by FlyingSnake

4/21/2025 at 11:01:31 PM

BlueSky wants to make a social media platform that normies want to use. The whole idea is to design a protocol that can achieve huge scale and behave a lot like existing social media apps (which people "like") while still being open and flexible.

by anon7000

4/21/2025 at 11:28:51 PM

> BlueSky wants to make a social media platform that normies want to use.

If true, they are failing—badly.

by erichocean

4/22/2025 at 7:25:22 AM

Even if that were true, which it's very easily argued not, that would be even more of an impetus to implement things that "normies" want, not less.

by krainboltgreene

4/21/2025 at 8:23:27 PM

Bluesky cares about both audiences.

by steveklabnik

4/22/2025 at 1:15:23 PM

>Normie users care about this sort of feature.

They don't, but the original Twitter Bluecheck elites who ran to Bluesky really do

by whywhywhywhy

4/22/2025 at 3:06:25 PM

That's not what I'm seeing, but you do you.

by steveklabnik

4/22/2025 at 10:18:08 AM

I'm not sure about the details of the protocol (maybe someone can check?), but the client software can probably distrust certain trusted verifiers or even use a public list of such revocations. If this opportunity is exploited by malicious actors, there must be a simple and fast escalation path to revoke verification (you complain to verifier, then to maintainers of revocation list).

by ivan_gammel

4/22/2025 at 3:07:30 PM

> the client software can probably distrust certain trusted verifiers

Any client can do whatever they want with the information, that's right.

> or even use a public list of such revocations.

Revocation is deletion, so it's hard to enumerate revocations.

by steveklabnik

4/23/2025 at 8:39:20 AM

> Revocation is deletion, so it's hard to enumerate revocations.

In decentralized design it is not. A server can continue to list verified accounts, a 3rd party revocation list may mention some of them, a client will show only accounts not in the list as verified.

by ivan_gammel

4/22/2025 at 8:30:29 AM

We need the blue checks to combat impersonation attacks. If a malicious actor pretends to represent a New York Times journalist, or your bank, or a government agency, you don't want users to be tricked into believing them.

by azernik

4/22/2025 at 10:05:33 AM

Verification is a different thing than a "blue check". I might be against blue checks, but for sure I'm for anyone being able to hand out verifications. It creates a web of trust, and ideally one can choose who they trust and how many transitive levels.

by tasuki

4/21/2025 at 6:30:18 PM

Presumably a contractual agreement with BlueSky. Trust needs to stem from somewhere, so you’re either looking at a web-of-trust model where somebody (BlueSky or BlueSky clients) makes decisions on what sign-offs to trust, or you trust BlueSky to perform due diligence on partner orgs that provide this service and to hold them accountable when that trust is breached.

The WoT model works but as GPG has shown it requires your end users (people? BlueSky client developers?) to manage who they trust as an authority on anything.

by d4mi3n

4/21/2025 at 7:02:28 PM

Your profile says you're a security engineer, so I'm hoping you can help me understand.

What was the problem with the current DNS system? I definitely think there could be improvements like displaying domain instead of TLD but still.

And why not move into a system like multiparty keys? Keys assigned by domain holder, need to be signed, and verified accounts must login with a private key that validates. That way you don't just get that the account is validated but the post is too. Yeah, this would require more technical expertise to do but the organizations we're usually most concerned about would have no problem with that. Besides, tooling gets easier when there's meaningful pushes to make it available to general audiences

by godelski

4/21/2025 at 7:18:49 PM

There was once Handshake, but they failed mainly because they didn't want to work along side the current system, they wanted to replace it completely with a blockchain. It's actually one of the good use case IMHO, but their leadership didn't want to play nice with what we already have so transition could happen smoothly

by verdverm

4/21/2025 at 7:50:36 PM

What is appropriate here really depends on what properties BlueSky wants to assert about it's ecosystem.

> What was the problem with the current DNS system? I definitely think there could be improvements like displaying domain instead of TLD but still.

As commenters earlier in this thread have noted, one property BlueSky claims it wants to develop/maintain is resistance against BlueSky itself becoming an adversarial party--say in the event it is bought out by an eccentric multi-billionaire who may take steps to discredit certain parties or reduce their reach or reputation.

I don't think the current DNS verification methodology helps or hurts in a BlueSky is hostile scenario. I think the only issues with the current DNS username verification system as I understand it are the same issues with any DNS based verification system in that vanilla DNS was not a protocol designed to be resistant to adversarial use and as a result there are many ways for people to tamper with DNS records, DNS queries, and confuse systems that incorrectly trust DNS records to be trustworthy or well-formed. DNS cache poisoning is a thing. Domain takeovers have and will continue to happen.

Now, if we're talking about what technologies are suitable for username verification in a word where BlueSky is adversarial, we have a very different conversation. I think the scope of such a scenario extends a lot further than usernames. If your primary interface into the AT Protocol feed is the BlueSky website or the official BlueSky application, you are trusting BlueSky to validate usernames. An adversarial BlueSky could easily decide if your interface marks someone as trusted or untrusted without your knowledge.

The only way I could think to avoid this would be to use a different interface to the global feed, but then you run into new problems that are more difficult to avoid: the fact that most BlueSky users don't host their own data (though this is doable with https://atproto.com/guides/self-hosting). BlueSky also manages the global feed, so barring a competitive global index, you'll still be consuming a feed curated by BlueSky's AT Protocol services and implementation.

I'd close this by saying I am _not_ an expert in the AT Protocol, BlueSky's systems, or this space in general. This is a very fast and loose risk assessment I made after reviewing the AT Protocol and a bit of research on how BlueSky says it provides it's services. My current assessment is that if the community wants to be robust against BlueSky becoming adversarial, there needs to be a lot more support for self-hosting of PSPs and similar data stores, alternative global indexes, and likely also independent governance of the AT Protocol itself.

by d4mi3n

4/21/2025 at 8:54:19 PM

Thanks for the insights and disclosure. While maybe not a expert in the AT Protocol, certainly you are closer to the issue than myself and presumably most users.

Were you given the ability to make a trustless or more decentralized system is there some route you would pursue? Maybe ignoring the AT protocol so I (and others?) can get a better sense of how such systems might be employed to ensure that an arbitrary organization can build defenses against themselves becoming adversaries (seems like a fairly useful mindset in general).

by godelski

4/21/2025 at 10:07:00 PM

> Maybe ignoring the AT protocol so I (and others?) can get a better sense of how such systems might be employed to ensure that an arbitrary organization can build defenses against themselves becoming adversaries (seems like a fairly useful mindset in general).

There are ways to do this, but being trustless in the context of a social network is a thorny problem I'm not sure I can provide an answer to. The whole purpose of such networks is to enable communication with people you may not necessarily know (or trust). Furthermore, you implicitly trust the medium in which you use to communicate (BlueSky, Twitter, SMS, Zoom, etc.).

There are ways to make things difficult for a service provider; you see many of them in high security contexts. For example, when storing data on AWS GovCloud or similar, you have the option have AWS use user or company provided encryption that they do not have control over. Should AWS be compromised in some way, they would still need to have your cryptographic keys in order to access unencrypted data (https://docs.aws.amazon.com/AmazonS3/latest/userguide/Server...).

Another approach is message signing. An example of that is PGP signing of emails or files. You can use these cryptographic signatures to verify a message (email) or binary blob (file) has not been tampered with.

Another common approach, which you have alluded to, is some kind of multi-party scheme. Many cryptographic blockchains are good examples of this: You need a majority of parties in such schemes to agree on something for it to be considered valid or true.

A combination of these things can be used to make it more difficult for a service provider to be compromised or act against their user's interests. Sadly, this does not make it _impossible_ for them to do so. A user or customer who doesn't want to tolerate the worst case scenarios here still needs to make their own back ups, decide what entities to trust, and ensure they have robust procedures for doing things like trusting new entities or managing cryptographic material.

I'll also note that there are in fact live examples of such systems if you look for them. See IPFS for one such example: https://ipfs.tech/

by d4mi3n

4/21/2025 at 6:32:07 PM

Bluesky's moderators, apparently.

> For example, the New York Times can now issue blue checks to its journalists directly in the app. Bluesky’s moderation team reviews each verification to ensure authenticity.

by derefr

4/21/2025 at 7:34:39 PM

That sounds in conflict with “The company is a future adversary”

by dymk

4/21/2025 at 9:47:55 PM

It's no more than any client only showing the information it wants to; anyone can verify anyone else, without permission from the company. Any client can surface this information in any way they'd like, without permission from the company.

by steveklabnik

4/22/2025 at 7:34:33 AM

Regardless of the intent or future this is an incredibly neat rhetorical trick that Bluesky's designers have pulled. Any semi-motivated contrarian can make the required arguments for either concern. It even happens to be true!

Meanwhile every mastodon discussion required (requires?) someone who deeply understands the system to spend "10 comments deep" energy just to arrive at a much less amenable position.

Signed, a person who was that someone.

by krainboltgreene

4/21/2025 at 7:15:59 PM

Nothing, however AppViews like Bluesky decide which verifiers they trust. An AppView could also allow for user choice, like how algos and moderation work.

by verdverm

4/21/2025 at 9:44:48 PM

deer.social already allows users to set a preference to turn off all verification badges, for example.

EDIT: so does bksy.app, actually.

by steveklabnik

4/22/2025 at 6:21:31 AM

There are also labelers emerging to hide, mute, or block verified accounts... for those who are really zealous against the concept

by verdverm

4/22/2025 at 3:09:54 AM

The fact they have to be reviewed by bsky before verification? It's in the article if you actually read it.

by waterTanuki

4/21/2025 at 6:46:23 PM

The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that verification badges were merit and nepotism and not identity based

by TiredOfLife

4/21/2025 at 7:02:58 PM

That’s not true though. They were for journalists and public figures.

by mattl

4/21/2025 at 7:33:14 PM

Here is probably the most well-known instance of Pre-Musk Twitter removing blue checks from the accounts of public figures for reasons other than the account not being who it claims to be:

https://techcrunch.com/2017/11/15/twitter-removes-verified-c...

Not pictured: innumerable other accounts which were never granted a blue check in the first place, despite being the easily verifiable real accounts of journalists and public figures.

It was de facto a caste system of political favor and connections.

by comeonbro

4/21/2025 at 8:08:18 PM

Nearly everyone I interacted with on Twitter (pre-Musk) got their verification badge by essentially being in the San Francisco tech community.

No matter how prominent someone might be on this side of the Atlantic, it never mattered, meanwhile mid-managers and coders at no-name startups had blue checks because, I mean, they knew someone at Twitter- and who else is verifying people? I don’t really fault them for verifying people they personally knew.

But it meant that you had a situation where (and no offence meant to them) “nobodies” (as in, non-promenant figures) were “in the club” with heads of state, companies and heads of industry.

So there was a definite whiff of nepotism, because it was a de-facto status symbol.

by dijit

4/21/2025 at 9:06:47 PM

Yep, same with "journalists". Publication companies were given a fast-track process that basically allowed them to hand out verifications to anyone who ever had a byline with them. The most reliable way to get verified was to sell some words to an online news website. It didn't matter how notable you or the publication were.

When GP says "that’s not true though" I can't even tell which part he is talking about. This is fairly recent and well-documented stuff.

by albedoa

4/22/2025 at 12:04:10 PM

Except journalism was happening on Twitter, so by restricting verification to more or less legacy media—-an elite circle of Columbia/NW/Ivy grads that is what, 5% merit-based—-it becomes somewhat of a caste system.

by vehemenz

4/21/2025 at 9:54:57 PM

Why is it "meaningless overnight" on Twitter? Twitter knows who you are if you're paying them montly. Ergo, you are "verified".

by ein0p

4/22/2025 at 2:20:25 AM

Because the original point of it was to distinguish journalists and public figures, so you could tell imposters apart from real people. Now its purpose is to show who has a premium subscription. Totally different feature using the same name.

by lexandstuff

4/22/2025 at 3:00:31 AM

But not all "journalists and public figures" received the checkmark. It was entirely up to the ultra-woke Twitter management who gets a checkmark and who doesn't. I frankly don't see why the current, deterministic setup is better than the former non-deterministic one.

by ein0p

4/23/2025 at 6:30:18 AM

You don't know what "ultra-woke" even means. And citation is needed on "deterministic".

Unless you mean deterministically ultra-fascist.

by DonHopkins

4/22/2025 at 4:56:34 AM

Ultra-woke Twitter? What the hell are you blathering about?

by darthrupert

4/22/2025 at 7:32:12 AM

This, specifically: https://www.esquire.com/style/news/a45458/jack-dorsey-stay-w...

by ein0p

4/22/2025 at 9:22:19 AM

Now it's ultra-racist ultra-fascist Twitter management. Do you actually think that's better? Why are you whining about "woke" people who have long since been fired, but embracing the racists and fascists who are now running and being platformed and amplified on Twitter?

Yes, "Twitter". If Elon Musk can publicly abuse, humiliate, lie about, deadname, and misgender his own daughter to his millions of followers, than I can deadname Twitter.

by DonHopkins

4/23/2025 at 1:21:11 AM

[flagged]

by ein0p

4/22/2025 at 12:06:46 PM

It’s easy to pay for things anonymously, so no, your conclusion does not follow even if you say “ergo.”

by vehemenz

4/23/2025 at 1:22:35 AM

Do tell how I could get an "anonymous" credit or debit card - the only accepted payment methods.

by ein0p

4/22/2025 at 12:39:05 AM

Same as the current labeling/moderation service: any participant can verify any other participant. Which verifiers gets a check to appear is a property of the AppView.

If Bluesky becomes evil, you just configure your AppView not to trust their verifications.

Of course, that's the problem: right now we mostly have one AppView (bsky.app), which is the current SPOF in the mitigation plan against the "Bsky becomes the baddies" scenario.

by snotrockets

4/21/2025 at 7:34:27 PM

What happens when the government of Turkey objects to your verification?

by tedunangst

4/21/2025 at 8:18:16 PM

Coming soon from Bluesky: per-country verification.

by wmf

4/21/2025 at 9:21:50 PM

That'd certainly be a neat feature: national/regional/local governments running their own verifier accounts and providing Bluesky/ATproto verification to their residents.

by yellowapple

4/21/2025 at 6:31:08 PM

Not convinced by this.

We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.

by ajb

4/22/2025 at 3:15:29 AM

What's missing from the blog announcement is that on the at protocol, anyone can publish a verification of any account. It is then up to each client to decide which verifiers to display / trust / etc.

With that in mind, it seems like bluesky is trying to thread the needle on providing tools for the community to do their own verification (via the protocol) while also making their own client "notable user" friendly (via blessed verifications that show blue checks).

I also don't see why it wouldn't be possible for someone to build a labeler that shows verifications from non-bluesky blessed sources. Then community members could subscribe to that labeler to get non-blessed verifications that they choose to show. It wouldn't show up as a blue check but it would still show up on the user's profile in bluesky.

It would look something like this existing "verification" labeler that doesn't use the underlying verification feature on the protocol but instead has to maintain the data in a 3rd party store: https://imgur.com/a/tXR4FUu

Additionally, third-party clients like Pinksky or Skylight could choose to show blue checks or whatever UI for any verifiers they choose. All the data is on the protocol now, so the 3rd party clients wouldn't need to do the verification themselves.

by healsdata

4/22/2025 at 6:09:02 AM

Very interesting; thanks. So it is possible on the tech side, but needs organisations to take advantage.

by ajb

4/22/2025 at 12:41:41 AM

Human social trust works great at small scale. You go to Jim the butcher because everybody you know in town regularly goes to Jim the butcher and they know he's been making meat pretty well for a long time.

An automated version of this system might say "we verify anybody who at least N people within 3-4 steps of your followers graph are also following."

In a big city, you go to the store that's labeled "Butcher" and figure that, because the building is quite permanent and there's a lot of butchery stuff in there and it seems clean and there are people going in and out, then it's probably a fine butcher shop. No real "social" trust involved.

An automated version of this is probably domain checking, follower count, checking that N other 'verified' accounts follow it, some basic "is this a known malicious actor" checks, waiting until the account has some age, etc. Still kind of distributed, but not really relying on your own social trust metrics.

What's fun is that Bluesky allows you to implement both of those mechanisms yourself.

by CobrastanJorji

4/21/2025 at 6:48:20 PM

I don't see what the problem was with using domains. If you're trying to claim you work for NYT then get a NYT verified account?

And what ever happened to Keybase? That seemed like a good solution. Verify by public private key? It really seems like that could be extended. I mean we have things like attribute keys and signing keys. It seems like a solvable solution but just the platforms need to create a means for the private bodies to integrate their keys.

Hell, I wish we'd have verification keys for cops and gov employees. So me a badge? No, show me a badge with a key I can scan and verify your identity. It's much harder to forge a badge with a valid key than it is to forge a badge that just looks good enough

by godelski

4/21/2025 at 7:46:44 PM

> If you're trying to claim you work for NYT then get a NYT verified account?

Part of the problem here is consistent identity over time. People do not like changing their handles unless they want to. I'm steveklabnik.com now, but if I started working at the NYT, and had to switch to steveklabnik.nyt.com, old links break to my posts, etc. And what happens if I want to be verified by more than one org at a time? Domains (at present) can't do that.

by steveklabnik

4/21/2025 at 9:05:18 PM

  > old links break to my posts

Do they? I didn't observe any breaks when I did my DNS verification.

  > People do not like changing their handles unless they want to

I don't see it that way. On both twitter and BlueSky there are two handles. I'm sure there's a better term, but let's say "display handle" and "address handle". (On HN they're the same) People are paying attention to the Display Handle and not the address one. Most of the time the address one is even cut off and is partially hidden anyways.[0]

  > what happens if I want to be verified by more than one org at a time?

First off, it doesn't seem like Bluesky's implementation will do this so I'm not sure why it is being brought up into this conversation.

Second off, I agree that this is a desirable thing to have. It is why I was suggesting something similar to keybase (keyoxide?) or attribute keys. It definitely seems like Bluesky is intending to do something similar to the attribute keys but there's some details lacking and seems like an existing verified user needs to vet an entity prior to their ability to distribute keys. I'd also be quite happy if there was a publicly visible ledger so one could see former verifications (it's all visible via the firehose anyways, right?).

[0] And there's the classic problem on typing "@" and then the person's name and not actually finding them because the search system is fucked up and is looking for the address handle. I've seen this on both sites, more frequently twitter, and even when typing the address handle directly. Apparently this is a harder problem than I'd have thought (particularly replying to someone in the thread...)

by godelski

4/21/2025 at 9:54:44 PM

> Do they? I didn't observe any breaks when I did my DNS verification.

I went to one of my posts and clicked "copy link to post." that gives me an URL like this:

https://bsky.app/profile/steveklabnik.com/post/3lndppxy7xc2a

If I change my account to `steveklabniklol.com`, then this URL wouldn't work, as that url turns into

https://bsky.app/profile/steveklabniklol.com/post/3lndppxy7x...

See here for more: https://github.com/bluesky-social/social-app/issues/1221

> People are paying attention to the Display Handle and not the address one

I agree, and that's why people don't like changing it.

> it doesn't seem like Bluesky's implementation will do this

It does.

by steveklabnik

4/23/2025 at 7:06:31 PM

  > I went to one of my posts

Sounds like this could be solved by redirects? Sure, may get a little confusing if/when someone takes that username after it was abandoned but it seems worth the trade given the implementation. Really it depends on how they're handling the links. I'm not a web person so this may be very naive, but it definitely seems like a solution is that all handle-based links are really just proxies for DID based links. If they're all DID on the backend, then I don't see the problem. You're just building a growing ledger (which is happening anyways and seems like a bigger problem). Of course I'm willing to acknowledge my naivety here and wouldn't be surprised if I'm working with a bad mental model that's leading to poor solutions. If this is a terrible solution I'd appreciate the learning opportunity so I can better understand.

by godelski

4/25/2025 at 5:13:22 PM

You've got a handle on it, roughly. The issue is exactly when/if someone takes a username. The tension is between links using the did, which wouldn't ever break, and the nice URLs that normal people expect to see. If that didn't exist, they could just always use the DID link and it would be fine.

But regardless of what could be done, I'm just talking about what is the case right now. Which is that they break.

by steveklabnik

4/21/2025 at 10:00:13 PM

This seems like a perfect use case for `alsoKnownAs` being an array (which is already the case AFAICT). My primary handle (i.e. the first entry in the array) would still be @yellowapple.us, but with secondaries under the domains of affiliated orgs.

by yellowapple

4/21/2025 at 10:07:42 PM

Yep, I'd love to see it, and you're right that it is.

I think that doing this raises a lot of product questions, so I'm not shocked they haven't done it. But I'd like it if they would.

by steveklabnik

4/21/2025 at 7:49:17 PM

I feel like this could be solved with organizations like Github. Steveklabnik.com can belong to the NYT umbrella org. Like on Github, you can either be kicked out or leave the org if you wish.

by 9283409232

4/21/2025 at 7:50:47 PM

Right now, while it's possible to have a DID associated with multiple domains, the Bluesky app view only supports the first. Doing something like this could work, but would be a larger lift.

I do agree that multiple domain-based identities would be a nice feature though.

by steveklabnik

4/21/2025 at 6:57:12 PM

> And whatever happened to Keybase?

They got acquired by Zoom and promptly put Keybase into maintenance mode.

by detectd

4/21/2025 at 7:04:34 PM

> I don't see what the problem was with using domains.

DNS for your average user is too complicated. Also what should the domain name be for a journalist at the NYT? What if they leave the NYT?

by mattl

4/21/2025 at 7:15:26 PM

  > DNS for your average user is too complicated.

The average user doesn't need verification either.

In fact, I don't think I want most users verified. It then creates a reverse incentive where anonymous accounts are distrusted by default and too much trust is given to verification. An important part of a system with free speech and not governable (the point of distributed) is to be able to freely speak. Sometimes that means hiding your identity. Especially for those in countries or societies with particularly authoritarian rule. The best way to keep people quiet is to make them afraid of their neighbor.

  > what should the domain name be for a journalist at the NYT?

AliceBob@NYT

  > What if they leave the NYT?

AliceBob@bsky.social

Everyone has the bsky.social handle, so you revert. I'd even be happy if optional profiles could show former affiliations. But it doesn't seem like a big problem. I mean NYT shouldn't be verifying a journalist if that journalist is no longer at NYT. Their new employer should.

by godelski

4/21/2025 at 6:35:58 PM

Are there any good examples of a working "vouch" system? I vouch for a few friends, they vouch others, etc. But if my credibility is revoked, everyone downstream of me is either yanked or needs a new voucher.

by TheJoeMan

4/21/2025 at 6:45:46 PM

A long time ago there was this “web of trust”, I don’t think it exists anymore. Was one of the big CA and you could get different certificates through some form of vouching, I think it even went as far as meeting people to show your ID and then they sign you or something. As it was run by a big CA, not really distributed but IIRC they kept their involvement minimal. It’s been a long time but if you’re curious maybe look into that

by fp64

4/21/2025 at 6:55:52 PM

It might have been Keybase?

Keybase got acquired back in 2020 and it's popularity -- at least among cypherpunks, seems to have dropped off.

https://keybase.io/

by runjake

4/21/2025 at 6:59:57 PM

Keybases popularity falling off a cliff isn't really surprising, their venture into shitcoinery already put them on thin ice with the anti-cryptocurrency crowd, and then development basically ceased overnight after the Zoom acquisition. I don't know why they're even bothering to keep the lights on, it's been five years of radio silence at this point.

by jsheard

4/21/2025 at 7:05:58 PM

keybase had promise early on but kinda lost the plot. the vouching system was neat in theory but never really caught on outside a small circle. the crypto stuff definitely didn’t help, and once zoom bought them it was basically a ghost town, no roadmap, no real dev activity, just inertia.

feels like identity + trust systems keep coming back around but never quite stick. maybe too hard to balance usability, decentralization, and adoption all at once.

by lgiordano_notte

4/21/2025 at 11:08:01 PM

I tend to think the ecosystem is vastly dominated by established solutions. In order for a New Thing to win, it needs to be at least an order of magnitude better and more usable, or the network effect obliterates it.

by binary132

4/22/2025 at 2:22:43 AM

Could it also be that social media sites depend on commingling “daily active users” vs “number of unique humans” for having high numbers? A web of trust would establish one live person per account, somewhat like Facebook had a policy for.

by TheJoeMan

4/22/2025 at 4:20:15 AM

Keybase was great. The idea behind it (using private key to prove your identity) is the idea behind some of the default methods for the Decentralized Identifier (DID) standard: https://www.w3.org/TR/did-1.0/

There are some good ideas there (and Bluekey uses DIDs: https://atproto.com/specs/did)

by nl

4/21/2025 at 7:06:14 PM

I feel like keybase was a good idea but needs to be redone. I guess there's keyoxide (any other?). What are people's thoughts on that?

https://keyoxide.org/

by godelski

4/22/2025 at 9:29:59 AM

You'll find that most self-described "CypherPunks" are just "CryptoShills".

by DonHopkins

4/22/2025 at 2:24:49 AM

You're thinking of the Thawte Web of Trust: https://en.wikipedia.org/wiki/Thawte which was run by Mark Shuttleworth (now of Canonical). The certificates were used for email, not for SSL. I lost track of what happened to it after CACert took over.

by ghewgill

4/22/2025 at 4:58:38 AM

Yes, exactly! Thank you!

by fp64

4/21/2025 at 6:54:34 PM

CACert.org, but they were never included in any major trust store.

by duskwuff

4/21/2025 at 9:17:11 PM

There is a p2p social network (as in, people offering there services whatsoever) in France that does exactly this: it's called "Gens de confiance". It works well, although it creates kind of a gated community (as intended: it is mainly meant for upper-class social circles).

by aunetx

4/21/2025 at 6:47:16 PM

My initial thought is about GPG's "Web of Trust" system for trusting strangers' keys. But I don't know if that's a very good example since it always seemed somewhat esoteric and maybe not very successful in general.

by benwilber0

4/21/2025 at 6:47:32 PM

"Working" would be a stretch, but this is how "web of trust" systems like PGP are supposed to function. Although I would say the BlueSky system sounds like it could skirt some of the pitfalls of web of trust because verifiers can also be trusted to revoke verification.

by giaour

4/21/2025 at 11:11:56 PM

certificate authorities…?

by binary132

4/21/2025 at 6:36:53 PM

I think the more exclusive private torrent trackers usually work on that basis.

by jsheard

4/21/2025 at 6:39:54 PM

ArXiV. Though they don't revoke papers that way

by godelski

4/21/2025 at 9:51:18 PM

Google Pagerank

Could use follows, retweets, etc instead of page links

by paulsutter

4/21/2025 at 7:21:39 PM

Apps on ATProto get to decide for themselves. Another Bluesky client, or a completely different app, can make different choices. Users can then decide which interface they want to use. All part of the design of ATProto

by verdverm

4/21/2025 at 9:28:47 PM

Ironically, Twitter's mechanism of auto-verifying anyone over 1M followers kind of achieves this.

by dbbk

4/21/2025 at 9:51:34 PM

IMO a system of "I vouch for these accounts" and "I trust the accounts these accounts vouch for, and the accounts those vouched for vouch for up to x levels deep" would be a workable solution.

by Akronymus

4/21/2025 at 5:22:59 PM

I built handles.net[1] to make it easy for organisations to manage their member's handles, I think that using domain names for identity is neat and valuable, I have a vested interest in its success as a paradigm but... domain name "verification" is not the right solution today for non-technical people. I shared this sentiment a few months ago[2] and I have only become more confident in that assessment since.

The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up, I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.

[1] https://handles.net [2] https://news.ycombinator.com/item?id=42749786

by shrink

4/21/2025 at 10:08:54 PM

> The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem.

That just leaves me wondering why they bothered with a new separate system instead of just using the existing label system. A "verified by bsky.social" or "verified by nyt.com" or whatever label would do the job perfectly well, no?

by yellowapple

4/21/2025 at 10:12:34 PM

I would have liked to have seen a justification for this as well. One thing about labels is that they can apply on a per-post granularity as well as a per-account granularity, but verification is purely account-level. Another is that they have slightly different semantics, you can lose your blue check if you change your handle or display name, but labels stay the same no matter what. That's probably the real justification for making it its own feature.

by steveklabnik

4/21/2025 at 10:48:15 PM

Both of those things sound like all the more reason why labels should've been the preferred approach here:

> they can apply on a per-post granularity as well as a per-account granularity

I might want my verification to apply on a per-post granularity. For example: if I'm speaking on behalf of my employer, then my post should reflect that, whereas my usual shitposting and pet projects probably should not reflect that. Currently the only solution there is to have entirely separate accounts (which might not be unreasonable even with post-level verification, but still).

I'm also left wondering about the temporal aspects of verification. My employer might verify me as one of their employees now, but not necessarily a year from now. Per-post verification would reflect that I was authorized to speak on my employer's behalf at the time I made posts to that effect, without retroactively implying that for posts I made before I worked for that employer, and without that verification needing revoked for those posts after I stop working for that employer.

This is all admittedly a long ways off from what Bluesky probably intends with its new verification feature, but I guess what I'm getting at is that if labels can already do per-account and per-post granularity then having a second kind of label that's only per-account and doesn't offer anything that normal labels can't already do doesn't seem all that valuable.

> you can lose your blue check if you change your handle or display name, but labels stay the same no matter what.

That seems reasonable (but IMO questionably necessary) for handle changes, but rather unreasonable for display name changes.

by yellowapple

4/22/2025 at 1:08:25 AM

> For example: if I'm speaking on behalf of my employer, then my post should reflect that, whereas my usual shitposting and pet projects probably should not reflect that

First of all, verification is about identity, not about on whose behalf you're speaking. These concepts are linked, ie if NYT verifies your identity, that might look like an endorsement. I feel like using verification to communicate information about endorsement is not a good idea. On social media, its significantly more important that if you say you're John Doe, that's who you are than it is for users to know if some org endorses your opinions. The extra effort/risk/friction to also communicate endorsements is not in balance with the extra value.

Besides this, its probably a good idea to keep your shitposting and spokespersoning to separate account

by NoahZuniga

4/21/2025 at 11:04:30 PM

> Both of those things sound like all the more reason why labels should've been the preferred approach here

Sure, what I'm trying to describe is the various differences so we can speculate why they may have made the decisions that they did. "more flexibility is always better" is a valid choice, but it may not be theirs.

> That seems reasonable (but IMO questionably necessary) for handle changes, but rather unreasonable for display name changes.

I call this the "jaboukie problem," and it's effectively necessary for this kind of feature. Jaboukie Young-White is a comedian who, every time Twitter verified him, would change his account to impersonate another, and then make an inflammatory post "as them." The blue check lent legitimacy to this. It was hilarious, don't get me wrong, but it does undermine trust in the feature.

by steveklabnik

4/22/2025 at 4:51:46 AM

At this stage, labelers still require a fair amount of work to setup and operate. We didnt want it to be difficult for people to issue verifications

by pfraze

4/23/2025 at 8:08:25 AM

So what's the process for people to issue verifications? Where is that documented?

by yellowapple

4/24/2025 at 5:02:33 PM

You create a record in your PDS. Here's the people I've 'verified' for example: https://pdsls.dev/at://did:plc:3danwc67lo7obz2fmdg6jxcr/app....

There's no UI to do it. It's not currently intended to be a generalized feature, but because the protocol is, it's forwards compatible with eventually doing that if they decide to.

by steveklabnik

4/26/2025 at 7:13:41 AM

That's what I'm getting at, though: I'm glad (and already aware) it's straightforward from a protocol level to implement custom verifiers, but if you're having to dig down into the protocol level to implement them then that doesn't sound like they're actually easier to implement than labelers (which is what Paul's implying above).

I'm assuming the New York Times ain't hand-inserting records into their account's PDS, which means they probably have some kind of UI already in place. I also wouldn't be surprised if people already built their own third-party applications to this effect (sounds like deer.social already allows users to specify their own verifiers, and I'd be entirely unsurprised if they extend that to allowing users to verify each other directly, too - if they haven't already done so). Still, that hardly sounds less difficult than the current labeler situation.

by yellowapple

4/22/2025 at 5:50:22 AM

That's a good reason too!

by steveklabnik

4/22/2025 at 8:02:33 AM

also, it's nice that verifications are easily enumerable, unlike labels

by mozzius

4/21/2025 at 5:39:46 PM

Yeah my initial reaction was not too positive. There's something weird to me about simply delegating verification to a third party organization. I'd prefer a more pure solution. Maybe we don't have a solution yet that is simple enough for widespread adoption. The domain based identity does seem a bit too complicated for the average user.

by adityavinodh

4/22/2025 at 1:21:03 AM

> it is a shame that they gave up

They didn't really give up, though - the domain verification still stands and is just as powerful as ever.

by Retr0id

4/21/2025 at 7:29:51 PM

It’s ironic that many comments are skeptical of strong centralized moderation, but they’re posting these comments on a forum with perhaps the strongest and most centralized moderation team of the entire internet.

All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.

In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.

by sillysaurusx

4/21/2025 at 8:36:17 PM

HN moderation is easy mode because it's a small site and politics is "banned". Trying to do HN-quality moderation of political discourse among millions of users seems impossible.

by wmf

4/22/2025 at 5:30:48 AM

>it's a small site and politics is "banned".

Well, the “wrong” politics are.

by SV_BubbleTime

4/22/2025 at 6:53:42 AM

Yes, HN is turning into Reddit, am I right?

Don’t mistake banned for politics with getting downvoted because your arguments don’t hold up.

by JohnKemeny

4/21/2025 at 7:41:06 PM

There are a lot of users that have complained about the s-banning on this site. While the moderation team of this site seems to be well-intentioned, it does inevitably lead to a very strong slant. S-banning users doesn't make them or their viewpoints go away. They just end up happening elsewhere.

Because those conversations do end up happening elsewhere, this site is famous for leaving readers with a strongly false impression of what viewpoints are actually popular among whatever you would want to call this Silicon Valley hacker / VC scene space.

The highly insidious thing about censorship is not only you don't know what you're not seeing but you don't know you're not seeing it -- you don't know what's missing.

by DevOps72

4/22/2025 at 5:02:59 PM

>Because those conversations do end up happening elsewhere

All research shows the opposite in fact. Adding friction to something causes a chilling effect in nearly any and all examples we have ever paid attention to. When you remove easy access to guns, people kill themselves less despite there being other easy ways to do so. When reddit banned a bunch of toxic communities, the entire site had less toxicity, even on subreddits that were unrelated to the toxic communities

Friction works. It works insanely effectively too.

by mrguyorama

4/21/2025 at 6:58:28 PM

This is better than twitters nonsensical verification but still does not close the loop all the way. I think what is needed are a set of equivalency verification's. Sort of like the domain verification used in getting a TLS certificate.

Something like

    bluesky user X is equivalent(has control)
    to domain A(domain verification)
    to youtube account B (youtube verification)
    to mastodon account C (mastodon verification)
    to D@nytimes.com (email verification)

So logically I would expect a protocol that allows cross domain verification. Best I can come up with is something that works sort of like domain verification extended to user@domain verification. that is, a better engineered version of "make a youtube video with the string 'unique uuid code' in the comment" so that we can verify you own that youtube account"

The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying it's employees. However I can see fellow social media sites balking as this equivalency weakens their walls that keep people in.

by somat

4/21/2025 at 7:07:03 PM

What you're proposing is reminiscent of Keybase's account verification system. You make a post or equivalent on each platform with cryptographic proof that it's you. (e.g here's mine for GitHub https://gist.github.com/ammaraskar/0f2714c46f796734efff7b2dd...).

by ammar2

4/21/2025 at 7:07:20 PM

keybase.io

by toss2025away

4/22/2025 at 5:25:34 AM

> Additionally, through our Trusted Verifiers feature, select independent organizations can verify accounts directly.

As someone who believes in equal access and privilege, this is just horrible. "Trusted Verifiers" - how does the bsky team decide which orgs can be trusted? One could argue that this is worse than Twitter. And of course, the echo chamber is going to get worse.

by jeswin

4/22/2025 at 6:10:07 AM

> how does the bsky team decide which orgs can be trusted?

read again, slowly perhaps about first layer of verification.

by dvrj101

4/22/2025 at 7:35:10 AM

It's the same as "Trusted flaggers" under the EU's DSA. Nobody trusts them. Just like when non-democratic countries call themselves "Democratic Republic".

by sunaookami

4/22/2025 at 10:05:44 AM

> It's the same as "Trusted flaggers" under the EU's DSA. Nobody trusts them. Just like when non-democratic countries call themselves "Democratic Republic"

Trusted flaggers literally need to publish transparency records and are approved by orgs in EU countries under elected governments.

If you say that is all bullshit and EU is a North Korea and North Korea is a shining example of democracy then you should probably remove your dig at DPRK's self naming;) Because your own comment measures non-democratic countries by the standard of democratic countries. if you want to be wrong be consistent at least

by throwaway290

4/22/2025 at 1:06:07 PM

Trusted flagger can flag anything they want and it will be removed in any EU country even though it's not illegal there. The list includes organizations like "REspect" which is infamous in Germany for removing criticism of politicans leading to police raids and fines for people (so called "hate speech"). This "private organization" is literally funded by the government.

>EU is a North Korea and North Korea is a shining example of democracy

I've never said that.

by sunaookami

4/22/2025 at 4:21:38 PM

> I've never said that.

You alluded to EU DSA being like non-democratic countries with "democratic republic" in their name. Yes I exaggerated your point.

by throwaway290

4/22/2025 at 8:41:03 AM

[flagged]

by DecentShoes

4/22/2025 at 5:46:54 AM

bluesky is the twitter alternative for people who want more censorship and echo chambers

there’s nothing surprising about this

by ndjeosibfb

4/22/2025 at 6:34:29 AM

Being on both until recently, BlueSky feels less like an echo chamber than X to me.

Censorship is a negative frame when it also provides healthy platform moderation and safety.

by hashstring

4/22/2025 at 8:05:08 AM

Maybe BlueSky has changed since last I looked, but it used to very progressive activist politically. On Twitter I can see right wing, centrist and left wing commentary.

by concordDance

4/22/2025 at 3:05:11 PM

Yeah, I’d consider checking in again. In the very beginning, some viewpoints used to be more dominantly represented than now, as many new people have joined BlueSky from X since.

by hashstring

4/22/2025 at 11:34:31 AM

BlueSky is never a counterpart of Twitter. It's closer to that of SocialTruth.

I think even the default subs on Reddit are far less progressive than BlueSky.

by raincole

4/22/2025 at 3:03:53 PM

Are you talking Twitter or X? X is in many ways much closer to TruthSocial than any other platform currently is [1] [2]. The only thing that grounds X a bit is the (old) Twitter user base that’s still on there, which is and has been declining.

It’s also interesting that your view of progressive might be different than mine. In this current age, I guess even advocates for DEI are considered too “progressive”. Which (in my opinion) relates more to a shift of right to far right, which shifts the balance, and people mistake it for what are really just centric viewpoints being “leftist”.

To me, BlueSky is the best current alternative to what Twitter originally was.

[1] https://www.npr.org/2024/10/22/nx-s1-5156184/elon-musk-trump... [2] https://www.nbcnews.com/tech/social-media/elon-musk-turned-x...

by hashstring

4/22/2025 at 4:43:20 PM

Is DEI really centrist? I thought it was progressive left... It definitely used to be.

Do we have any surveys on this?

by concordDance

4/22/2025 at 7:07:33 PM

It’s not exactly what I meant. I meant that any form of DEI is now considered “too progressive” by some, which has to deal also with right shifting to far right, which in turn shifts what is generally considered centrist.

Ultimately, DEI can mean thousands of things, and what is “progressive” left or “extreme” right to some may be centrist to others.

by hashstring

4/21/2025 at 7:57:51 PM

Hamartia: The tragic flaw that takes the hero to the top will lead its downfall.

It seems to me that BlueSky is trying to rewind the clock and be the pre-Elon Twitter. They had a decent chance to become what Signal is to messaging, but looks like they are trying to be just another Social Media company.

We’re truly in the post-social media age.

by FlyingSnake

4/21/2025 at 6:07:27 PM

I like the idea of a trust hierarchy. Bluesky verifies NYT, then NYT verifies all their journalists. Makes the entire process a lot more scalable.

by paxys

4/21/2025 at 7:00:12 PM

NYT journalists as a privileged class… With actions like this, Bluesky is not exactly beating the allegations.

by Robotbeat

4/21/2025 at 7:50:55 PM

I actually don't know what you are talking about.

by 9283409232

4/22/2025 at 1:41:28 PM

I presume he’s saying that Bluesky’s a very left wing social media platform.

by JustSkyfall

4/22/2025 at 5:06:26 PM

Calling NYT left wing is patently absurd.

They've spent the past 4-8 years platforming writers to say absolute horseshit about trans people and equivocate between Biden having like 6 leftover classified documents in his house vs Trumps bathroom of for sale state secrets.

by mrguyorama

4/22/2025 at 8:51:00 PM

Everything that doesn't worship the Emperor is left wing these days.

by 9283409232

4/24/2025 at 2:27:46 PM

Believe it or not, plenty of left wingers have a bone to pick with the East Coast traditional media establishment as well, NY Times in particular.

And the traditional media also seems to have a symbiotic relationship with Trump, whose chaos drives news ratings.

by Robotbeat

4/21/2025 at 7:58:03 PM

NYT journalists are in a different class from random Bluesky users — if they spread unfounded conspiracy theories on their corporate-approved account, they can be fired from their jobs.

Put another way, a Bluesky post saying "BREAKING: Trump dies from natural causes" from an employed NYT journo carries a different salience than the same post from a random Bluesky user.

by muglug

4/22/2025 at 5:28:51 AM

>if they spread unfounded conspiracy theories on their corporate-approved account, they can be fired from their jobs.

Or… you know… win a Pulitzer.

by SV_BubbleTime

4/21/2025 at 8:30:41 PM

Correct. I'd like the example of NYT as a verifying authority better if I trusted the Times more than I trusted some of their journalists (blessed few, mind you).

I think it's pretty hilarious that the Times, of all people, count as 'trusted'. It makes me automatically distrust BlueSky verification, which doesn't sound like the intention.

by Applejinx

4/21/2025 at 9:00:55 PM

It’s not that you need to trust the New York Times as a whole, it’s that you can trust that account is linked to that organisation. A verification tick does not imply endorsement, just that they are who they say they are.

by enneff

4/21/2025 at 10:51:59 PM

That would be nice, I guess. In normie world a blue tick is supposed to mean 'vouched for and trustworthy, also high status so you should maybe show deference'. You can say it means whatever you want, but then watch how people fight for these things and argue about/rebel against them.

In practical terms, no, they are status markers.

by Applejinx

4/22/2025 at 8:35:03 AM

If you're treating a "this person is who they say they are" checkmark as a status symbol, that's a you problem.

by azernik

4/22/2025 at 10:54:15 AM

That’s the problem with a lot of people, tho. They DO give deference to the checkmark.

by Robotbeat

4/22/2025 at 12:18:28 AM

> I think it's pretty hilarious that the Times, of all people, count as 'trusted'.

Why? Who do you trust?

by mmooss

4/22/2025 at 5:27:55 AM

I look at all media organizations skeptically. There are so many ways to distort the truth besides outright lying, and I notice this with the Times - both in what they choose to cover and their tone when covering.

With that said, the Times is one of the better media orgs. But IMO they should very much not be trusted blindly.

My media diet is a blend of various sources: The Atlantic, The Economist, The Free Press, Reason, Semaphore, Politico, New Statesman, and Axios. Even the Drudge Report sometimes.

I wish I had more right-leaning sources to follow, but I often find their content inflammatory and rage-bait-ey (before anyone complains that liberal media does this too, yes, I agree. HuffPo and similar are cancer.)

by dlivingston

4/22/2025 at 7:46:19 PM

I agree in that it's important to take it all skeptically. Also I avoid anything that exists to further a particular cause.

> I wish I had more right-leaning sources to follow, but I often find their content inflammatory and rage-bait-ey

Agreed. I recommend David French, the NYT columnist; easily the best I've read.

by mmooss

4/22/2025 at 7:53:16 AM

From my experience you can better spent time reading history than news.

by enaaem

4/21/2025 at 7:30:08 PM

The blog post is unclear on if they will only be allowed to verify accounts as being part of NYT or if they will be allowed to give out blue checks to anyone in general. It sounds like it's the latter. If not it shouldn't be a blue check at all, it should just inform users that the account is associated with NYT.

News organizations have in recent years started selling so-called "contributor" positions. Anyone with enough money can be a journalist and influence public opinion. And NYT and similar outlets are not trustworthy sources either way, they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed. Basically rewriting their reporting as the narrative changes.

by trompetenaccoun

4/21/2025 at 8:41:29 PM

> The blog post is unclear on if they will only be allowed to verify accounts as being part of NYT or if they will be allowed to give out blue checks to anyone in general.

On a technical level, any account can "verify" any other account.

On a practical level, blue checks are shown only if that verification comes from someone BlueSky trusts. Right now, that's bsky.app and nytimes.com.

by steveklabnik

4/21/2025 at 9:30:23 PM

That’s very interesting. Does It mean NYTimes can also provide a Blue Check to someone from BBC, Reuters or even from a completely different org?

by throwaway642012

4/21/2025 at 9:49:14 PM

At the protocol level, any account can verify any other account. If you have one, you can verify anyone you'd like right now. The NYT can verify any account, even ones from those organizations, or not even from a news organization.

The only difference is that Bluesky won't show a blue check for just any verification, only ones from accounts they trust. That's a social relationship, not a technical one, and so I'm sure if the NYT decided to go rogue, Bluesky would have them not be an input into the blue check any more.

by steveklabnik

4/22/2025 at 12:20:31 AM

> News organizations have in recent years started selling so-called "contributor" positions.

Which ones? I've heard of that with lower credibility organizations (Forbes, I think), but nothing like the NYT.

> they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed.

I think they correct things. I'm not sure they have ever been in the habit if notifying people of every correction, though it would be interestesting to have an edit history with diffs.

by mmooss

4/21/2025 at 6:22:12 PM

This seems like an anti-feature. The appeal of Bluesky is exactly the lack of a Twitter like central authority.

by throwawa14223

4/21/2025 at 6:35:18 PM

You mean the kind of central authority that can censor accounts at the behest of a despotic government? Bluesky is not decentralized in any meaningful sense.

https://www.turkishminute.com/2025/04/17/bluesky-restrict-ac...

by senderista

4/21/2025 at 9:26:25 PM

My understanding of that situation was that they could either remove that content from being accessible on Bluesky (the client) or have the site blocked entirely.

They landed on country-specific moderation, which is all publicly accessible and documented, allowing countries to label specific posts/contents and have them hidden in the country. Again, this is only on the Bluesky client; other clients can ignore the 'hide' label if they choose.

This is an article that details it pretty well and links to a few tools that allow you to view everything hidden by any country moderation team: https://fediversereport.com/bluesky-censorship-and-country-b...

by joshuaturner

4/21/2025 at 10:02:37 PM

What are these "other clients"?

by senderista

4/21/2025 at 10:09:28 PM

You have pure clients like https://deck.blue/

And then "soft forks" like https://deer.social/

by steveklabnik

4/22/2025 at 11:16:35 AM

Am I supposed to type my bluesky password into some random website?

Why would there be no 2FA options, like when using https://element.io for a homeserver?

by the_gipsy

4/22/2025 at 3:05:22 PM

You make an "app password" which is basically an API token.

They've recently added OAuth, but since it's pretty new, a lot of older projects haven't moved over yet.

2FA exists but only for emails right now, more to come. https://github.com/bluesky-social/social-app/issues/1071

by steveklabnik

4/22/2025 at 5:44:54 PM

Okay that makes sense, thanks! And yea, I meant OAuth, 2FA has really nothing to do.

by the_gipsy

4/22/2025 at 11:12:27 AM

So have the site blocked entirely. Let censorious despots build their own great firewalls.

by juped

4/21/2025 at 7:31:20 PM

I was misinformed about Bluesky. Thank you

by throwawa14223

4/21/2025 at 6:29:04 PM

The opposite. It’s Twitter before Twitter was turned into a campaign of degenerate malignancy, with several escape hatches built-in.

by arghandugh

4/22/2025 at 2:40:34 AM

I suppose if what you don't like about twitter is the people there (or the moderation), bluesky would make a lot of sense. I can't help but feel like the combination of catering towards businesses (verification) and people who don't like conflict (moderation) is recreating the same problem with a different demographic.

Am I anti moderation? No, not really. But the attitude blue sky users have towards it feels very much like wanting to be validated for not liking twitter('s users) rather than a forum for adults who enjoy seeing content from people wildly unlike themselves, which is what drew me to twitter 15 years ago.

by NoTeslaThrow

4/22/2025 at 6:25:38 AM

It’s quite difficult to see content on Twitter which is “unlike myself” and it’s not for grifting, from politicians, or parrots of these. Also, it’s quite boring that these people say the same thing for decades now. It’s quite simple nowadays to predict how these “unlike me” people will “think” on every single topic on social media. Usually, it’s not even their thoughts. Almost all of them are baseless parroting.

You won’t find real discussion on Twitter. It’s an attention market, and thus discussions are not incentivised at all. I found way more interesting “unlike me” thoughts in real life than on any social media in the past 7 years (and before that I was just lucky for a few years). It’s not that they don’t exist at all, but the cost of finding these is magnitudes higher nowadays on the internet than off from that. Also, who wants discussions left most of social media years ago. Most of the smarter people whom I followed left every platform as their usage became more costly. Not just Twitter.

by ruszki

4/22/2025 at 5:26:43 PM

> Also, it’s quite boring that these people say the same thing for decades now. It’s quite simple nowadays to predict how these “unlike me” people will “think” on every single topic on social media. Usually, it’s not even their thoughts. Almost all of them are baseless parroting.

You could say this about any forum on the internet, including this one. But the diversity of thought and interest here is quite small in comparison to twitter just by sheer numbers and the necessity of this forum circling the shared interest of VC culture.

Hey, I understand why people left twitter. I just don't see how bluesky improves on the actual culture of the site—the best posters never transitioned.

by NoTeslaThrow

4/22/2025 at 6:00:21 AM

Twitter is now specifically and intentionally a machine for developing degenerate people and patterns working towards degenerate ends. It is no longer a system useful for finding "unlike" entities.

As it is also the personal mouthpiece (and semen receptacle) for the richest and most deoxygenated freak ever created by our species it represents an existential threat to the continuation of a livable planet.

So yeah I guess Bluesky users do have some "attitude" towards Twitter. It's a natural consequence of distancing yourself from abomination.

by arghandugh

4/21/2025 at 7:31:48 PM

Twitter was awful before Musk and is awful in a different way now. Emulating old awful is not good just because new awful is different.

by throwawa14223

4/21/2025 at 7:34:04 PM

If you were one of the people making twitter awful before Musk, you'd prefer a service that was old awful, rather than new awful. They just want the Shah back.

by pessimizer

4/21/2025 at 8:20:47 PM

> They just want the Shah back.

Is that a reference to something? Haven't heard that phrase before.

by staunton

4/21/2025 at 9:08:07 PM

I'm guessing it's a reference to the last shah of Iran: https://en.wikipedia.org/wiki/Mohammad_Reza_Pahlavi

by AlexandrB

4/22/2025 at 12:21:13 PM

The appeal of Bluesky, initially, was that Twitter became a deranged platform. I doubt the average user is concerned with central authority insofar as intellectual and moral values inform the goings on. That, rather than centralization, is the problem with new Twitter, Truth Social, and the nihilist right-wing ecosystem more generally.

by vehemenz

4/21/2025 at 7:17:04 PM

I think I've seen this movie before and it doesn’t end with meaningful community trust. It ends with people paying for status, accounts impersonating others with a wink and a checkmark, and eventually, trust being eroded by the very signal designed to uphold it.

by kristianc

4/21/2025 at 6:56:49 PM

I'm not a bluesky user yet but in reading through the post I discovered a problem with their implementation of the ID verification.

They describe it as a "blue check" when in fact it is a white check on a blue circular background.

Just nit-picking I guess but sometimes I read a passage that describes something and I conjure an image in my mind of what I would see should I open my eyes with it all laid out in front of me. This does not fit the image that is described in the post and makes we want to question the author's observational skills.

by doodlebugging

4/21/2025 at 7:05:35 PM

It’s what the verification mark is typically called

by mattl

4/21/2025 at 9:14:44 PM

Why isn't it a blue check on a white circular background? That would make it a blue check. It doesn't matter to me since to date I am not a user, I just thought it was interesting that people would accept a non-truth as an ID verification.

by doodlebugging

4/21/2025 at 7:15:58 PM

The old blue checks were very useful as a way of knowing who was approved by the regime. So I sort of look forward to this, even if I still really struggle to even casually use bluesky.

by mhh__

4/22/2025 at 5:26:12 AM

>even if I still really struggle to even casually use bluesky

Trend.

I mean, what even are network effects!?

by SV_BubbleTime

4/23/2025 at 5:29:15 PM

More that I actively despise most of what I see on the front page

by mhh__

4/21/2025 at 7:39:53 PM

It's giving Twitter "official teller of truth" vibes

by blotfaba

4/21/2025 at 7:46:00 PM

If I was in a less charitable mood, I would categorize it as a misguided attempt at re-implementing previously failed ecosystem. But I am in charitable mood so allow me to say instead 'bold move. lets see if it pays off'.

by A4ET8a8uTh0_v2

4/21/2025 at 8:51:17 PM

Hey, I have this personal homepage. Available under a domain name. I trust myself, so I put a PNG of a blue check on it. If you don't trust me, I also have a blue check on my website that is put there by my best friend. Now you have to trust me. I guess I'm verified now, authenticated even.

The web really was better with more pseudonyms. I don't care if you are you, I can read your text, judge it on it's merits (according to my yardstick) and I basically don't care if you or other people consume information that is true or false.

Am I missing something?

by rambambram

4/22/2025 at 6:11:52 AM

thats why 4chan will always be 100 more honest then all these platforms

by stdclass

4/21/2025 at 11:19:42 PM

One of the use cases of Old Twitter was official announcements from public figures and organizations. It is useful to know if the announcement that “life has been found on mars” from “NASA” is actually from the real National Aeronautics and Space Administration account.

by mastax

4/22/2025 at 3:44:15 PM

We could always, uhh... go to NASA.gov. Weird, I know.

by jjulius

4/21/2025 at 8:58:49 PM

> Am I missing something?

The ability to put fake blue checks on your website isn't the point.

Bluesky (and the web at large) is slowly becoming filled with spam and AI-generated content. Even if you're OK with more spam (not sure why you would be but you do you), why would you be OK with more content generated by non-humans (the vast majority of which attempts to pass as human)? This just makes it harder to find needles of authentic human content in a haystack of slop.

Various levels of verification make it easier to distinguish what's real from not real, for whatever definition of "real" you prefer. Without any such verification, the web just becomes a bigger wasteland.

by kmoser

4/22/2025 at 3:58:48 AM

Real life people use AI. A good example of this is the lawyers who submit court filings with AI generated legal citations. The get caught because the citations are fake (the case cited does not exist).

by StressedDev

4/22/2025 at 3:06:40 PM

>Various levels of verification make it easier to distinguish what's real from not real, for whatever definition of "real" you prefer.

Exactly! ;) Bullshit is still bullshit, whether it's under a real name or a pseudonym. Additionally, blue checks don't stop "real/verified" people from copy/pasting AI-generated content.

by jjulius

4/22/2025 at 8:34:52 AM

> The ability to put fake blue checks on your website isn't the point.

That's my point. ;)

by rambambram

4/21/2025 at 11:38:33 PM

I've always found those blue checks to be a ridiculous idea.

Internet was intended to be anonymous.

by aboardRat4

4/21/2025 at 5:31:20 PM

Why not let users pick their own Trusted Verifiers?

by preciousoo

4/21/2025 at 6:26:24 PM

I'm guessing because users will just "verify" themselves, and then the whole thing is meaningless.

by benwilber0

4/21/2025 at 8:47:56 PM

Users can then choose to subscribe or unsubscribe from a Trusted Verifier, if one starts to act in an unsavory manner. That a Verifier exists doesn’t mean people have to use it

by preciousoo

4/21/2025 at 7:48:19 PM

In the current system, anyone can verify anyone else.

by steveklabnik

4/21/2025 at 7:48:39 PM

That's absolutely possible for them to pivot to in the future. We'll see.

by steveklabnik

4/22/2025 at 2:54:37 AM

Pardon the naive question, but could verification not be accomplished by requiring to tie a form of payment to an account? Eg, a CC or equivalent? Outsource the identity validation to other institutions (eg banks), and benefit from their deep investment into identity verification. Would that not work?

by btbuildem

4/22/2025 at 12:16:24 AM

It seems like the main problem with verification is that everyone is conflating what verification is or is supposed to be.

It doesn't mean "this person is trustworthy" it means "this person is who they claim to be". But people desperately want it to be the former, or some sort of club.

But these are completely orthogonal concepts that demand different solutions.

Bluesky should do better here though, their definition of "verified" is buried in the blog post as "authentic and notable". This is okay I guess, sort of matches old Twitter. But a bit wishy-washy.

One idea could be to link verification badges to Wikipedia (or Wikidata) entities so you understand who is confirming what about the account. "This Mark Cuban Bluesky account is the same as the Mark Cuban in this Wikipedia article" and let the Wikipedia editors fight over noteworthiness etc.

by wilg

4/22/2025 at 5:42:24 AM

It sounds like you just disagree with Bluesky's definition.

If it's only for notable people, then it is a sort of club.

by JSteph22

4/22/2025 at 6:26:53 AM

No, I'm saying they should be much clearer about what their definition is. I also suggested a way to use implement their same "authentic and notable" definition via a trusted and democratic third-party like Wikipedia.

by wilg

4/22/2025 at 2:32:21 AM

I'm trying to remember a single moment in the last twenty years of desiring identity verification and I just can't think of anything.

Maybe people trying to protect their "brand"? Is there really that much demand for branded content?

by NoTeslaThrow

4/22/2025 at 2:50:12 PM

I'm not sure what is being verified here. Except that the someone has access to a bluesky handle and a DNS record.

And even that is not a guarantee as it needs to be validated by the bluesky team, for which it helps, in their own words – to have connections with them.

Otherwise I could buy dozens of domains and spin up bots to churn out AI slop as "validated" accounts. I could buy linustorvalds.com for 25k and impersonate him.

It's still a two-tier system for clout-chasers. If you're cool enough, you get a "Officially Cool™" badge from the bsky team. If you're not, hope that a 3rd party provider decides to give you one. Or you're a second-grade netizen.

by baxuz

4/21/2025 at 11:53:34 PM

Shouldn't there be some kind of points-system to the verification?

If I am verified by 2 parties each of whom is verified by 10 parties each of whom is verified by 1 party then my verification score would be 20 (= 2 x 10 x 1).

Then people could trust me beinhg me 20 x more than somebody who is only verified by one party who is only verified by one party who is not verified by anybody?

by galaxyLogic

4/22/2025 at 5:33:01 AM

I prefer the Nostr approach that also has domain based verification, but it opens up the door for anyone with domain to do it. https://github.com/nostr-protocol/nips/blob/master/05.md

by nout

4/21/2025 at 6:11:49 PM

Good! I’ve been using a third-party labeller (which is a great hack), but making it more user friendly and official is a great thing.

I’m a proponent of verification only for “important people”. Yes, the definition of important is funny, and people may feel slighted by it: but I’ve yet to find a system that helps me identify high quality sources so immediately on a social media platform.

by pityJuke

4/21/2025 at 6:25:55 PM

I think the best way to look at things is to look at platforms that don't and have really never had issues with verification to begin with. An oddly good example is YouTube, which has a verification feature that's so uneventful and drama-free I reckon a lot of people hardly even notice it. Even fairly small scale musicians and creators, at least relatively speaking, can have verification symbols. (Of course, there can be issues with e.g. account takeovers and people changing their name/icon to try to fool you, but that's not really a problem with the verification process itself.)

The trouble with what platforms like Twitter did was by trying to stick to some definition of important, they took what should be a mundane "yep, this is the person it looks like" icon and made it into a status symbol that everyone wanted. Twitter had a hard time defining the boundaries: Shouldn't they verify their most influential users even if they're not real world celebrities or public figures? What happens if someone who is verified says something that they don't like? How do you prevent corruption when you give other organizations special privileges for verification?

For Twitter and Instagram verification, people were bribing employees and getting verification just because they joined an organization (like an eSports team or a news organization.) This was not a good status quo.

Bluesky is probably headed towards the same problem if they try to be the bearer of who's important. Obviously, you can't verify any Joe Schmoe, but honestly you can just set a reasonable threshold based on their status in the platform for as to whether or not they should be eligible to get verification. When you do stuff like say "You should be able to be verified because you work for NYT", that's just weird. Being a journalist doesn't magically make you important, or mean that your posts will be worthy of greater consideration, yet that's what you're setting people up for when you make verification into a big ordeal like this, and it's the reason why Twitter would unverify people for e.g. having an opinion too far outside the Overton window. And using in-platform metrics to determine eligibility seems reasonable anyways... If you have like 10 followers, your verification status is utterly meaningless anyways.

I think if they want to solve the problem for journalists they should've verified the organizations and then made this separate from verifying individuals. Then accounts under that domain could just have some sort of special badge. This especially makes sense because otherwise you could literally just have your personal account become verified by having a couple month stint at the NYT or something, which is non-sensical.

by jchw

4/22/2025 at 10:12:04 PM

> Trust doesn’t come only from the top down [...] So, we’re also enabling trusted verifiers: organizations that can directly issue blue checks.

Is this not still a top-down system, just with one level of indirection?

Something not-top-down might look more like the web-of-trust model.

by jamesfisher

4/21/2025 at 5:25:06 PM

Bluesky remains the single best example of how decentralization works best as components of the architecture, not its raison d'etre.

by mpalmer

4/21/2025 at 7:27:17 PM

No, it's the best example of how after you take a bunch of VC money you won't ever give up an iota of control or ability to rugpull, no matter what the original purpose of your organization was.

by pessimizer

4/21/2025 at 7:47:30 PM

True to your name if nothing else.

Bewildering to me that seemingly any move in the right direction for social media is criticized with even more venom. How exhausting it must be to be stuck in such a frame of mind.

Showing users that these ideas work is a win, it doesn't matter what Bluesky does in the future.

by mpalmer

4/21/2025 at 7:57:36 PM

I'm glad BlueSky is trying to innovate in this space but there is reason to be pessimistic. Eventually VCs want a return on investment and Bluesky doesn't actually make money as far as I know.

by 9283409232

4/22/2025 at 5:25:13 AM

We had this idea to use a page rank based algorithm to compute a influence score based on the score of the people who follow you.

A high score usually indicates a trusted account. Check it out here: https://bluefacts.app/top

by uwemaurer

4/21/2025 at 6:59:39 PM

Bluesky is riddled with pornography, even with the strictest settings enabled. I genuinely don’t feel comfortable scrolling any of the curated feeds in a public place except for my direct “Following” only feed.

Not sure how big of a priority this is for the team that runs it, but I would probably use it 20x more if it was ran competently.

by thunkingdeep

4/21/2025 at 7:08:45 PM

That hasn't been my experience with it, and I'm curious as to what usage pattern gets that result other than intentionally following accounts that post pornography. My account that follows and posts tech and general interest stuff gets tech stuff and politics in its discover feed. My account that posts bird photography and follows photographers gets photographs of animals and landscapes, and politics in its discover feed.

It's politics I can't avoid there, not pornography.

by Zak

4/21/2025 at 10:32:23 PM

Yeah, I can confirm that I have to go out of my way to find anything NSFW on any of my feeds (even while following multiple artists who occasionally post some risqué drawings), whereas politics are unavoidable.

Granted, I'm probably part of the problem, since I do post (and repost) some political stuff every once in awhile, but still.

by yellowapple

4/21/2025 at 7:12:16 PM

I mostly discuss politics. I’ve talked about some technology stuff on there too, but it’s easily 95% politics.

by thunkingdeep

4/21/2025 at 7:33:40 PM

I should also note I have adult content set to allowed and all moderation categories set to warn or show, nothing set to hide. I can't recall seeing any porn at all outside of a couple searches meant to test the moderation settings.

by Zak

4/21/2025 at 7:51:28 PM

If you contextualize this as a form of limiting the power and reach of bots, and you avoid going down the rabbit hole of speech and censorship, then this move is actually a very clever way of scaling that out.

Trust is always going to be a game of cat and mouse, and this seems like just another move.

by jarjoura

4/22/2025 at 10:39:00 AM

I see a lot of resistance against the trusted verifier system and I am curious on why it is any different from CAs

by zero0529

4/21/2025 at 7:10:33 PM

For folks interested in a PKI certificate based approach to solving verification problems:

https://news.ycombinator.com/item?id=40298552#40298804

Delegation similar to bluesky's "NYT org issues certs to journalist" is also possible and done in a far more versatile manner.

If you have a domain and want the ability to issue certs to others, email me...this will just be for experimenting of course :)

by Edmond

4/21/2025 at 5:29:54 PM

<checks Twitter development timeline> Yep, right on schedule.

Fine with this albeit very 'manual'...but not clear if any other choice. I do really like the domain username scheme and if anything this news just draws more attention to that because there's sooo many organizations/news outlets etc not taking advantage.

by ChrisArchitect

4/21/2025 at 10:23:56 PM

The lack of domain-based verification among organizations is indeed bewildering. Surely these orgs have IT departments, right? Even the most junior of help desk techs should be able to figure out how to create a TXT record and paste in the gobbledegook that Bluesky provides to link that to an account.

If these orgs don't have IT departments, then, well, pay me $20 and I'll do it for you.

by yellowapple

4/21/2025 at 9:08:41 PM

Can a country verify it's president?

Can a country I don't like verify it's president that I don't like neither?

Prime minister? Members of the Senate? All citizens? Their own bot farm?

by gus_massa

4/22/2025 at 7:39:48 AM

Can anyone just make their own blue check now?

by NullPointerWin

4/22/2025 at 1:47:14 AM

What’s the value in verification, exactly? Seems like a solution to a problem that doesn’t exist. Do non-idiots really get confused into thinking Jack Dorsey’s account is someone pretending to be Jack Dorsey?

Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.

I suspect a lot of people have this delusional fantasy where “verification” is going to shape political discourse in their favor.

by thuanao

4/22/2025 at 11:21:04 AM

> Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.

It was if you were a regular, non-technical user or not terminally on Twitter.

by robertlagrant

4/22/2025 at 5:19:51 AM

I’ll bet you $100 that you have argued with bots before.

by SV_BubbleTime

4/21/2025 at 7:57:55 PM

"yessss FINALLY we have a caste system for professionals who were too stupid to figure out how to use a domain!"

haha

by ChrisArchitect

4/21/2025 at 6:46:18 PM

It could be perfect to have a basic network of trust as feature.

Can't be that hard to have this

by Tireings

4/21/2025 at 6:43:42 PM

Given usernames-as-domains, is there a reason to not just piggyback this on the X.509 web of trust?

After all, we already have an established and highly-monitored set of sibling "trust roots" — we call them Certificate Authorities.

And we already have an identity-validation system coupled onto X.509 FQDN-as-CN (i.e. TLS) certificates — certificate validation levels.

BlueSky could just:

1. require a domain username for verification;

2. require that the domain presents an Organization Validated (OV) cert for verification as a "public individual" (i.e. the kind with a "personal brand" — which usually implies "worth registering as an LLC");

3. require that the domain presents an Extended Validation (EV) cert for verification as a corporation.

...and the whole problem of identity validation becomes outsourced, and federated, and decentralized. (Federated because multiple sibling CAs; decentralized because every computer administrator gets to decide for themselves which CAs their machine should trust.)

---

A rebuttal might be that "EV certs can't be used for this, because EV certs are too expensive, take too long to get, and don't integrate well with automatic per-subdomain DV cert issuance via ACME."

But (IMHO) that's not a problem to be worked around; that's a problem to be fixed. Why leave a broken generalized web-of-trust infrastructure sitting there unused?

If an online casino can KYC/AML you in two minutes with a passport scan and a 3D camera photo, it shouldn't be impossible to do for OV+EV validation what we did for DV validation with ACME. (Ideally in such a way that you can do the interactive process once, receiving not a cert, but some kind of collateral; and then, later on, any ACME server should accept that collateral during an interactive domain ownership probe, to upgrade the DV cert it's issuing you into an OV/EV cert.)

---

The other neat thing about this approach is that, in a "fat" native BlueSky app (i.e. not just an Electron wrapper), the app wouldn't have to trust the BlueSky service to say who's verified. The app could TLS-validate each domain username itself, to compute the appropriate badge for that user — just as a web browser does when you visit a website. And it would presumably use your machine's OS TLS CA store for that validation, just as (some) browsers do.

by derefr

4/21/2025 at 7:01:21 PM

1. Hello it's me your good friend Amazon S3 [1]

2. I've been programming and hosting websites for a decade+ and I would have no idea where to start with any of the things that you propose they "just" require.

3. The OV requirement seems kind of hokey. There's no such thing as "worth registering as an LLC" — anything can be an LLC. You could have an LLC that just holds your dog's assets and call it Internal Revenue Service (LLC), assuming someone else hasn't already grabbed that name in your state, and that would be completely valid.

All of this would make it way too difficult to navigate verification for normal people, and I'm not convinced it would do anything to stop determinated bad actors.

[1]: https://chaos.social/@jonty/110307532009155432

by rafram

4/21/2025 at 7:41:02 PM

> 2. I've been programming and hosting websites for a decade+ and I would have no idea where to start with any of the things that you propose they "just" require.

That's because OV/EV certification are (currently) viewed/remembered mostly as "a bunch of bullshit that nobody sees the point in", and/or "a money-making scheme designed to allow big companies to throw money at the problem of looking 'more secure' than small companies, by showing up with a prettier lock icon/address bar state in web browsers" — ignoring the fundamental value provided by the design of the system, due to the pragmatics and politics of existing and previous (mostly previous) implementations of the design.

A site presenting an EV cert used to look like e.g. this in Firefox: https://upload.wikimedia.org/wikipedia/commons/6/63/Firefox_...

And this in IE/Edge: https://www.thesslstore.com/blog/wp-content/uploads/2010/06/...

Once browsers stopped visually differentiating sites signed by OV/EV certificates from sites signed by DV certificates with the big "green for go" coloration, corporations no longer had any motivation to get EV certificates, so everybody forgot they existed. This happened a decade+ ago.

(And then, in 2019, the last vestige of this distinction was removed, when EV certs stopped making browsers show the identified company name beside the lock icon: https://www.leaderssl.com/news/492-google-and-mozilla-will-s...).

Because of this, nobody today is really familiar with EV certs. But that doesn't mean they're hard or arcane; they're just obscure. And the process for getting one is clunky — but it used to be that the process for getting regular (DV) certs was clunky, too. The EV cert process just hasn't been updated with the times to match the ease of getting a DV cert, because nobody has cared to do so, because there's no demand.

But neither of those things mean that EV certs aren't fundamentally a good way to secure identity in a web of trust. Every code signing certificate is an EV cert, for example. And all cross-signed CA certs are EV certs. EV certs are still there, quietly underpinning much of X.509's security model, in TLS and elsewhere.

And as such, it's silly to recreate the EV validation ecosystem, but worse, for something (identity verification on BlueSky) that is pretty much exactly "the green address bar" use-case all over again — when we could instead just revive the dormant infrastructure that powered things the last time we cared about federated identity verification, and polish it up a bit for use in 2025.

> All of this would make it way too difficult to navigate verification for normal people

If they wanted, BlueSky could match what they're doing today by 1. setting up their own X.509 CA, and then 2. delegating the constrained ability to issue OV+EV certs to users from this CA, to named entities (like the NYT, as mentioned in the announcement.) Then you wouldn't have to do anything; everything could be handled on their end, with a BlueSky-CA-issued OV or EV cert just magically appearing bound to your BlueSky account.

(And they could — but wouldn't have to — get this CA into default trust stores of client devices. The BlueSky webapp backend would have the BlueSky CA explicitly in its trust store; as would any first-party native fat clients. Any third-party native fat clients would need to add the CA cert into the app and configure their HTTP client to use it. X.509 is not one global system; every X.509 root-of-trust creates its own tree-of-trust, which is only a web-of-trust insofar as multiple roots-of-trust can [but don't have to] cross-sign things.)

The point here is just that with X.509, big entities who BlueSky is unwilling to delegate identity-verification authority to, or who don't trust BlueSky — or, as BlueSky themselves say, the existing userbase at the point where BlueSky itself becomes adversarial to them — can step outside of this de-facto centralized trust model, by instead getting an different X.509 CA of choice to issue EV certs for any entities they want identity-verified; and then uploading (or in the case of a native app, installing) these certs to bind them to their BlueSky accounts.

In a bigcorp MDM domain, your EV cert allowing you to speak as @bigcorp_pr or whatever, would just get MDM-installed onto your device and you'd never even think about it. You'd just know that you actually can't log into that BlueSky account on any non-company device, despite knowing the password to the account, because no other device has the cert installed.

> and I'm not convinced it would do anything to stop determinated bad actors.

It does as much and as little as what BlueSky's announced approach — have human moderators check identity verifications using their common sense — does.

That's all EV validation is, in the end: collecting a bunch of information and then having a human look at it and say "yeah, this is really who should be getting certified to say they own this domain" or "no, this seems to be some kind of domain hijacking attempt." (Or even "this domain seems created to typosquat a popular brand, so I'm not granting the cert, even if the person really does own the domain." Denying typosquatters EV certificates is/was an explicit feature of most CAs' EV processes — although the term "typosquatting" hadn't been coined yet, so it was referred to as "trademark protection" or somesuch.)

The only difference, in leaning on X.509 infrastructure to do this, would be that you wouldn't have to rely on "BlueSky moderators" as your only group of people willing to put their reputations on the line to assert "yeah, this is who they say they are; they're really in charge of this business; and this business is a real thing—the one you'd think of when you see the name." You can go out and ask any company specialized in "having a reputation for making identity-validation assertions that everyone trusts" (i.e. an X.509 CA) to do it for you.

by derefr

4/21/2025 at 6:51:38 PM

BlueSky users are already kind of doing this. Members of the US House and Senate tend to use their .house.gov/.senate.gov domains as usernames, which is a very trustworthy signal that the account is legitimate.

by giaour

4/22/2025 at 3:36:22 PM

Kinda like Lobster.rs

Not a good look.

by egberts1

4/21/2025 at 6:36:28 PM

They can justify it however they want to all day long, but we've got enough real-world examples of verification to show that its core use isn't about protecting users, but about authorizing acceptable speech on a platform and protecting advertisers.

Domain verification was genuinely all the verification needed. This checkmark system is just a copy-paste troublemaker from Twitter, and we all saw how well that turned out whenever a celebrity or billionaire's account got hacked to shill grifto schemes. Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.

by stego-tech

4/21/2025 at 7:29:18 PM

> Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.

This is what their users are looking for. They don't want complexity, they want to know who they're supposed to listen to.

by pessimizer

4/24/2025 at 4:42:10 AM

I don't know why HN is down voting you; you're right.

That said, your gray-status is exactly why I long since stopped pointing out that's what people want, and instead shifted my argument towards educating readers why that's bad. The dearth of informed electorates is a crisis plaguing humanity as a whole, and we sorely need to start shining a light on the practices that create this harm ("answer engines") rather than shaming users that engage with those traps alone.

by stego-tech

4/22/2025 at 12:40:34 AM

[dead]

by uriegas