How to avoid identity theft on Chat messages

Hi,

We managed to create a chat communicator on our pods using the solid-auth-client library.
We send, receive and delete messages from my friends’ pod using auth.fetch.
We realised that we are able to send each other messages with whichever sender identity (WebId) we want.

Is there a way to verify that the sender’s WebId is the actual sender’s WebId?

There is an issue about it in the chat-pane repository: https://github.com/solid/chat-pane/issues/36

Regarding this, you could do it with public key cryptography. The sender signs the (hash of the) message with a private key, the receiver verifies it with a public key found in the repository of the sender. However, I don’t think this will be the way to go.

It never gets easier… I will check it out.
@A_A, thanks for the answer. What do you think is the way forward… I am under the impression people talk a lot about Matrix, I still do not know why. Any other protocols in mind?

I meant that public key cryptography would not be an ideal solution to it. I’m quite confident that it would work for verification. The drawbacks I would see are that (1) you can only verify it if the sender and the receiver both implement this public key encryption, and (2) you need at least one HTTP request to get the public key of the sender for verification (which probably makes it slower, not sure how big the impact would be), even if optimally implemented with caching and co.

Personally I guess the solutions proposed in the issue would yield a better user experience, but I haven’t thought much about this topic.

Honestly I have my doubts that Solid will become a main messaging platform. I could imagine it replacing email, but I personally doubt it could become on par with Matrix regarding features and performance. But I honestly didn’t think much about it and it’s not my priority to look into it.

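The sign-and-verify check discussed in the replies above, as an added example that is not part of the original thread or of any Solid library. The `publishedKeys` map stands in for the HTTP request that fetches the sender's public key from a document only the sender can write; the message field names, WebIDs and key pairs are constructed for illustration.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Assumption: stand-in for fetching the key from the sender's pod (WebID -> public key).
const publishedKeys = new Map();

// Fixed field order so sender and receiver sign and verify identical bytes.
// The recipient is covered too, so a signed message cannot be re-filed for someone else.
function canonicalBytes(msg) {
  const fields = [msg.sender, msg.recipient, msg.created, msg.content];
  return Buffer.from(JSON.stringify(fields), 'utf8');
}

function signMessage(msg, privateKey) {
  // Ed25519 hashes the input itself, so the digest argument is null.
  const signature = sign(null, canonicalBytes(msg), privateKey).toString('base64');
  return { ...msg, signature };
}

function verifyMessage(msg) {
  // Look up the key of the *claimed* sender, never a key carried in the message.
  const publicKey = publishedKeys.get(msg.sender);
  if (!publicKey || typeof msg.signature !== 'string') return false;
  const sig = Buffer.from(msg.signature, 'base64');
  return verify(null, canonicalBytes(msg), publicKey, sig);
}

// Constructed sample identities and messages.
const ALICE = 'https://alice.example/profile/card#me';
const MALLORY = 'https://mallory.example/profile/card#me';
const BOB = 'https://bob.example/profile/card#me';
const alice = generateKeyPairSync('ed25519');
const mallory = generateKeyPairSync('ed25519');
publishedKeys.set(ALICE, alice.publicKey);
publishedKeys.set(MALLORY, mallory.publicKey);

const base = { sender: ALICE, recipient: BOB, created: '2020-01-01T10:00:00Z' };
const genuine = signMessage({ ...base, content: 'Lunch at noon?' }, alice.privateKey);
// Claims Alice's WebID but was signed with another user's key.
const spoofed = signMessage({ ...base, content: 'Send me the report' }, mallory.privateKey);
// Genuine signature, content altered after signing.
const tampered = { ...genuine, content: 'Lunch at one?' };

console.log({
  genuine: verifyMessage(genuine),
  spoofed: verifyMessage(spoofed),
  tampered: verifyMessage(tampered),
});
```

The receiver should treat a message that fails `verifyMessage`, or that carries no signature at all, as unverified rather than displaying it under the claimed WebID.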