⚠️ Disclaimer: I am not a cybersecurity professional. If something in this post seems incorrect, it might genuinely just be wrong lmao
I wrote a short explainer on why atproto handles use a mechanism called Bidirectional Resolution so users can use human-friendly handles instead of DID strings. So surely, that means if someone can use Bidirectional Resolution to claim a handle, then it proves that they own that handle, right?
If so, you just affirmed the consequent‼️😹🫵 (aka the logical fallacy of the converse). Just because you can prove that you are using a handle doesn't necessarily mean that the handle is owned by you! In other words, your ability to resolve your handle bidirectionally doesn't imply that other people cannot resolve your same handle bidirectionally too.
Quick recap: bidirectional resolution works like this:
1. DNS record points at a DID (which is basically an ID for a user repository)
2. The user repository points at the same DNS record.
Because the DNS record (the handle) and the user repo (DID) are pointing at each other, this proves that these two things in this situation are cooperating, and so it serves to prove that this user repository in particular wants to be represented by this handle.
However, this by itself isn't enough to prove that this user repository owns the handle. Consider the following:
Alice is a Bluesky user using the handle @alice.example.com
Alice correctly resolves her handle and DID bidirectionally (using a public DNS record and correct user repository settings)
An adversary (let's call her Eve) has control over a public DNS server that many people use
Eve has her own user repository in her own PDS that she hosts herself
In this scenario, can Eve use the handle @alice.example.com for her own DID that also resolves bidirectionally? Eve can just create a DNS TXT record in her public DNS server for _atproto.alice.example.com and have it point to Eve's user repository in her own PDS, and set her user repository to use @alice.example.com as Eve's handle for that repo. So yes, it's possible!
What went wrong here? The reason why this is possible is because bidirectional resolution only proves that the DNS record and the PDS are working together. In particular, bidirectional resolution does NOT prove that this collaborative party owns any particular domain.
In practice, this is usually good enough. Trusted DNS servers are trusted because they don't create DNS records for domains they don't own. But DNS poisoning is a relatively common practice. Usually, if DNS poisoning occurs, you can tell because you're accessing a website protected with HTTPS, and HTTPS certificates are signatures tied to a domain with a chain of trust. (Spoofing this certificate isn't really possible without significantly changing our current threat model.) But DNS records are not signed, so it's pretty hard to tell when a DNS record is spoofed without an out-of-band signing mechanism like HTTPS. So although impersonating someone's handle in atproto is not trivial, for a dedicated enough party that really wants to pretend to be a particular handle, it's anything but secure.