Who Owns Your ATProto Identity? Hint: It's Probably Not You
This post describes a critical flaw in ATProto's identity management: Personal Data Server (PDS) operators hold far more control over user identities than most users realize. Because the PDS holds both the key that signs a user's records and the key that rotates it, an operator can impersonate users across every ATProto application or retire their identity outright, concentrating trust in a way that contradicts the protocol's decentralized ambitions. The author details how this design, convenient because it spares users from managing keys themselves, makes the whole system brittle and undermines the assumptions many hold about owning their identity on ATProto platforms such as Bluesky.
The Lowdown
The article "Who Owns Your ATProto Identity? Hint: It's Probably Not You" examines the ownership and control mechanisms of the ATProto protocol, focusing on the role of Personal Data Servers (PDS). It shows that power is concentrated in PDS operators, who in the default deployment hold ultimate control over a user's digital identity, and argues that this undermines the decentralization the system is perceived to offer.
- PDS Controls Your Identity: Your PDS holds both your signing key (used to sign the posts, likes, and follows in your repository) and, for did:plc identities, your rotation key (used to change signing keys or move to another PDS), effectively granting it full control of your Decentralized Identifier (DID).
- Total Impersonation Capability: Because it holds the signing key, a PDS operator can sign records as any user it hosts across all ATProto applications (e.g., Bluesky, Tangled, Grain, Leaflet), so malicious activity is cryptographically indistinguishable from legitimate user actions.
- Ecosystem-Wide Ban Risk: An operator can terminate a user's entire ATProto identity, locking them out of every application and service tied to that identity across the ecosystem, not just a single platform.
- Significant Security Vulnerability: Compromise of a single PDS grants an attacker the same power over every user hosted on it, including impersonation across the entire ATProto ecosystem, with supply-chain attacks against developers whose code is published under their identity among the more severe consequences.
- Trade-off: Convenience vs. Sovereignty: The system prioritizes user convenience by abstracting complex key management, but this comes at the cost of genuine user sovereignty, resting critical trust solely on PDS operators.
- Proposed Solutions: The author suggests making self-controlled rotation keys the default during account creation, integrating them into client applications, and improving documentation to clearly explain the implications of PDS key control to users.
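The two points above about key control and the proposed fix can be made concrete with a small audit over a did:plc state document. This is an added example, not code from the original post or from the ATProto project. It assumes the JSON shape exposed by the PLC directory's "data" view (`rotationKeys`, `verificationMethods`, `services`), that the PDS operator publishes the rotation keys it holds, and that did:plc rotation keys are ordered by priority with the first key able to override lower-priority keys during the recovery window. All `did:key` values, the DID and the endpoint are constructed placeholders.

```python
"""Audit who controls a did:plc identity from its PLC state document.

Added example, not part of the original post. The document shape follows the
PLC directory "data" view; every key, DID and endpoint below is a constructed
placeholder.
"""
import json

# Rotation keys the PDS operator is known to hold. Assumption: the operator
# publishes this list. The did:key strings are made up, not real keys.
PDS_ROTATION_KEYS = frozenset({"did:key:zPdsRotationKeyExample"})

# Constructed sample for an account created with the defaults: the PDS
# generated the signing key and is the sole rotation key holder.
DEFAULT_ACCOUNT = json.dumps({
    "did": "did:plc:exampleexampleexamplexx",
    "rotationKeys": ["did:key:zPdsRotationKeyExample"],
    "verificationMethods": {"atproto": "did:key:zPdsSigningKeyExample"},
    "alsoKnownAs": ["at://alice.example.com"],
    "services": {"atproto_pds": {"type": "AtprotoPersonalDataServer",
                                  "endpoint": "https://pds.example.com"}},
})


def audit_identity(plc_json, pds_rotation_keys=PDS_ROTATION_KEYS):
    """Classify who can rotate a did:plc identity and whether the user wins.

    Rotation keys are an ordered list: an earlier key has higher priority and
    can override, within the recovery window, an operation signed by a later
    key. A user-held key therefore only gives a recovery path against the PDS
    if it sits before the PDS key.
    """
    doc = json.loads(plc_json)
    rotation = list(doc.get("rotationKeys", []))
    signing_key = doc.get("verificationMethods", {}).get("atproto")
    endpoint = doc.get("services", {}).get("atproto_pds", {}).get("endpoint")

    pds_pos = [i for i, k in enumerate(rotation) if k in pds_rotation_keys]
    user_pos = [i for i, k in enumerate(rotation) if k not in pds_rotation_keys]

    if not user_pos:
        control = "pds_only"
    elif not pds_pos:
        control = "user_only"
    elif min(user_pos) < min(pds_pos):
        control = "shared_user_priority"
    else:
        control = "shared_pds_priority"

    return {
        "did": doc.get("did"),
        "pds_endpoint": endpoint,
        # The document names the signing key but cannot say who holds its
        # private half; in the default deployment that is the PDS, and no
        # rotation-key arrangement changes what it can sign today.
        "signing_key": signing_key,
        "pds_can_rotate": bool(pds_pos),
        "user_can_rotate": bool(user_pos),
        "user_can_override_pds": control in ("user_only", "shared_user_priority"),
        "rotation_control": control,
    }


def with_user_key(plc_json, user_key, position=0):
    """Return the document as it would look after adding a self-held
    rotation key at the given priority position (0 = highest)."""
    doc = json.loads(plc_json)
    keys = [k for k in doc.get("rotationKeys", []) if k != user_key]
    keys.insert(position, user_key)
    doc["rotationKeys"] = keys
    return json.dumps(doc)


if __name__ == "__main__":
    user_key = "did:key:zUserRotationKeyExample"  # constructed placeholder
    for label, doc in (("default", DEFAULT_ACCOUNT),
                       ("user key first", with_user_key(DEFAULT_ACCOUNT, user_key, 0)),
                       ("user key last", with_user_key(DEFAULT_ACCOUNT, user_key, 1))):
        print(label, audit_identity(doc)["rotation_control"])
```

Two things the output makes visible that the bullets alone do not: adding a self-held rotation key only helps if it is placed ahead of the PDS key, since a lower-priority key cannot undo what the PDS does with its own; and even the best rotation-key arrangement leaves the PDS able to sign records as the user, because the signing key stays on the server. A self-held rotation key buys recovery and migration, not protection from impersonation.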
Ultimately, the article argues that despite ATProto's architectural decentralization, its current key management design concentrates immense power in PDS operators, producing a system that demands the kind of trust normally associated with centralized platforms and exposing users to the corresponding risks.