
Show HN: Proven – An alternative to Twitter's verified accounts, with HN support - dschep
https://github.com/dschep/proven
======
mike-cardwell
Some suggestions:

1\. Add rel="noreferrer" to the links you inject.

2\. I don't think nested anchors are valid HTML. Try injecting your links
after the username link, not inside it. And the underline between each icon on
hover (in Firefox on HN pages at least) looks horrible.

3\. All those icons look messy. Why not collapse into a single keybase icon
which maybe opens a tooltip with more details when you click on it?

~~~
CiPHPerCoder
Can I suggest rel="noreferrer noopener"?

[https://www.jitbit.com/alexblog/256-targetblank---the-
most-u...](https://www.jitbit.com/alexblog/256-targetblank---the-most-
underestimated-vulnerability-ever/)

~~~
dessant
rel="noreferrer" also implies noopener.

[https://www.w3.org/TR/html5/links.html#link-type-
noreferrer](https://www.w3.org/TR/html5/links.html#link-type-noreferrer)

------
huhtenberg
>
> [https://raw.githubusercontent.com/dschep/proven/master/scree...](https://raw.githubusercontent.com/dschep/proven/master/screenshots/screenshot4.png)

You probably want these icons at 50% opacity to match existing styling of the
block.

Also, as others have noted, it makes the page look overly busy with secondary
items, so they are probably best kept hidden by default, shown on hover and
fronted by a single (smaller) icon, like a checkmark. That is, you hover over
the checkmark - you see it expand into the list of icons.

~~~
j2kun
Or better, an indication of the number of verifications via the single icon,
with hover to show exactly which verifications they are

------
ievans
It looks like the manifest specifies permissions for
[https://keybase.io/_/api/1.0/*;](https://keybase.io/_/api/1.0/*;) you may
want to make it a bit more general because if you ever need to bump the API
version, Chrome will (sensibly) disable your extension until the users has
accepted the new permissions.

~~~
jedberg
Which is arguably a good security practice, reminding the user once in a while
what permission they've granted.

That highly limited permission actually makes me more likely to install this.

~~~
davidsawyer
Yeah, I agree it's definitely a good security practice of Chrome. On the
developer side of this, though, it definitely can lose you a lot of users
pretty quickly if you add new permissions at any point, so I think it's
important to carefully consider permissions before launching an extension.

For my Chrome extension[1], a change[2] in the Airbnb URLs that it runs on
caused a significant spike in uninstalls[3] just because it probably scared
people a bit. Not a huge deal or anything. Just wanted to share my experience
with this stuff.

[1] [https://chrome.google.com/webstore/detail/airbnb-price-
per-n...](https://chrome.google.com/webstore/detail/airbnb-price-per-night-
co/lijeilcglmadpkbengpkfnkpmcehecfe)

[2] [https://github.com/davidsawyer/airbnb-price-per-night-
correc...](https://github.com/davidsawyer/airbnb-price-per-night-
correcter/commit/732d84ac1ba0b1608cecd10d3a3bf9af6f374308)

[3] [https://i.imgur.com/JBBolM1.png](https://i.imgur.com/JBBolM1.png)

~~~
dschep
Interesting. I'll probably add some form of github and/or reddit support in
the future, and I don't feel comfortable adding those URLs unnecessarily, so
at somepoint there will be permissions updates anyway ¯\\_(ツ)_/¯

~~~
dessant
Being able to display a custom message along the permission update request
would be great, just like how GitHub does it for apps.

Requesting additional permissions without an explanation accompanying it can
cause confusion, users may think that the request is unwarranted, or that
there is something wrong with the extension. They may also decline it out of
habit, given how extensions are auto-updated during the browser session, and
the request seemingly pops out of nowhere.

See the version adoption[0] for one of my extensions, 1.1.0 has requested
additional permissions. This may be problematic when you are trying to deliver
a critical update that requires new permissions.

[0] [https://i.imgur.com/hiKLyYT.png](https://i.imgur.com/hiKLyYT.png)

~~~
foota
I think chrome has an API for requesting permissions, instead of having them
part of the extensions manifest. This means you can present custom prompts and
such before the chrome prompt.

------
kris-s
I wanted a more pseudo-anonymous form of this, which is why the message board
I built is invite only (still pretty new). I think if you prune bad inviters,
you can build a really high quality user base that is still mostly anonymous
(depending on their username).

Still very early stages, [https://filigree.app](https://filigree.app) if you'd
like to check it out. Invite code kris-75c23bae7837 if you want to register.

Edit: quite a few people registered, so I'm deactivating that invite code.

~~~
Nadya
What about Keybase is not pseudo-anonymous? I've remained pseudonymous just
fine.

~~~
kris-s
Sorry if I wasn't clear, I think it can be fairly anonymous if you're careful.
Keybase requires an email to register, which can of course be made anonymous
but it's still a small hurdle.

------
xyclos
I wasn't aware of keybase before seeing this. I really like this extension and
keybase. Now I'm curious as to how difficult it might be to get my work to
switch from slack.

~~~
russdpale
It isn't quite slack ready yet, but its steadily getting there. I love keybase
for my personal needs, and share a team folder with my S.O :)

------
doguozkan
The badges for dschep are not displayed on HN's homepage while petethomas'
are. They are displayed correctly on the comments page and dschep's profile.

Edit: The issue is intermittent and it seems to be about displaying badges
after the first user on every page; the first user will have their badges
displayed correctly while the rest mostly won't.

~~~
dschep
I just published v2.1 which fixes the issue! You'll be able to update once
Google & Mozilla push/approve the new version.

edit: damnit. now it's duplicating badges. That's what i get for trying to
rush a fix.

~~~
doguozkan
It's working fine now and doesn't seem to be duplicating badges. Thanks.

~~~
dschep
yup. just realized this was because I had my dev version & the store version
installed on my firefox.

------
Nadya
The only thing preventing me from using this is it makes UI's very cluttered,
especially in scenarios with a lot of verified users. I only care about the
Keybase verification as from there I can check for the rest. Hovering Keybase
would provide an interface to show the rest. I see there's an issue to change
the UI so I look forward to that - so I guess I'll wait.

E: It's very cluttered in this thread, for example [0]. Also, in Chrome, a
users' verified websites don't appear - they do in Firefox.

[0] [https://vgy.me/o3NVtf.png](https://vgy.me/o3NVtf.png)

~~~
dschep
I've already pushed v2.1 which should address the issues you have in chrome,
but google is slow to publish new versions to the store.

And yeah, I do want to get around to making it less cluttery in the interface,
but that'll take more work.

Edit: v2.1 is live on the Chrome web store.

------
dschep
Since the biggest complaint has been about clutter, I've added an option to
show only the keybase badge. Update to v2.3.1 once Chrome Web Store & Firefox
Add-ons updates are pushed/approved!

------
TeMPOraL
Hah, I like it! Thanks for doing that!

Now, I wonder how Keybase decides which services to allow verification
through, and if they plan to expand the list further. I've already verified
everything except cryptocurrency stuff, and there are couple more things I'd
love to (like Mastodon).

~~~
dschep
Technically, you can prove any service by posting a signed proof on it, but
keybase won't be aware of it, so it's not very useful.

------
mscasts
Unless you're famous or trying to be, why would you want to prove to everyone
who you are?

~~~
Jach
I know someone with this scenario: they pissed off someone years back, and
that someone made a twitter account pretending to be them, which despite lack
of activity in years still ranks on the first page when searching their full
name. Twitter does nothing about it. Friend doesn't even use Twitter, has an
account that's "private" but not really anything in it. Solvable longer term
with SEO/twitter participation but it's not ideal. Sometimes you just want to
make clear that someone pretending to be you is not you, and if social media
and search companies can take that into account, all the better.

~~~
80386
Something like this happened to me. I couldn't think of anything else to do,
and didn't have much on my resume at the time, so I changed my name to
something common enough that there's hardly any chance Google will find me.

~~~
no_identd
That's an anti-solution, tho.

~~~
80386
Yeah, it sucks. But I don't know if a solution is possible.

------
Oras
This is fantastic, just installed on Firefox and it's really helpful.

Just one feedback, if you can add a setting to increase the space between
icons this would be very useful.

------
orta
Yeah, +1 this is a verified I could get behind.

------
pcmonk
This is wonderful!

One thing: It looks like it shows the DNS badges on Twitter but not HN.

~~~
timtadh
It looks like v2.1 has fixed that.

Also, +1 this is awesome.

@dang if you are here: HN should do this natively!

~~~
nickpsecurity
Having the Keybase link/proof in profile lets you prove identity without
changing the site. It's worked fine so far. It's also how I found out about
Keybase.

------
vivan
This is awesome - I was actually in the middle of building something similar
(but not using Keybase for verification... that would have been so much better
than rolling my own).

I think this is a better solution.

------
jedberg
I have no idea how hard it is to build an extension for Safari, so I don't
know if this is a huge request or a simple request, but: Will you have it
available on Safari?

(Alternatively, anyone have a good guide on building my own safari extensions
from a Firefox/Chrome extension? My two minutes of Googling yielded nothing
useful.)

~~~
dschep
I don't know. Does it use the web extension "standard"? If so, it' shouldn't
be difficult, I just don't have the equipment to test that.

~~~
zchrykng
Pretty sure safari extensions need to be native at this point... They are apps
through the mac app store, if I remember correctly.

~~~
Volt
They _can_ be distributed through the App Store, but they don't have to be.

[https://safari-extensions.apple.com](https://safari-extensions.apple.com)

------
mbowcutt
I guess it removes an extra step, but is it all that useful to have every icon
appear everywhere?

For instance, instead of having the Facebook icon appear by a user's Twitter
name, couldn't a single icon show they're Proven for Twitter and link to their
Keybase where I can see all their Proven identities, including Facebook?

~~~
s3m4j
[Twitter account] being proven by [Twitter account] kinda defeats the point.
You'd want, at a glance, to be able to tell that this account has been linked
and proven to belong to all of these other accounts, on these other
independent websites.

------
jonnu
I see other users keybase icons on their twitter feeds, but if I look at my
own I don't see the icons at all. Is that intentional?

~~~
dschep
Huh. That's interesting. I don't see any on your profile either. I've added a
bug to figure that.
out[https://github.com/dschep/proven/issues/21](https://github.com/dschep/proven/issues/21)

------
nutate
I use it and I like it.

------
mattcaldwell
Oooh this is awesome!

~~~
aguynamedben
Sweet! Keybase seems pretty cool.

------
mkagenius
But how do we know it is actually powered by Keybase. I dont even know what is
a dschep.

But I guess you got to start somewhere.

~~~
pcmonk
Just click the Keybase link next to the username, and you can verify each of
the connections yourself.

~~~
mkagenius
> Just click the Keybase link next to the username, and you can verify each of
> the connections yourself.

Ah. I thought the logo itself meant its verified (like on twitter).

