Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: Proven – An alternative to Twitter's verified accounts, with HN support (github.com)
334 points by dschep 9 months ago | hide | past | web | favorite | 75 comments

Some suggestions:

1. Add rel="noreferrer" to the links you inject.

2. I don't think nested anchors are valid HTML. Try injecting your links after the username link, not inside it. And the underline between each icon on hover (in Firefox on HN pages at least) looks horrible.

3. All those icons look messy. Why not collapse into a single keybase icon which maybe opens a tooltip with more details when you click on it?

Can I suggest rel="noreferrer noopener"?


rel="noreferrer" also implies noopener.


I've already pushed 2.2 in which I did exactly that :)

1. definitely! thanks for the pointer

2. yeah. I should do that.

3. Yup. Already on my roadmap, just makes things a bit more complicated.

Edit: 1 & 2 done in v2.2

> https://raw.githubusercontent.com/dschep/proven/master/scree...

You probably want these icons at 50% opacity to match existing styling of the block.

Also, as others have noted, it makes the page look overly busy with secondary items, so they are probably best kept hidden by default, shown on hover and fronted by a single (smaller) icon, like a checkmark. That is, you hover over the checkmark - you see it expand into the list of icons.

Or better, an indication of the number of verifications via the single icon, with hover to show exactly which verifications they are

Hah. Already did that in version v2.2 :)

Nice job with the icons, but I'm seconding replacing all those icons with a single keybase icon and an on-hover / on-click popup. It really does get busy; my username has 8 extra icons next to it.

I'd still love if those icons/links were actually hidden in a popup and not removed altogether - they serve a nice discovery purpose for peoples' Github / FB / Twitter accounts and personal websites (inb4 privacy - this is already public info for HN users if you put a keybase proof in your profile, just usually requires extra two clicks to get to).

EDIT: just installed on mobile. Works great, but the clutter introduced by the icons is extra pronounced on the phone.

Update to v2.3.1 and there's an option to show only the keybase badge :)

A popup will happen eventually, but that'll take a bit more development effort.

Awesome! And again, thanks for this project. It's great, and exposes a somewhat hidden aspect of this community - a slow Keybase infiltration :). I haven't seen any other project requiring you to put something in your HN profile that would get so much traction.

I'd recommend limiting it to two by default: the keybase icon, and the site icon.

The site icon is redundant though. Keybase wouldn't appear if they weren't verified on the site. If you meant "website icon" then that doesn't resolve the "mess" for people with multiple site proofs - I already have two and might be getting a third one soon. I know a few people who have four or five.

The as-a-dropdown-from-Keybase is probably the best solution.

It looks like the manifest specifies permissions for https://keybase.io/_/api/1.0/*; you may want to make it a bit more general because if you ever need to bump the API version, Chrome will (sensibly) disable your extension until the users has accepted the new permissions.

Which is arguably a good security practice, reminding the user once in a while what permission they've granted.

That highly limited permission actually makes me more likely to install this.

Yeah, I agree it's definitely a good security practice of Chrome. On the developer side of this, though, it definitely can lose you a lot of users pretty quickly if you add new permissions at any point, so I think it's important to carefully consider permissions before launching an extension.

For my Chrome extension[1], a change[2] in the Airbnb URLs that it runs on caused a significant spike in uninstalls[3] just because it probably scared people a bit. Not a huge deal or anything. Just wanted to share my experience with this stuff.

[1] https://chrome.google.com/webstore/detail/airbnb-price-per-n...

[2] https://github.com/davidsawyer/airbnb-price-per-night-correc...

[3] https://i.imgur.com/JBBolM1.png

Interesting. I'll probably add some form of github and/or reddit support in the future, and I don't feel comfortable adding those URLs unnecessarily, so at somepoint there will be permissions updates anyway ¯\_(ツ)_/¯

Being able to display a custom message along the permission update request would be great, just like how GitHub does it for apps.

Requesting additional permissions without an explanation accompanying it can cause confusion, users may think that the request is unwarranted, or that there is something wrong with the extension. They may also decline it out of habit, given how extensions are auto-updated during the browser session, and the request seemingly pops out of nowhere.

See the version adoption[0] for one of my extensions, 1.1.0 has requested additional permissions. This may be problematic when you are trying to deliver a critical update that requires new permissions.

[0] https://i.imgur.com/hiKLyYT.png

I think chrome has an API for requesting permissions, instead of having them part of the extensions manifest. This means you can present custom prompts and such before the chrome prompt.

Yeah, I think that's the right way to do it. You don't really want to add entire domains that your extension does nothing with yet. Though in hindsight, I should have just found all the Airbnb subdomains, TLDs, etc. up front because my extension was intended to be used throughout all of Airbnb, if that makes sense.

I wanted a more pseudo-anonymous form of this, which is why the message board I built is invite only (still pretty new). I think if you prune bad inviters, you can build a really high quality user base that is still mostly anonymous (depending on their username).

Still very early stages, https://filigree.app if you'd like to check it out. Invite code kris-75c23bae7837 if you want to register.

Edit: quite a few people registered, so I'm deactivating that invite code.

What about Keybase is not pseudo-anonymous? I've remained pseudonymous just fine.

Sorry if I wasn't clear, I think it can be fairly anonymous if you're careful. Keybase requires an email to register, which can of course be made anonymous but it's still a small hurdle.

Urbit has an identity hierarchy too, though I don't think they've implemented the related banning systems of getting rid of the bad 'inviters' along with their children invitees when too many people from that part of the network aren't good. You might find more inspiration from their system, in particular the scarcity aspects.

Hello. Would you happen to have another invite code that can be used? I just came across this and would love to register/check out what you have. Thanks.

Bah! I wanted the invite code.

Here ya go: kris-ffdd9e150679

I wasn't aware of keybase before seeing this. I really like this extension and keybase. Now I'm curious as to how difficult it might be to get my work to switch from slack.

It isn't quite slack ready yet, but its steadily getting there. I love keybase for my personal needs, and share a team folder with my S.O :)

The badges for dschep are not displayed on HN's homepage while petethomas' are. They are displayed correctly on the comments page and dschep's profile.

Edit: The issue is intermittent and it seems to be about displaying badges after the first user on every page; the first user will have their badges displayed correctly while the rest mostly won't.

I just published v2.1 which fixes the issue! You'll be able to update once Google & Mozilla push/approve the new version.

edit: damnit. now it's duplicating badges. That's what i get for trying to rush a fix.

It's working fine now and doesn't seem to be duplicating badges. Thanks.

yup. just realized this was because I had my dev version & the store version installed on my firefox.

I'm seeing the same thing (Firefox).

Apart from that this is a great little extension. I especially like that it only asks for access to the sites it's known to work with, rather than blanket access.

The only thing preventing me from using this is it makes UI's very cluttered, especially in scenarios with a lot of verified users. I only care about the Keybase verification as from there I can check for the rest. Hovering Keybase would provide an interface to show the rest. I see there's an issue to change the UI so I look forward to that - so I guess I'll wait.

E: It's very cluttered in this thread, for example [0]. Also, in Chrome, a users' verified websites don't appear - they do in Firefox.

[0] https://vgy.me/o3NVtf.png

I've already pushed v2.1 which should address the issues you have in chrome, but google is slow to publish new versions to the store.

And yeah, I do want to get around to making it less cluttery in the interface, but that'll take more work.

Edit: v2.1 is live on the Chrome web store.

Since the biggest complaint has been about clutter, I've added an option to show only the keybase badge. Update to v2.3.1 once Chrome Web Store & Firefox Add-ons updates are pushed/approved!

Hah, I like it! Thanks for doing that!

Now, I wonder how Keybase decides which services to allow verification through, and if they plan to expand the list further. I've already verified everything except cryptocurrency stuff, and there are couple more things I'd love to (like Mastodon).

Technically, you can prove any service by posting a signed proof on it, but keybase won't be aware of it, so it's not very useful.

Unless you're famous or trying to be, why would you want to prove to everyone who you are?

Social proofs will become more valuable (imho) as we move toward a Web3.0 hybrid identity model where the identity layer, data layer, and application layer are seperate and we have taken ownership of our personal data. Keybase, Blockstack and others working on the Web of Trust concept, are establishing the means for us to prove ownership of our social media accounts by cross posting uniquely identified tokenized messages which link back to provable account owners. This is one way towards solving "fake news", and introduced attribution and attestation across multiple identities. The more accounts you've linked and proved, the more trustworthy your communications through those channels.

I know someone with this scenario: they pissed off someone years back, and that someone made a twitter account pretending to be them, which despite lack of activity in years still ranks on the first page when searching their full name. Twitter does nothing about it. Friend doesn't even use Twitter, has an account that's "private" but not really anything in it. Solvable longer term with SEO/twitter participation but it's not ideal. Sometimes you just want to make clear that someone pretending to be you is not you, and if social media and search companies can take that into account, all the better.

Something like this happened to me. I couldn't think of anything else to do, and didn't have much on my resume at the time, so I changed my name to something common enough that there's hardly any chance Google will find me.

That's an anti-solution, tho.

Yeah, it sucks. But I don't know if a solution is possible.

This is one of the reasons I go through efforts of having social media accounts.

If you dont define your own social branding you leave yourself a backdoor to trolls.

I don't care to prove to anyone who I am (hence pseudonymous) - however I do care to prove what I say. Being able to prove I am who I say I am allows me to also prove what I say is what I say. I'm not particularly famous - but in a few social circles I have authority. Enough authority that it is important that people are able to verify within good measure if it was really me who said something or not.

It's the other side of the equation that is more important to me. I want to know if someone who is claiming to be a well known person is actually that person. If someone comes in here and claims to be the inventor of redis, I want to know that they actually are.

One use case I can think of: someone claims to be the author of a well known library. With their github account proven, that's pretty easy to establish.

This is fantastic, just installed on Firefox and it's really helpful.

Just one feedback, if you can add a setting to increase the space between icons this would be very useful.

Yeah, +1 this is a verified I could get behind.

This is wonderful!

One thing: It looks like it shows the DNS badges on Twitter but not HN.

It looks like v2.1 has fixed that.

Also, +1 this is awesome.

@dang if you are here: HN should do this natively!

Having the Keybase link/proof in profile lets you prove identity without changing the site. It's worked fine so far. It's also how I found out about Keybase.

This is awesome - I was actually in the middle of building something similar (but not using Keybase for verification... that would have been so much better than rolling my own).

I think this is a better solution.

I have no idea how hard it is to build an extension for Safari, so I don't know if this is a huge request or a simple request, but: Will you have it available on Safari?

(Alternatively, anyone have a good guide on building my own safari extensions from a Firefox/Chrome extension? My two minutes of Googling yielded nothing useful.)

I don't know. Does it use the web extension "standard"? If so, it' shouldn't be difficult, I just don't have the equipment to test that.

Pretty sure safari extensions need to be native at this point... They are apps through the mac app store, if I remember correctly.

They can be distributed through the App Store, but they don't have to be.


I guess it removes an extra step, but is it all that useful to have every icon appear everywhere?

For instance, instead of having the Facebook icon appear by a user's Twitter name, couldn't a single icon show they're Proven for Twitter and link to their Keybase where I can see all their Proven identities, including Facebook?

[Twitter account] being proven by [Twitter account] kinda defeats the point. You'd want, at a glance, to be able to tell that this account has been linked and proven to belong to all of these other accounts, on these other independent websites.

I see other users keybase icons on their twitter feeds, but if I look at my own I don't see the icons at all. Is that intentional?

Huh. That's interesting. I don't see any on your profile either. I've added a bug to figure that. outhttps://github.com/dschep/proven/issues/21

I use it and I like it.

Oooh this is awesome!

Sweet! Keybase seems pretty cool.

But how do we know it is actually powered by Keybase. I dont even know what is a dschep.

But I guess you got to start somewhere.

Just click the Keybase link next to the username, and you can verify each of the connections yourself.

> Just click the Keybase link next to the username, and you can verify each of the connections yourself.

Ah. I thought the logo itself meant its verified (like on twitter).

This and what the author said basically.

What pcmonk said. And:

* I'm a dschep, sorry I don't work at keybase

* it's open source

* extensions are easy to unpack & view the source if you don't trust I'm not tampering the extension before upload

* I do no obfuscation of the JS, it's only 201 LOC

> * extensions are easy to unpack & view the source if you don't trust I'm not tampering the extension before upload

Surprised browsers plugin centers (stores?) don't let you just put your github repository and build your extension depending on a given branch (or tags) and then informs the user that the extension was directly pulled from GitHub or other version control sources (and provides a direct link) it would be a little more interesting.

That'd be neat. Like docker hub supports and f-droid requires(IIRC)!

That would mean they get published without any checks - an easy attack vector for malware.

If pull requests are auto accepted sure? But that shouldn't normally be the case.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact