
Verified tweets using DIDs

In the wake of the recent Twitter hack, Charles Hoskinson released a whiteboard video in which he explains how DIDs and blockchain could help to prevent such hacks in the future.

While more and more people see the potential of blockchain technology, most are still waiting for that one dApp that will bring mainstream adoption. In order to achieve this goal that dApp must, in my opinion, make use of the added value of blockchain without its users knowing they are actually using the blockchain. Ease-of-use is a fundamental part of every successful application.

With 330 million monthly active users, Twitter certainly has the potential to become that (d)App, if, and only if, blockchain can bring some real added value without changing Twitter’s user experience too much.

Let’s see what Charles had to say about all of this.

Twitter has some problems

  • authentication
  • verification

This allows hackers or other bad actors to impersonate high-profile users (e.g. @BarackObama and @elonmusk) and cause all kinds of problems.

Just imagine what could happen if the account of the CEO of a Fortune 500 company were hacked and used to tweet that he is stepping down immediately and admits to having abused several women over the last years. The stock price would probably tank immediately, prompting the hacker to load up on shares. By the time it becomes apparent that it was only fake news, all the bad actor needs to do is wait for the stock price to recover and sell at a profit.

Prerequisites for a solution

  • don't change much / don't make radical changes (UX / UI)
  • keep it simple and easy to understand
  • build on solid foundations
  • it must be secure
  • keep the current business model
  • it should be cheap and easy to maintain

The solution

Signatures

First we need a signature, and for this situation public key cryptography is the preferred choice. This type of cryptography requires both a public key and a private key.

You can sign your message with your private key after which anybody can verify whether the signed message is real using your public key.

Decentralized identifiers

By making use of DIDs, we now have a tool to handle identity online by making use of public & private keys.

A DID consists of two parts:

  1. the DID ID, a unique identifier made up of letters and numbers (e.g. 752Ax32)
  2. the DID document, a structured set of information about the DID which can include your public key

The verified tweet

The technology above allows us to sign our tweets with our private key.

A “Twitterless” layer of security

During the latest hack, Twitter itself was compromised rather than individual profiles.

How can we implement a solution that adds an extra layer of security without requiring much from Twitter itself?

  1. Be able to somehow register and verify a DID during account creation (or when updating your profile)
  2. Forward this request to a whitelisted ID verifier (e.g. Verisign, a government, …)


A 4-step process

  1. Somehow register and verify a DID during account creation or while updating your existing Twitter profile.
  2. This request is forwarded to a whitelisted ID verifier (e.g. Verisign, a government, …). They inspect the DID document and all supporting evidence, and if everything checks out they sign it with their key.
  3. The signed DID goes back to Twitter, where it is signed once more after Twitter makes sure it meets all of their standards.
  4. The DID, now signed by both the ID verifier and Twitter, is embedded in a blockchain (e.g. Cardano). This gives you the following properties:
    • timestamping (ordering of events)
    • auditability (anybody can verify it)
    • immutability (nobody can change it)

Atala PRISM would make all of the above fairly easy to integrate on both sides. In a later stage, so-called threshold proofs (e.g. “I’m older than 21 years”) and revocation (e.g. applying for new credentials if you lose your cell phone) could be added as well.

When everything is set up, the user holds a credential that Twitter doesn’t have: Twitter doesn’t hold the private key that corresponds to the public key in the DID document. If Twitter ever got hacked again, only regular tweets could be posted from your account. Posting verified tweets becomes impossible, as the hackers don’t have your private key!

Does the proposal comply with the prerequisites?

Don’t change much / don’t make radical changes (UX / UI)

The GUI would just show two different types of tweets that look slightly different. The verified tweet could, for example, have a grey background and a blue checkmark, while the regular tweet keeps its plain white background without a checkmark.

Keep it simple and easy to understand

Sure, Twitter users are already familiar with something similar: the blue checkmark for verified accounts. Signing a tweet could be as easy as using the fingerprint scanner on your cell phone.

Build on solid foundations

Public key cryptography has been around since the seventies, has thousands of peer-reviewed papers published about it and has been battle-tested over and over again. The W3C DID standard is supported by big companies all over the world.

Keep the current business model

Twitter can simply outsource the verification of IDs to trusted vendors.

It should be cheap and easy to maintain

The business model can stay the same (as the verification of IDs can be outsourced). All that is required is a small update to the GUI so that verified tweets are displayed in a clear and attractive manner.

Some benefits for the end users

  • verified tweets give extra credibility
  • giveaway scams are easily detected
  • no more impersonations
  • secure private communication (establish secure channel between 2 DIDs)
  • challenge / response enhanced access control (extra layer on top of 2FA)
  • multisig tweets (allow curation of tweets by trusted 3rd party)

Charles’ whiteboard video: How to Fix twitter

Final thoughts

This could very well be the real-world application that brings blockchain to the general public. However, as these big companies are slow-turning vessels, it might just be a bit too soon. I anticipate SMEs to adopt this kind of solution first, but you never know. Especially as Charles mentioned multiple times that he’s willing to implement this for Twitter at cost…
