Bluesky has seen its user base soar since the U.S. presidential election, boosted by people seeking refuge from Elon Musk’s X, or wanting an alternative to Meta’s Threads and its algorithms.
So… Having no public API means people just develop libraries to interact with your private API.
Furthermore, Beautiful Soup can work on any page… It’s just a matter of how easily.
CSRF doesn’t do what I think you think it does. It only works with a cooperating client (i.e. it’s to protect a user in their own web browser). If it’s a bot you’d just scrape the token and move on.
Fluctuations in user actions can also be simulated (you can have a bot architecture that delays work to be done to be similar to what a normal user might do/say/post) … and rate limiting can be overcome by just using more accounts, stolen IP addresses, etc.
You can do a lot, but it’s always going to be a bit of a war. Things you’re suggesting definitely help (a lot of them echo strategies used by RuneScape to prevent/reduce bots), but … I think saying it’s an architecture problem is a bit disingenuous; some of those suggestions also hurt users.
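The scope of a CSRF check as described in the comment above, shown as an added example that is not part of the thread: a session-bound token rejects a forged cross-site request, but the server sees no difference between a person and any other client that holds the session and read the form. The function names and the HMAC-per-session token scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment would load this from config.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in the HTML form served to this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_post(session_cookie, submitted_token) -> bool:
    """Accept a state-changing request only if the token matches the session."""
    if not session_cookie or not submitted_token:
        return False
    expected = issue_csrf_token(session_cookie)
    return hmac.compare_digest(expected, submitted_token)


def classify_requests() -> dict:
    """Run the check over four constructed requests and report the verdicts."""
    session = secrets.token_hex(16)        # constructed session id
    other_session = secrets.token_hex(16)  # a second, unrelated session
    token = issue_csrf_token(session)
    return {
        # The site's own form: cookie plus the token rendered into the page.
        "same_site_form": check_post(session, token),
        # Forged cross-site form: the browser attaches the cookie, but the
        # foreign page could not read the token, so none is submitted.
        "cross_site_forgery": check_post(session, None),
        # A token issued for a different session does not transfer.
        "token_from_other_session": check_post(
            session, issue_csrf_token(other_session)
        ),
        # A non-browser client using its own session and the token from the
        # form it fetched: byte-for-byte the same request as the first case.
        "automated_client_own_session": check_post(session, token),
    }


if __name__ == "__main__":
    for name, accepted in classify_requests().items():
        print(f"{name:32s} accepted={accepted}")
```

The first and last cases are indistinguishable to `check_post`, so a passing CSRF check should not be treated as a bot signal.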
deleted by creator
How do you propose such an architecture works?
deleted by creator
Verified identities using government ID schemes; loads already exist. I verified my account on LinkedIn for free.
deleted by creator
Yeah, we would have to trust the anonymization and security of the authentication services, but I see no other way to defeat the bots.
I think there could be many other benefits as well if it works.