Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • @[email protected]
    link
    fedilink
    English
    126
    edit-2
    11 months ago

    Repeat after me: anything I write on the internet should be treated as public information. If I want to keep any conversation private, I will not post it in a public website.

    • @[email protected]
      link
      fedilink
      English
      2611 months ago

      I agree with you, however there are issues with not just privacy but also authenticity. I should be able to post as me, even in public, and have a way to prove it. Nobody else should be posting information as me, if that makes sense.

      • @[email protected]
        link
        fedilink
        English
        1411 months ago

        For that, we should start bringing our own private keys to the server, instead of trusting the server to control everything.

        And if we start doing that, pretty soon we will end up asking ourselves why do we need the server in the first place, and we will evolve to something like what nostr is doing.

        I’m all for it.

        • @ttmrichter
          link
          English
          211 months ago

          …evolve to something like what nostr is doing.

          Giving places for cryptobros to wank without being pointed at and laughed at by their betters?

            • @ttmrichter
              link
              011 months ago

              I’m pretty sure that 99.44% of nostr is cryptobros.

                • @ttmrichter
                  link
                  -211 months ago

                  When I see nostr users that number more than, say, six who aren’t also cryptobros, I’ll drop the nostr disrespect. Until then … 🤷‍♂️

                  • @[email protected]
                    link
                    fedilink
                    English
                    6
                    edit-2
                    11 months ago

                    You are doing nothing but a strawman. Lemmy is developed by shit-for-brains tankies, yet there is no denying that their work has brought progress to the distributed web.

                    Same thing for nostr. Whether you like it or not, nostr “cryptobros” have shown a bunch of things that need improvement on the Fediverse and they are backing their words with actions and working code. You on the other hand have nothing but smug, pretentious bullshit to throw around.

      • 0x1C3B00DA
        link
        fedilink
        411 months ago

        Sure, but that’s already solved on the fediverse by using HTTP Signatures and isn’t related to Authorized Fetch.

        • @[email protected]
          link
          fedilink
          English
          211 months ago

          I meant to say generally, for folks that might read this comment and think problems surrounding the platform and security are solved.

      • @ttmrichter
        link
        English
        -111 months ago

        Clear sign every post using a third-party application. Make your public keys known far and wide. Authenticity solved.

        • Natanael
          link
          fedilink
          English
          511 months ago

          And now we’re dealing with key management instead

          • @ttmrichter
            link
            211 months ago

            You always need key management if you have decentralized authentication.

          • @ttmrichter
            link
            011 months ago

            You always need key management if you have decentralized authentication.

    • sj_zero
      link
      fedilink
      511 months ago

      Seriously. Bobthenazi could just go to an aligned server and make an account Bobthenotzi and boom – perfectly able to follow whoever he wants.

      • @[email protected]
        link
        fedilink
        English
        4
        edit-2
        11 months ago

        One more reason to argue that we should drop the idea of “aligned” servers and that we are moving to a future where it is better to charge (small) amounts from everyone instead of depending on (large) donations from a few.

        • sj_zero
          link
          fedilink
          311 months ago

          Ideally, a distributed fediverse wouldn’t need much in terms of donations because it’s a bunch of small instances instead of a few huge ones.

          • @[email protected]
            link
            fedilink
            English
            3
            edit-2
            11 months ago

            Not the point. The point that instances that are open for everyone will be open for bad actors as well.

            If the mere act of signing up to an instance requires a small payment, you are automatically preventing the absolute majority of spammers, “spray and pray” scammers and channer trolls.

    • @[email protected]
      link
      fedilink
      English
      511 months ago

      To add a bit of important nuance to this idea (particularly how this argument comes up with regards to threads). This does not apply to legal rights over your content. That is to say, of course you should treat any information you put out there as out of your control with regards to access but if somebody tries to claim legal rights over your content they are probably breaking the law.

      • @[email protected]
        link
        fedilink
        English
        611 months ago

        Right. Publicly available does not mean in public domain. But the issue here is not of copyright, but merely of gated access.

        • @[email protected]
          link
          fedilink
          English
          2
          edit-2
          11 months ago

          Totally. I’m just trying to bring it up whenever I see folks having this discussion because some people don’t seem to make the distinction. Worries me that some are so willing to cede that big social will illegally hoover up our data and there’s nothing we can do about it.

    • froggers
      link
      English
      -45
      edit-2
      11 months ago

      anything I write on the internet should be treated as my private information. If I want to keep any conversation private, I will still post it in a public website.

      EDIT: I’m so sorry that my stupid comment offended some people. Always forget how special some people can be on this website. Once again I’m sorry for my lack of better judgement.

        • froggers
          link
          English
          -811 months ago

          About as triggered as those who downvoted me.

          • @[email protected]
            link
            fedilink
            English
            811 months ago

            No, you’re right. Everyone who downvoted probably also went on an angry tirade first, but they just didn’t type it out. Totally the same. 👍

      • @solrize
        link
        English
        411 months ago

        I don’t think your comment was offensive per se. It was just ridiculously naive. If we are trying to build practical tools, they have to fit how things work in the real world, not how they work in anybody’s dreams. If you want to have private conversations on a public website, use encryption.