Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • @[email protected]
    link
    fedilink
    English
    126
    edit-2
    11 months ago

    Repeat after me: anything I write on the internet should be treated as public information. If I want to keep any conversation private, I will not post it in a public website.

    • @[email protected]
      link
      fedilink
      English
      2611 months ago

      I agree with you, however there are issues with not just privacy but also authenticity. I should be able to post as me, even in public, and have a way to prove it. Nobody else should be posting information as me, if that makes sense.

      • @[email protected]
        link
        fedilink
        English
        1411 months ago

        For that, we should start bringing our own private keys to the server, instead of trusting the server to control everything.

        And if we start doing that, pretty soon we will end up asking ourselves why do we need the server in the first place, and we will evolve to something like what nostr is doing.

        I’m all for it.

        • @ttmrichter
          link
          English
          211 months ago

          …evolve to something like what nostr is doing.

          Giving places for cryptobros to wank without being pointed at and laughed at by their betters?

            • @ttmrichter
              link
              011 months ago

              I’m pretty sure that 99.44% of nostr is cryptobros.

                • @ttmrichter
                  link
                  -211 months ago

                  When I see nostr users that number more than, say, six who aren’t also cryptobros, I’ll drop the nostr disrespect. Until then … 🤷‍♂️

      • 0x1C3B00DA
        link
        fedilink
        411 months ago

        Sure, but that’s already solved on the fediverse by using HTTP Signatures and isn’t related to Authorized Fetch.

        • @[email protected]
          link
          fedilink
          English
          211 months ago

          I meant to say generally, for folks that might read this comment and think problems surrounding the platform and security are solved.

      • @ttmrichter
        link
        English
        -111 months ago

        Clear sign every post using a third-party application. Make your public keys known far and wide. Authenticity solved.

        • Natanael
          link
          fedilink
          English
          511 months ago

          And now we’re dealing with key management instead

          • @ttmrichter
            link
            211 months ago

            You always need key management if you have decentralized authentication.

          • @ttmrichter
            link
            011 months ago

            You always need key management if you have decentralized authentication.

    • sj_zero
      link
      fedilink
      511 months ago

      Seriously. Bobthenazi could just go to an aligned server and make an account Bobthenotzi and boom – perfectly able to follow whoever he wants.

      • @[email protected]
        link
        fedilink
        English
        4
        edit-2
        11 months ago

        One more reason to argue that we should drop the idea of “aligned” servers and that we are moving to a future where it is better to charge (small) amounts from everyone instead of depending on (large) donations from a few.

        • sj_zero
          link
          fedilink
          311 months ago

          Ideally, a distributed fediverse wouldn’t need much in terms of donations because it’s a bunch of small instances instead of a few huge ones.

          • @[email protected]
            link
            fedilink
            English
            3
            edit-2
            11 months ago

            Not the point. The point that instances that are open for everyone will be open for bad actors as well.

            If the mere act of signing up to an instance requires a small payment, you are automatically preventing the absolute majority of spammers, “spray and pray” scammers and channer trolls.

    • @[email protected]
      link
      fedilink
      English
      511 months ago

      To add a bit of important nuance to this idea (particularly how this argument comes up with regards to threads). This does not apply to legal rights over your content. That is to say, of course you should treat any information you put out there as out of your control with regards to access but if somebody tries to claim legal rights over your content they are probably breaking the law.

      • @[email protected]
        link
        fedilink
        English
        611 months ago

        Right. Publicly available does not mean in public domain. But the issue here is not of copyright, but merely of gated access.

        • @[email protected]
          link
          fedilink
          English
          2
          edit-2
          11 months ago

          Totally. I’m just trying to bring it up whenever I see folks having this discussion because some people don’t seem to make the distinction. Worries me that some are so willing to cede that big social will illegally hoover up our data and there’s nothing we can do about it.

    • froggers
      link
      English
      -45
      edit-2
      11 months ago

      anything I write on the internet should be treated as my private information. If I want to keep any conversation private, I will still post it in a public website.

      EDIT: I’m so sorry that my stupid comment offended some people. Always forget how special some people can be on this website. Once again I’m sorry for my lack of better judgement.

        • froggers
          link
          English
          -811 months ago

          About as triggered as those who downvoted me.

          • @[email protected]
            link
            fedilink
            English
            811 months ago

            No, you’re right. Everyone who downvoted probably also went on an angry tirade first, but they just didn’t type it out. Totally the same. 👍

      • @solrize
        link
        English
        411 months ago

        I don’t think your comment was offensive per se. It was just ridiculously naive. If we are trying to build practical tools, they have to fit how things work in the real world, not how they work in anybody’s dreams. If you want to have private conversations on a public website, use encryption.

  • FaceDeer
    link
    fedilink
    5911 months ago

    And so, once again, people discover the unsolvable dilemma of DRM.

    You can’t both publish your data where it can be seen by computers that are not under your control and somehow keep control of that data. Anything that purports to do so is either a temporary bandaid soon to be bypassed or nothing but placebo to begin with.

  • @Zak
    link
    English
    4711 months ago

    What I think a lot of conversations about privacy and security on the Fediverse miss is that the Fediverse is radically public.

    A protocol that sends everything you share to a long list of servers that haven’t been pre-screened and could be anything from a professionally-managed instance of vanilla Mastodon to an ad hoc, informally-specified, bug-ridden, slow implementation of half of ActivityPub running on a jailbroken smart light bulb can only ever be radically public. It’s possible to block most interactions with someone you don’t want to talk to, but not to reliably prevent them from seeing content you share to anything more than a short list of vetted followers.

    There probably isn’t any reasonable way to change that while keeping the open federation model, though it’s possible to build closed networks on top of ActivityPub for those who want the formats it supports for a curated group. This isn’t a problem to be solved in my view, but an inherent reality: the Fediverse is for things you want to make public.

    • @[email protected]
      link
      fedilink
      English
      1511 months ago

      Exactly! The only way that we can make sure that the Internet is not controlled by anyone is to make it available for everyone. If we are fighting for an open internet, we need to understand that this type of thing will be part of the package.

      • @Zak
        link
        English
        911 months ago

        We, by which I mean some loose group of people who want decentralized tools to thrive should also be building things for secure, private communication, and we are. Matrix, for example offers strongly end-to-end encrypted federated chat rooms and private messages. It also has a kind of rough UX and, IIRC resource-intensive server software. We should work toward improving that.

        I’m not advocating against privacy at all. I want people to understand as clearly as possible that Mastodon, Lemmy, and anything that works like them isn’t private and can’t be private when part of an open federated network so they can decide whether that’s a good fit for how they’re using it. The block evasion described in the link is just run a server on a domain that isn’t blocked, and I imagine any other mitigations bolted onto Mastodon that don’t break open federation will be little better.

        • @[email protected]
          link
          fedilink
          English
          3
          edit-2
          11 months ago

          tools to thrive should also be building things for secure, private communication.

          Sure, but this should not be seen on the same class of software of “social media” or even “the web”.

        • @ttmrichter
          link
          English
          211 months ago

          Matrix […] has a kind of rough UX and, IIRC resource-intensive server software. We should work toward improving that.

          Except that I get the vibes from the Matrix community that the shit UX is part of the attraction because it does a wonderful job of gatekeeping.

          I don’t hold out much hope for Matrix working out ever, but perhaps someday someone will use it as inspiration for making something that doesn’t suck.

          • @ChaosAD
            link
            English
            010 months ago

            Matrix is the protocol. You can have whatever client you like. There are mobile apps that are similar to discord and connect to matrix servers.

  • @[email protected]
    link
    fedilink
    English
    4611 months ago

    I’m kind of tired of social networks offering even the pretense of privacy. Just loudly proclaim that everything is public but clients can filter out shit you don’t wanna see.

    • Ada
      link
      fedilink
      English
      3111 months ago

      That doesn’t work for vulnerable minorities. Manually filtering each shitty person after you step in their shit gets old. Coupled with the fact that not shutting down shitty people just means more shitty people are likely to turn up.

      It’s not sustainable

      • Max-P
        link
        fedilink
        English
        3411 months ago

        I think in this context it’s meant on a technical level: as far as the fediverse is concerned, there’s not a whole lot instances can do. Anyone can just spin up an instance and bypass blocks unless it works on an allowlist basis, which is kind of incompatible with the fediverse if we really want to achieve a reasonable amount of decentralization.

        I agree that we shouldn’t pretend it’s safe for minorities: it’s not. If you’re a minority joining Mastodon or Lemmy or Mbin, you need to be aware that blocking people and instances has limitations. You can’t make your profile entirely private like one would do on Twitter or any of Meta’s products. It’s all public.

        You can hide the bad people from the users but you can’t really hide the users from the bad people. You can’t even stop people from replying to you on another instance. You can refuse to accept the message on the user’s instance, but the other instance can still add comments that don’t federate out. Which is kind of worse because it can lead to side discussions you have no way of seeing or participate in to defend yourself and they can be saying a lot of awful things.

        • @ChaosAD
          link
          English
          010 months ago

          You can’t make your profile entirely private like one would do on Twitter or any of Meta’s products.

          Even those are not private.

      • @[email protected]
        link
        fedilink
        English
        1611 months ago

        It’s the unfortunate reality. Social networks simply cannot in offer privacy. If they were upfront about it, then people could make rational decisions about what they share.

        But instead they (including Mastodon) pretend like they can offer privacy, when they in fact cannot, resulting in people sharing things that they would not otherwise share.

        • Ada
          link
          fedilink
          English
          1511 months ago

          It’s not as black and white as you make it. The options aren’t “perfect security” and “no security”.

          The option that most people that experience regular harassment want is “enough security to minimise the shit we have to deal with to a level that is manageable even if it’s imperfect”

          • @[email protected]
            link
            fedilink
            English
            511 months ago

            While you’re theoretically right, we’ve seen in practice that nobody really offers even the imperfect privacy you describe, and on decentralized systems it only becomes harder to solve.

            A Facebook style centralized network where you explicitly grant access to every single person who can see your content - is as close as we can get. But nobody is trying to make that kind of social network anymore, because there isn’t much demand for it.

            If you want a soapbox (Twitter/mastodon/bluesky, Reddit/Lemmy/kbin, Instagram/pixelfed, YouTube/toktok/peertube) then privacy is going to be a dream, especially if decentralized.

            • Ada
              link
              fedilink
              English
              311 months ago

              Vulnerable folk are looking for community, not a soap box. The goal is to connect with other folk whilst being as free as possible from harassment.

              It’s absolutely possible to achieve that without perfect privacy controls.

              • @[email protected]
                link
                fedilink
                English
                411 months ago

                Privacy and being free of (in-context) harassment aren’t the same thing. Your posts can all be public but your client can filter out any harassment, for example.

                If the goal is privacy so that people who aren’t in the community don’t know that you’re in the community, and don’t know what the community is even talking about, I’m skeptical that it’s practical. Especially for a decentralized network, I think that the sacrifices needed to make this happen would make the social network unappealing to users. For example, you’d need to make it invite only and restrict who can invite, or turn off any kind of discovery so that you can’t find people who aren’t already in your circle. At that point you might as well just use a group chat.

                • Ada
                  link
                  fedilink
                  English
                  611 months ago

                  Privacy and being free of (in-context) harassment aren’t the same thing.

                  They’re related. Often, the ability to limit your audience is about making it non trivial for harassers to access your content rather than impossible.

                  If the goal is privacy so that people who aren’t in the community don’t know that you’re in the community

                  That’s not the goal. The goal is to make a community that lets vulnerable folk communicate whilst keeping the harassment to a manageable level and making the sensitive content non trivial to access for random trolls and harassers.

                  It’s not about stopping dedicated individuals, because they can’t be stopped in this sort of environment for all the reasons you point out. It’s about minimising harassment from the random drive by bigots

          • @[email protected]
            link
            fedilink
            English
            411 months ago

            It’s about the nature of the network. If it’s just a little bubble where you only see and interact with your friends, it’s probably doable. But nobody seems to want that anymore.

            People want soapboxes like Twitter or Reddit or tiktok or YouTube. Privacy there is a lot more complicated and dubious.

            In this case specifically, I think that the bad servers are spoofing as good servers. Which seems solvable (else cryptography signing things wouldn’t work), but still.

      • 0x1C3B00DA
        link
        fedilink
        1211 months ago

        It’s not sustainable to keep offering poorly designed solutions. People need to understand some basic things about the system they’re using. The fediverse isn’t a private space and fediverse developers shouldn’t be advertising pseudo-private features as private or secure.

      • @sugarfree
        link
        English
        711 months ago

        A private forum may be useful in that case.

        • Ada
          link
          fedilink
          English
          111 months ago

          Why even bother with that comment?

  • @Alpha71
    link
    English
    1611 months ago

    I have no idea what any of that meant.

  • @solrize
    link
    English
    1011 months ago

    I still could use an ELI5 about what this authorized fetch feature was supposed to do. Was it supposed to basically disengage the Mastodon network from Threads? To stop Threads crap from showing up on Mastodon? Or to stop Mastodon discussions from showing up in Threads? Or something different?

    • Kierunkowy74
      link
      fedilink
      1911 months ago

      Authorised Fetch existed long before Instagram Threads. When it is turned on, an instance will require any other server to sign their request to fetch any post. This prevents “leaking” of posts via ActivityPub to blocked instances.

      This setting is turned off by default, because some software are incompatible with it (like /kbin, Pixelfed before June 2023, maybe Lemmy too), because it makes server load higher, and it may make some replies missing (at least on microblogging side).

      • @solrize
        link
        English
        711 months ago

        When it is turned on, an instance will require any other server to sign their request to fetch any post. This prevents “leaking” of posts via ActivityPub to blocked instances.

        Oh I see. Yeah that sounds pretty hopeless. Does it use the fetching site’s domain validated TLS certificate? Is the idea to permit fetching unless the fetching domain is on a blacklist? If yes, someone didn’t have their thinking cap on. The whole concept is dumb though, there is no way to prevent posts from leaking. The saying is that once 3 people know a secret, it is no longer secret.

  • @[email protected]
    link
    fedilink
    English
    2
    edit-2
    11 months ago

    Stop asking for pseuso-privacy features. The Fediverse is public by nature. Any “measures” to control access to the public posts on it are just lying to users.

    Server owners should be able to control who can access their servers - but that is NOT - and should NOT be - treated as a privacy feature.