pleroma.site

oh hey, i'm back.

Mastodon has disclosed to its admins that a security hole where it does not properly handle `Reject Follow` at all.

however, this security hole has existed since 2018.

also, the "fix" is to patch every Mastodon instance, because yet again, the entire trust architecture of the fediverse is backwards.

here's the bottom line: any other peer you federate with can do WHATEVER THE HELL IT WANTS with your data. the fact that admins are having to scramble to patch is because the whole fucking thing is broken.

scopes cannot work as advertised, it's IMPOSSIBLE. you have to rethink this in terms of expanded collections instead of virtual collections.

and even then, a hostile node can choose to just not be conformant with the spec and publish everything it receives for the public to see.

but hey, keep playing internet feudalism with broken crap, i guess.
replies
0
announces
12
likes
6

by the way, that security hole is specific to Mastodon. Pleroma, Hubzilla and even GNU Social's ActivityPub plugin handle Reject Follow correctly in their default configurations.

@kaniini I don't understand why this is a problem. Isn't that expected behavior to accept communication from all?

@farhan it's a problem if you expect scopes to behave as advertised, which they can't in a federated network

@kaniini @farhan I mean

scopes could behave as advertised if you end-to-end encrypt everything against every individual follower’s public key

but that’s computationally expensive, and key management becomes a pain

@bhtooefr @farhan

that also requires competently managing the cryptography. instead, we get 'message franking' so that a user's client can become a decryption oracle (for reporting purposes, but will most certainly be abused by nation states and other adversaries in the future)

@bhtooefr @farhan

in our current global political climate, using the fediverse for anything requiring privacy is foolish. mastodon should either adopt E2EE without message franking by default, or drop the scopes. they are not remotely trustworthy, and every moment that they exist is begging someone to shoot themselves in the foot.

@kaniini how much should I panick?

@kaniini @bhtooefr Perhaps I do not understand what a scope is.
Does that mean where an instance will forward your message to, in the event that a user boosts it?

@farhan @kaniini scopes are things like public, unlisted, followers-only, and direct

public is public

unlisted is public but won't show in your instance's local timeline or any (unmodified) instance's federated/the whole known network timeline

the problem that specifically happened here is with the followers-only scope, which is only supposed to be accessible by people who are following you

Fedi software sends those posts to remote instances, which then shows those posts to whoever the remote instance believes is following that poster, which is ludicrously insecure

...and Mastodon wasn't properly handling that, so after a remote follow was rejected, the posts were still making it to the remote users

...but a malicious instance can easily see those posts - and even "direct" posts - and share them with anyone, intentionally