Privacy

35471 readers

385 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

The 200+ Sites an ICE Surveillance Contractor is Monitoring (www.404media.co)

submitted 1 day ago by drascus@sh.itjust.works to c/privacy@lemmy.ml

22 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] arotrios@lemmy.world 1 points 1 day ago (1 children)

They would have to hack the individual servers to get at the DMs, because they’re encrypted in transit. All the public stuff is trivial to scrape.

Nope, ActivityPub DMs are not encrypted between servers - if it's on the feed, it's public- or at least it was as of six months ago. I found this out when I attached a Wordpress site to a Mastodon instance and suddenly found i could read anyone's DMs to users on other servers. Totally unencrypted. I actually paused development and working with ActivityPub because of it.

This doesn't mean that messages to users on the same server are necessarily exposed, but the potential is there if you don't have a filter for local publishing only engaged on your Mastodon instance.

[–] davel@lemmy.ml 4 points 1 day ago (1 children)

ActivityPub DMs are not encrypted between servers

It is insofar as TLS/SSL/HTTPS encryption is used in transit. That’s what I mean by encrypted in transit.

i could read anyone’s DMs to users on other servers

If you’re an administrator for (WordPress) ActivityPub server A, you can see all the DMs coming to and leaving from your server, yes. And they’re not encrypted at rest, so you can read them any time. But how would you see DMs going between server B and server C, when your server isn’t involved in the transaction?

[–] arotrios@lemmy.world 2 points 19 hours ago* (last edited 18 hours ago)

It apparently scrapes everything on the public feed. So when I subscribed to users on Mastodon server A from Wordpress, DMs from Mastodon server A going to Mastodon server B became visible.

I had a separate account on Mastodon server A to confirm that I couldn't see these DMs as Mastodon user on server A, and that the Wordpress scrape was grabbing messages normally not meant for public view.

This was using the ActivityPub plugin for Wordpress about six months ago.

EDIT: I should be clear that I was as surprised as the other commentators that the DMs weren't encrypted and that I could see them at all through a 3rd party software. I did NOT see DMs between local users - only cross-instance.