When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.

Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide who to show them. When you accept a follower, you not only place your trust to keep a secret on them, but also on their admin and the software they are running.

Edited to add the last block quote.

you are viewing a single comment's thread
view the rest of the comments

[–] PhilipTheBucket@ponder.cat 3 points 1 week ago (2 children)

Yeah, so there's no real way to implement private posts on Mastodon.

I mean, it is fine if you want to implement sort of "best effort" semi-privacy and make it clear to everyone involved that that's what it is, but for any reasonable definition of "private," the requirement that it not get shown to people outside the list of people allowed to see it needs to be enforced better than this. There will always be server software that doesn't "cooperate." That's just the nature of open distributed systems. If you're making assurances to your users that their posts will be private, you need to be the one enforcing that, not everyone else on the network and the protocol needs to be set up with the ability for that to happen (which ActivityPub is not, which means it's misleading that someone told users that they can have "private" posts via this hack.)

[–] Irelephant@lemm.ee 2 points 1 week ago (1 children)

I wouldn't consider it a hack, as the protocol was actually made with these posts in mind. Public posts weren't the focus of activitypub.

I would consider it similar to email, should we abandon it (yes, but not because of this) just because a malicious email server started publishing all the emails it recieved? AP is just email but social media.

[–] PhilipTheBucket@ponder.cat 2 points 1 week ago (1 children)

I would consider it similar to email, should we abandon it (yes, but not because of this) just because a malicious email server started publishing all the emails it recieved? AP is just email but social media.

Yes, and people implemented PGP for encrypted email, and also made SMTP over TLS the standard, so that they wouldn't have to demand that every router and every SMTP server everywhere on the internet agree not to republish or store secret information that was passing through it, because it started to become understood that email was in no way private.

A proper standard for private posts would be similar. You could have all private posts be encrypted with a rotating key, for example, and have them decrypted by anyone who had the key, on the client side, and stored and transmitted in encrypted form. Being approved to follow the private posts would involve your user being given a copy of the key through some kind of private key exchange. It sounds complex (and it would be, a little), and it would involve moving to the client some of the key management that currently happens on the instance server (and thus undoes some of the actually good design of ActivityPub, by just putting the instance software back in the position of keeping every actor's keys for them and doing all the crypto work on behalf of the users). Anyway, it would be work and involve some redesign. I'm not saying that's what they should have done. I'm saying that's what having private posts as a feature would mean. Anything else is non-private posts that are pretending to be private posts.

[–] Irelephant@lemm.ee 1 points 1 week ago (1 children)

Posts should be encrypted, this is what diaspora does. I agree with this. For emails though, pgp is used by no-one. Also, AP uses tls as well.

I was thinking that encrypted posts could work with multi key encryption (if my understanding of this post is correct https://stackoverflow.com/questions/597188/encryption-decryption-with-multiple-keys ).

The problem (imo) is mastodon being the internet explorer of the fediverse, and refusing to do any encryption.

[–] PhilipTheBucket@ponder.cat 2 points 1 week ago (1 children)

Yeah. One of the very few design feature of AP that I like is that actors have their very own keys, which means that in theory you could have the keys stay in the browser unlocked by a passphrase or something, and make it so no one could forge a message by a user except that user.

It would be pretty easy to extend that, so that Lemmy DMs get encrypted with the key of the actor meant to receive them, private posts get multi-encrypted with the public keys of any approved followers, et cetera. But yeah it seems like the amount of attention this stuff gets is very minimal.

[–] Irelephant@lemm.ee 2 points 1 week ago

That would also key in (no pun intended) with the nomadic identity FEPs.

[–] iltg@sh.itjust.works 1 points 1 week ago* (last edited 1 week ago) (1 children)

email works the same way. it's impossible to implement private emails? if you cc your email to im.going.to@leak.it and it leaks, would it be fair to complain about the whole email system?

e: should have read deeper first its already been said

[–] PhilipTheBucket@ponder.cat 2 points 1 week ago

https://discuss.privacyguides.net/t/email-isnt-private/20662