Maybe I’m wrong, but shouldn’t posts only be insecure if they’re propagated to the insecure instance?
Is any private post visible to people on servers that the poster doesn’t have followers on?
Could I curl the uri of a post thats “private” and get the post’s content?
Maybe I’m wrong, but shouldn’t posts only be insecure if they’re propagated to the insecure instance?
“Insecure” in this case simply means any server that doesn’t implement Mastodon’s custom handling for “private” posts. With that definition, the answer to your question is yes. It has been mentioned by Mastodon people that this is a significant problem for the ability to actually keep these private posts private in the real world. The chance of it going wrong is small (depending on your follower count) but the potential for harm is very large. I would therefore go further, and say that it’s a very bad thing that Mastodon is telling people that these posts are “private” when the mechanism which is supposed to keep them private is so unreliable.
Is any private post visible to people on servers that the poster doesn’t have followers on?
It is not. If you’re sufficiently careful with approving your followers, making sure that each of them is on an instance that’s going to handle private posts the way you expect, then you’re probably fine.
Could I curl the uri of a post thats “private” and get the post’s content?
If it’s been federated to an insecure server then yes. If not then I think no.
Mastodon really is the internet explorer of the fediverse.
In any case, I don’t think its that bad. I would compare it to an email provider accidentially leaking messages. Still bad, but its not a reason to abandon email as a means of communication.
We should encrypt posts, like diaspora does. Like how we should pgp encrypt emails, but no one will.
also, I just checked myself, a random “private” post I made isn’t accessible over AP if I curl it unauthenticated.
Running curl.exe https://calckey.world/notes/a63slz8j6l -H "Accept: application/activity+json" returns nothing, but replacing the uri with a public post does show it.
An insecure server’s copy of the post isn’t accessible over AP, only the original post’s link should return anything.
Maybe I’m wrong, but shouldn’t posts only be insecure if they’re propagated to the insecure instance? Is any private post visible to people on servers that the poster doesn’t have followers on?
Could I
curlthe uri of a post thats “private” and get the post’s content?“Insecure” in this case simply means any server that doesn’t implement Mastodon’s custom handling for “private” posts. With that definition, the answer to your question is yes. It has been mentioned by Mastodon people that this is a significant problem for the ability to actually keep these private posts private in the real world. The chance of it going wrong is small (depending on your follower count) but the potential for harm is very large. I would therefore go further, and say that it’s a very bad thing that Mastodon is telling people that these posts are “private” when the mechanism which is supposed to keep them private is so unreliable.
https://marrus-sh.github.io/mastodon-info/everything-you-need-to-know-about-privacy-v1.3-020170427.html
https://github.com/mastodon/mastodon/issues/712
It is not. If you’re sufficiently careful with approving your followers, making sure that each of them is on an instance that’s going to handle private posts the way you expect, then you’re probably fine.
If it’s been federated to an insecure server then yes. If not then I think no.
Mastodon really is the internet explorer of the fediverse.
In any case, I don’t think its that bad. I would compare it to an email provider accidentially leaking messages. Still bad, but its not a reason to abandon email as a means of communication.
We should encrypt posts, like diaspora does. Like how we should pgp encrypt emails, but no one will.
also, I just checked myself, a random “private” post I made isn’t accessible over AP if I curl it unauthenticated. Running
curl.exe https://calckey.world/notes/a63slz8j6l -H "Accept: application/activity+json"returns nothing, but replacing the uri with a public post does show it.An insecure server’s copy of the post isn’t accessible over AP, only the original post’s link should return anything.