Post 3097604 by LaH@mastodon.host
 (DIR) Post #3093640 by maple@computerfairi.es
       2019-01-18T07:13:17Z
       
       0 likes, 0 repeats
       
       Quick admin PSA from my charging station: if you are domain blocking any Pleroma servers, make sure to deny any requests from their domains in your server's firewall as well, because Pleroma does not honour blocks and will still be able to see your instance's posts and boost them.
       
 (DIR) Post #3093641 by KitRedgrave@cybre.space
       2019-01-18T07:14:02Z
       
       0 likes, 0 repeats
       
       @maple huh, really? that sounds like a horrible bug that should be brought to the development team's attention
       
 (DIR) Post #3093642 by maple@computerfairi.es
       2019-01-18T07:14:32Z
       
       0 likes, 0 repeats
       
       @KitRedgrave knowing pleroma it's by design. we've been talking about it for many months
       
 (DIR) Post #3093643 by KitRedgrave@cybre.space
       2019-01-18T07:15:46Z
       
       0 likes, 0 repeats
       
       @maple well, this is totally incongruous with kaniini being all up in arms about json-ld signatures and deniable objects. something seems to not add up.
       
 (DIR) Post #3093644 by Trysdyn@social.voidfox.com
       2019-01-18T07:17:15.233235Z
       
       0 likes, 0 repeats
       
       @KitRedgrave @maple It's configurable. Pleroma servers have a toggle to ignore block events and not honor them on the Pleroma side.
       
 (DIR) Post #3093645 by kaniini@pleroma.site
       2019-01-18T07:59:36.061355Z
       
       2 likes, 0 repeats
       
       @Trysdyn @KitRedgrave @maple That is entirely unrelated to this.  What is being described here is a defect in ActivityPub, in combination with Pleroma making the shared timelines visible by default to guest users.  Mastodon has the exact same problem, as does every other ActivityPub server.  I mean, did you honestly think that the instances you were blocking were going to let you know that they were getting leaks from your instance?
       
 (DIR) Post #3093858 by kaniini@pleroma.site
       2019-01-18T08:12:56.891358Z
       
       2 likes, 1 repeats
       
       @Trysdyn @KitRedgrave @maple To expand on what I mean for the people who do not read my posts on a regular basis (they probably have me personally blocked, but whatever), here is what is happening:
       
       1. A user on computerfairi.es posts a post.
       2. Somebody who follows that user and is followed by a user on blockedinstance.social makes a reply or boosts the post.
       3. The user on blockedinstance.social gets a copy of that interaction because it was addressed to as:Public.
       4. blockedinstance.social reconstructs the thread, fetching missing objects in it.
       5. Because there is no authentication requirement for fetching objects (or any other passive AP activity), blockedinstance.social now has a copy of your object.
       
       Unfortunately, at present, this means that the best mitigation is to firewall any instance you block that you also do not want to be able to receive posts from you. It is unfortunate that this is the present situation for quite a few reasons (the topological knowledge learned from requiring authentication on fetches would be very helpful for distributing Deletes, for example), but it is not a defect in Pleroma or any other ActivityPub software. Instead, it is a defect in ActivityPub itself: since there is no authentication requirement, there is no support for authenticated fetches in any of the implementations.
       
       While it may be disturbing to see, Pleroma is just showing you that ActivityPub is leaking your data all over the fediverse and sending it to instances you don't want it on. Blame the protocol, not the messenger.
       
       Hopefully that clarifies what is going on. You can also read my blog post about this particular issue: https://blog.dereferenced.org/activitypub-the-present-state-or-why-saving-the-worse-is-better-virus-is#unauthenticated-object-fetching
       
       It would be nice in the future if people did not make bad faith assumptions about why things are the way they are and instead reached out and actually asked about it. We are committed to improving the security posture of the fediverse.
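
The five steps above, modelled as an added example (this is not code from the thread, nor from Pleroma or Mastodon): a minimal object-fetch endpoint that, in its default mode, hands a Public object to any client, next to an optional authorized-fetch mode that requires an HTTP Signature on the GET (the draft-cavage signing string over (request-target), host and date) and refuses requesters whose keyId lives on a domain-blocked host. Every hostname, path, key and the HTTP date here is a constructed fixture; HMAC-SHA256 stands in for the RSA-SHA256 real implementations use so the block runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed fixtures for the five-step scenario in the post above.
LOCAL_HOST = "computerfairi.es"
DOMAIN_BLOCKS = {"blockedinstance.social"}
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
OBJECTS = {"/objects/1": {"id": f"https://{LOCAL_HOST}/objects/1", "type": "Note",
                          "to": [PUBLIC], "content": "a post by a computerfairi.es user"}}
# Stand-in for the actor public keys a server would fetch by keyId.  HMAC secrets
# replace RSA keys so this runs offline; the signing string is the draft-cavage one.
CYBRE_KEY = "https://cybre.space/users/kit#main-key"
BLOCKED_KEY = "https://blockedinstance.social/users/x#main-key"
ACTOR_KEYS = {CYBRE_KEY: b"constructed-secret-cybre", BLOCKED_KEY: b"constructed-secret-blocked"}
SIGNED_HEADERS = ["(request-target)", "host", "date"]

def signing_string(method, path, headers, signed):
    """One 'name: value' line per covered header; (request-target) expands to
    the lowercased method and path.  Raises KeyError if a covered header is absent."""
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)

def mac(secret, method, path, headers, signed):
    return hmac.new(secret, signing_string(method, path, headers, signed).encode(),
                    hashlib.sha256).digest()

def sign_request(key_id, secret, method, path, headers):
    """Value of the Signature header the fetching server would send."""
    digest = base64.b64encode(mac(secret, method, path, headers, SIGNED_HEADERS)).decode()
    return (f'keyId="{key_id}",algorithm="hs2019",'
            f'headers="{" ".join(SIGNED_HEADERS)}",signature="{digest}"')

def parse_signature_header(value):
    """Parse comma-separated key="value" parameters.  Values hold no commas
    (URLs, header names, base64), and partitioning on the first '=' keeps
    base64 padding intact."""
    params = {}
    for part in value.split(","):
        key, _, raw = part.partition("=")
        params[key.strip()] = raw.strip().strip('"')
    return params

def authorize_fetch(method, path, headers):
    """Authorized-fetch policy for a GET on a local object: (status, reason)."""
    sig = headers.get("signature")
    if sig is None:
        return 401, "unsigned fetch refused"
    params = parse_signature_header(sig)
    key_id = params.get("keyId", "")
    requester = (urlparse(key_id).hostname or "").lower()
    # Policy first, crypto second: the signature only tells us who is asking.
    if requester in DOMAIN_BLOCKS or any(requester.endswith("." + d) for d in DOMAIN_BLOCKS):
        return 403, f"{requester} is domain-blocked"
    secret = ACTOR_KEYS.get(key_id)
    if secret is None:
        return 401, "unknown key"
    signed = params.get("headers", "").split()
    if "(request-target)" not in signed or "date" not in signed:
        return 401, "signature must cover (request-target) and date"
    try:
        expected = mac(secret, method, path, headers, signed)
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except (KeyError, ValueError):
        return 401, "malformed signature"
    if not hmac.compare_digest(expected, given):
        return 401, "bad signature"
    return 200, "ok"  # a production check would also bound the Date skew

def fetch_object(path, headers, authorized_fetch):
    """Serve GET /objects/<n>.  With authorized_fetch=False this is the behaviour
    the thread describes: any client, blocked or not, gets the Public object."""
    if path not in OBJECTS:
        return 404, None
    if not authorized_fetch:
        return 200, OBJECTS[path]
    status, _reason = authorize_fetch("GET", path, headers)
    return status, (OBJECTS[path] if status == 200 else None)

def leak_scenario(authorized_fetch, requester_key=None):
    """Steps 1-5: a Public reply from cybre.space reaches blockedinstance.social,
    which rebuilds the thread by fetching inReplyTo from us.  requester_key is the
    key the fetching server signs with (None = plain unsigned GET)."""
    reply = {"type": "Note", "to": [PUBLIC], "inReplyTo": OBJECTS["/objects/1"]["id"]}
    target = urlparse(reply["inReplyTo"])  # step 4: the missing parent object
    headers = {"host": target.hostname, "date": "Fri, 18 Jan 2019 08:12:56 GMT",
               "accept": "application/activity+json"}
    if requester_key is not None:
        headers["signature"] = sign_request(requester_key, ACTOR_KEYS[requester_key],
                                            "GET", target.path, headers)
    return fetch_object(target.path, headers, authorized_fetch)  # step 5

if __name__ == "__main__":
    print("no policy, unsigned GET:", leak_scenario(False)[0])
    print("authorized fetch, blocked instance:", leak_scenario(True, BLOCKED_KEY)[0])
    print("authorized fetch, allowed instance:", leak_scenario(True, CYBRE_KEY)[0])
```

Two caveats a practitioner would want: the block is enforced from the host in the keyId, so it only helps against fetching servers that sign with a key that honestly names their own domain, and nothing here stops a third server that already holds the Public object from re-serving it. Authorized fetch narrows direct leakage from your own endpoint; it does not make a Public post private.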
       
 (DIR) Post #3096258 by maple@computerfairi.es
       2019-01-18T07:17:30Z
       
       0 likes, 0 repeats
       
       @KitRedgrave I'm assuming more malicious users of pleroma like shitposter club do not care about kaniini trying to do good, if they even are
       
 (DIR) Post #3096259 by KitRedgrave@cybre.space
       2019-01-18T07:19:02Z
       
       0 likes, 0 repeats
       
       @maple in which case, yeah perhaps you should firewall ban those instances if they're going to be horrible jerks
       
 (DIR) Post #3096260 by maple@computerfairi.es
       2019-01-18T07:19:49Z
       
       0 likes, 0 repeats
       
       @KitRedgrave my point exactly, and there's no way of knowing which will be so. If you're domain blocking a pleroma, firewall it automatically.
       
 (DIR) Post #3096261 by fuxoft@kompost.cz
       2019-01-18T09:53:48Z
       
       0 likes, 0 repeats
       
       @maple @KitRedgrave Why do you keep mentioning pleroma? This is an ActivityPub feature.
       
 (DIR) Post #3097604 by LaH@mastodon.host
       2019-01-18T10:57:22Z
       
       0 likes, 0 repeats
       
       @kaniini @maple @KitRedgrave @trysdyn I'm blaming neither the protocol nor the implementations for this. Public means public. If it's available anonymously over the whole internet, how could it be blocked from one particular instance? That's a weird idea.
       
       I don't know about Pleroma, but the problem with Mastodon is that the private posting options suck and leak messages.
       
 (DIR) Post #3097605 by kaniini@pleroma.site
       2019-01-18T11:03:41.616793Z
       
       1 likes, 0 repeats
       
       @LaH @Trysdyn @KitRedgrave @maple my personal interest in authenticated fetches is for topology awareness, but that doesn't mean that Mastodon couldn't use it to enforce blocks if it wanted to.  right now there's no mechanism.
       
 (DIR) Post #3098067 by LaH@mastodon.host
       2019-01-18T11:24:26Z
       
       0 likes, 0 repeats
       
       @kaniini @maple @KitRedgrave @trysdyn Blocking direct access makes it a bit harder, but it's still public on the internet.
       
       Topology awareness is both a good and a bad. Isn't what an instance can work out from its users' follower and following collections sufficient?
       
       Slightly related: the fact that follower and following collections are public by default (in Mastodon at least) is bad; I'm not sure they should be allowed even as an option. It's *far* too easy now to collect social graphs.
       
 (DIR) Post #3098068 by kaniini@pleroma.site
       2019-01-18T11:26:26.178106Z
       
       0 likes, 0 repeats
       
       @LaH I'm talking about topology concerning where a post has been copied to. We need this sort of knowledge for things like GDPR compliance. We also need to know it in order to improve Deletes.
       
       I'm not interested in discussing this further with you; please stop popping up in my mentions about this topic for a while, thanks.