Post ATeiZfTitH8HxJo0AK by tom@tomtau.be
 (DIR) Post #ATeIBHgX6Y02P5VeVc by tedu@honk.tedunangst.com
       2023-03-15T19:05:52Z
       
       1 likes, 4 repeats
       
       A little update on the temperamental mastodon, signed fetch, etc. This gets a bit confusing and goes off into the weeds, but maybe it's interesting if you're into fediverse nitty gritty.
       
       For background, I have trouble federating with mastodon in "secure" mode (I have signed fetch turned off). In theory, and I think according to most people's expectations, this would mean I can't talk to the secure servers. In reality, that basically works fine, but it's the secure servers that can't talk to me. Except sometimes.
       
       As previously noted, I am intermittently able to retrieve the signing key with an anonymous get. But usually not. If I'm following somebody on such a server, I get a whole pile of error messages in the log, and generally do the courteous thing and unfollow to spare their server some load. But I don't have to unfollow everybody...
       
       For example, I used to follow Alejandro and Beatrice, on the same temperamental server. Beatrice posts a lot, but I was unable to get her key, had a bunch of failures, and unfollowed. I didn't unfollow Alejandro because the server was happy and served up the key.
       
       Time passes, and now I can't get Alejandro's key anymore, but I did get Beatrice's key. Only the great Ganesha knows why. But because mastodon will send replies to followers (if it's the same server), I now see Beatrice's replies to Alejandro, but I can't see the original, even though I'm following A and not B. Awesome, right?
       
       Anyway, there's not really a point, just another day on the fediverse. Pound sign annals of activitypub.
       
 (DIR) Post #ATeiZfTitH8HxJo0AK by tom@tomtau.be
       2023-03-15T23:34:59Z
       
       0 likes, 0 repeats
       
       @tedu does Mastodon decide which keys you can fetch based on each user’s assumed astrological sign and the current planetary positions?
       
 (DIR) Post #ATeiZgIlpTxwVdgljU by tedu@honk.tedunangst.com
       2023-03-16T00:01:36Z
       
       0 likes, 0 repeats
       
       @tom in the infosec community, this is known as retrograde request smuggling. The lunar planetary phase disjunction creates an exploitable security gap.