- cross-posted to:
- privacy@lemmy.ml
- fediverse@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
- fediverse@lemmy.ml
Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.
Decentralised, open social networks cannot offer privacy. Private groups are perfectly feasible within a locked-down system with the necessary gatekeeping.
In theory isolated Mastodon servers without open signups could work as their own private communities as well.
All you need to do is take out or several restrict federation capabilities, and most of the Fediverse privacy problems go out of the window.
I think someone built a social network on top of Matrix that could use the builtin E2EE to restrict read access. Like with normal social media, you would need to hack servers or clients to get any chance at reading those posts unnoticed as an outsider.
In this case, Threads (and Tumblr, Foursquare, Mastodon) can mitigate this problem by simply not federating with anyone but known-good servers.
It’s about the nature of the network. If it’s just a little bubble where you only see and interact with your friends, it’s probably doable. But nobody seems to want that anymore.
People want soapboxes like Twitter or Reddit or tiktok or YouTube. Privacy there is a lot more complicated and dubious.
In this case specifically, I think that the bad servers are spoofing as good servers. Which seems solvable (else cryptography signing things wouldn’t work), but still.