Jonkman Microblog

Conversation

  1. :abunhdhappyhop: :abunhdhappy: :abunhdhop: :abunhd: :abunhdhappyhop: :abunhdhappy: (kaniini@pleroma.site)'s status on Saturday, 01-Aug-2020 16:41:43 EDT
    oh hey, i'm back.

    Mastodon has disclosed to its admins a security hole where it does not properly handle `Reject Follow` at all.

    however, this security hole has existed since 2018.

    also, the "fix" is to patch every Mastodon instance, because yet again, the entire trust architecture of the fediverse is backwards.

    here's the bottom line: any other peer you federate with can do WHATEVER THE HELL IT WANTS with your data. the fact that admins are having to scramble to patch is because the whole fucking thing is broken.

    scopes cannot work as advertised, it's IMPOSSIBLE. you have to rethink this in terms of expanded collections instead of virtual collections.

    and even then, a hostile node can choose to just not be conformant with the spec and publish everything it receives for the public to see.

    but hey, keep playing internet feudalism with broken crap, i guess.
    In conversation Saturday, 01-Aug-2020 16:41:43 EDT from pleroma.site
    1. :abunhdhappyhop: :abunhdhappy: :abunhdhop: :abunhd: :abunhdhappyhop: :abunhdhappy: (kaniini@pleroma.site)'s status on Saturday, 01-Aug-2020 16:45:49 EDT
      by the way, that security hole is specific to Mastodon. Pleroma, Hubzilla and even GNU Social's ActivityPub plugin handle Reject Follow correctly in their default configurations.
      In conversation Saturday, 01-Aug-2020 16:45:49 EDT from pleroma.site
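An added illustration, not code from Mastodon, Pleroma or any project named in the thread, of the handling the two posts above discuss: an inbox routine that records a local user's outbound Follow and then applies the peer's Accept or Reject, dropping the relationship on Reject even if it had already been accepted. The follow table, actor URLs and activities are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class FollowState:
    """Constructed in-memory record of our outbound Follows, keyed by Follow id."""
    pending: dict = field(default_factory=dict)   # id -> (follower, followee)
    accepted: dict = field(default_factory=dict)  # id -> (follower, followee)

def send_follow(state: FollowState, follow: dict) -> None:
    """A local user sent a Follow; remember it until the remote actor answers."""
    state.pending[follow["id"]] = (follow["actor"], follow["object"])

def _follow_id(obj) -> str:
    # The object of an Accept/Reject may be the embedded Follow or just its id.
    return obj["id"] if isinstance(obj, dict) else obj

def handle_inbox(state: FollowState, activity: dict) -> str:
    """Apply an inbound Accept or Reject to a Follow we sent; returns an outcome label."""
    kind = activity.get("type")
    if kind not in ("Accept", "Reject"):
        return "ignored"
    fid = _follow_id(activity["object"])
    rel = state.pending.get(fid) or state.accepted.get(fid)
    if rel is None:
        return "unknown-follow"
    follower, followee = rel
    # Only the actor the Follow was addressed to may answer it.
    if activity.get("actor") != followee:
        return "wrong-actor"
    if kind == "Accept":
        state.accepted[fid] = state.pending.pop(fid, rel)
        return "accepted"
    # Reject: remove the relationship whether it was pending or already accepted,
    # so later followers-only content from the peer is no longer treated as ours.
    state.pending.pop(fid, None)
    state.accepted.pop(fid, None)
    return "rejected"

def is_following(state: FollowState, follower: str, followee: str) -> bool:
    return (follower, followee) in state.accepted.values()

# Constructed sample activities; the hosts and actors are placeholders.
FOLLOW = {"id": "https://a.example/follow/1", "type": "Follow",
          "actor": "https://a.example/users/alice", "object": "https://b.example/users/bob"}
ACCEPT = {"type": "Accept", "actor": "https://b.example/users/bob", "object": FOLLOW}
REJECT = {"type": "Reject", "actor": "https://b.example/users/bob", "object": FOLLOW["id"]}
OTHER = {"type": "Reject", "actor": "https://c.example/users/carol", "object": FOLLOW["id"]}

def demo() -> list:
    st = FollowState()
    send_follow(st, FOLLOW)
    out = [handle_inbox(st, ACCEPT), is_following(st, FOLLOW["actor"], FOLLOW["object"])]
    out += [handle_inbox(st, OTHER), handle_inbox(st, REJECT)]
    return out + [is_following(st, FOLLOW["actor"], FOLLOW["object"])]
```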

Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.