Siina (siina@social.criminallycute.fi)'s status on Tuesday, 26-Dec-2023 04:47:19 JST:
lmao i'm not surprised that they're working around AUTHORIZED_FETCH
Honestly I thought they were doing this already, though I might have been thinking about some other person who was doing similar. :blobcatthonking:
RE: https://haqueers.com/users/Rairii/statuses/111641757827318245
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 04:50:49 JST: @siina cc @romin they actually consider this a problem poopyhead
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 04:54:39 JST: @siina @romin yes i was talking about this the other day and poopyface was like "how is this spoofing lol"
Siina (siina@social.criminallycute.fi)'s status on Tuesday, 26-Dec-2023 04:54:41 JST: @kirby@lab.nyanide.com @romin@shitposter.club authorised fetch is a broken idea and this isn't the first/only time it's been subverted. I know a few other places that do it too, and the only issue is that people are being sold it as if it's some privacy-ensuring measure. I'm just laughing that people are only now realising it.
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 04:58:04 JST: @Pawlicker @Zergling_man @siina i block instances by the ssn of the admins
PC-9801 Enjoyer (pawlicker@bae.st)'s status on Tuesday, 26-Dec-2023 04:58:05 JST: @siina @Zergling_man lol, lmao
Attachment: Screenshot_20231225-145613~2.png
Siina (siina@social.criminallycute.fi)'s status on Tuesday, 26-Dec-2023 04:58:06 JST: @Zergling_man@sacred.harpy.faith Yeah, I know of a handful of places that do it. Maybe people will realise it's not what they think it is and stop worrying about it.
Zergling_man (zergling_man@sacred.harpy.faith)'s status on Tuesday, 26-Dec-2023 04:58:08 JST: @siina As far as I can tell, yeah, it's that gleasonator simply reinvented it; I'm certain people have been doing this for ages, I think uhhh...
Nah, forgot the name. I get roboneko, crunk and someone else mixed up all the time and I think it was one of them.
(mint@ryona.agency)'s status on Tuesday, 26-Dec-2023 04:59:39 JST: @Pawlicker @Zergling_man @siina One line in Privoxy config.
Zergling_man (zergling_man@sacred.harpy.faith)'s status on Tuesday, 26-Dec-2023 05:01:09 JST: @mint @siina @Pawlicker Oh it was you! I'm pretty sure.
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Tuesday, 26-Dec-2023 05:01:58 JST: @mint @Pawlicker @Zergling_man @siina signing isn't even in the standard
(mint@ryona.agency)'s status on Tuesday, 26-Dec-2023 05:01:59 JST: @Pawlicker @Zergling_man @siina Maybe W3C people understand it's fucking snake oil unless you do whitelist federation.
Attachment: Screenshot_20231225_225909.png
PC-9801 Enjoyer (pawlicker@bae.st)'s status on Tuesday, 26-Dec-2023 05:03:22 JST: @mint @Zergling_man @siina you'd have to use an entirely different protocol to avoid this. Even shit like atproto isn't immune I bet
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 05:03:25 JST: @lain @Pawlicker @mint @Zergling_man @siina cc @meso told u bitsh
(mint@ryona.agency)'s status on Tuesday, 26-Dec-2023 05:04:07 JST: @Pawlicker @Zergling_man @siina You said how almost every bluesky security feature is client-side in one of your blogposts, yeah.
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Tuesday, 26-Dec-2023 05:06:16 JST: @meso @Pawlicker @mint @Zergling_man @siina because you can't federate without it
meso (meso@the.asbestos.cafe)'s status on Tuesday, 26-Dec-2023 05:06:17 JST: @lain @Pawlicker @mint @Zergling_man @siina why is gargron a faggot and includes that as a necessary step in his activitypub server tutorial
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 05:07:57 JST: @lain @Pawlicker @mint @Zergling_man @siina @meso what do you mean you can't? I'm confused
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Tuesday, 26-Dec-2023 05:09:05 JST: @kirby @Pawlicker @mint @Zergling_man @siina @meso no server supports unsigned activities, they all need http signatures. This is not in the standard, though.
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 05:10:18 JST: @lain @Pawlicker @mint @Zergling_man @siina @meso are authorized fetches and activities with http signatures not the same thing? there are a lot of cases where people don't use them
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Tuesday, 26-Dec-2023 05:11:51 JST: @kirby @Pawlicker @mint @Zergling_man @siina @meso yes it's the same mechanism, but posts to /inbox will always need to be signed, no server supports unsigned posts.
(mint@ryona.agency)'s status on Tuesday, 26-Dec-2023 05:12:51 JST: @meso @Pawlicker @kirby @lain @Zergling_man @siina No, signatures are good since otherwise anyone with a copy of curl could impersonate anyone else on the network by sending out fake activities. When it gets shoehorned into object fetching, that's where I have a problem. There's simply no valid reason why I should be able to view a post in the web frontend but not get the activity corresponding to the same public post if some janny couldn't handle my rizz.
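The inbox-signing mechanism lain and mint describe above, as an added example that is not code from any of the posters nor from Mastodon or Pleroma: a Ruby sketch of draft-cavage HTTP signature creation and verification for an ActivityPub POST to /inbox, with the checks a receiving server applies (signature covers the request target and Date, Digest matches the body, Date is fresh, keyId resolves to a key the receiver trusts). The RSA key pair, the keyId, the hostnames and the sample Create activity are constructed for the demo; `resolve_key` is a lambda standing in for fetching and caching the remote actor document.

```ruby
require "openssl"
require "json"
require "time"

# Constructed key pair standing in for a local actor's publicKey/privateKey pair.
# A real server loads these from storage and publishes the public half on the
# actor document; they exist here only so the example runs offline.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
DEMO_KEY_ID = "https://example.invalid/users/alice#main-key" # hypothetical keyId

# draft-cavage signing string: one "name: value" line per header listed in the
# Signature's `headers` field, in that order. The pseudo-header
# (request-target) binds the signature to the HTTP method and path.
def signing_string(method, path, headers, names)
  names.map do |name|
    if name == "(request-target)"
      "(request-target): #{method.downcase} #{path}"
    else
      "#{name}: #{headers.fetch(name)}"
    end
  end.join("\n")
end

# Digest header for a body, in the SHA-256= form Mastodon and Pleroma send.
def digest_for(body)
  "SHA-256=" + [OpenSSL::Digest.digest("SHA256", body)].pack("m0")
end

# Sign an outbound request and return the value of its Signature header.
def sign_request(key, key_id, method, path, headers, names = %w[(request-target) host date digest])
  sig = key.sign(OpenSSL::Digest.new("SHA256"), signing_string(method, path, headers, names))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{names.join(' ')}",signature="#{[sig].pack('m0')}")
end

# Split a Signature header into its name="value" parameters.
def parse_signature(header)
  header.scan(/(\w+)="([^"]*)"/).to_h
end

# Receiving side. `resolve_key` maps a keyId to the public key this server
# trusts for it (normally fetched from the remote actor document and cached;
# here a lambda over the demo key). Returns true only when the signature covers
# the target and Date, the Date is fresh, the Digest matches the body and the
# RSA signature verifies under the resolved key.
def verify_request(method, path, headers, body, resolve_key, now: Time.now)
  sig = parse_signature(headers.fetch("signature", ""))
  return false unless sig["keyId"] && sig["signature"] && sig["headers"]
  names = sig["headers"].split(" ")
  return false unless names.include?("(request-target)") && names.include?("date")
  # A body not covered by a matching Digest could be swapped after signing.
  unless body.empty?
    return false unless names.include?("digest") && headers["digest"] == digest_for(body)
  end
  # Reject stale signatures (replay window; an hour is a common server default).
  return false if (now - Time.httpdate(headers.fetch("date"))).abs > 3600
  pub = resolve_key.call(sig["keyId"])
  return false unless pub
  pub.verify(OpenSSL::Digest.new("SHA256"), sig["signature"].unpack1("m0"),
             signing_string(method, path, headers, names))
rescue KeyError, ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Walk through the cases: a properly signed Create to /inbox, the same request
# with its body altered, the same request with no signature, a keyId the
# receiver cannot resolve, and the signed request replayed against another path.
def demo
  body = JSON.generate(
    "@context" => "https://www.w3.org/ns/activitystreams",
    "type" => "Create",
    "actor" => "https://example.invalid/users/alice",
    "object" => { "type" => "Note", "content" => "hello" }
  )
  headers = { "host" => "remote.invalid", "date" => Time.now.httpdate, "digest" => digest_for(body) }
  headers["signature"] = sign_request(DEMO_KEY, DEMO_KEY_ID, "POST", "/inbox", headers)
  resolver = ->(key_id) { key_id == DEMO_KEY_ID ? DEMO_KEY.public_key : nil }
  unsigned = headers.reject { |k, _| k == "signature" }
  {
    valid:       verify_request("POST", "/inbox", headers, body, resolver),
    tampered:    verify_request("POST", "/inbox", headers, body.sub("hello", "pwned"), resolver),
    unsigned:    verify_request("POST", "/inbox", unsigned, body, resolver),
    unknown_key: verify_request("POST", "/inbox", headers, body, ->(_) { nil }),
    replayed:    verify_request("POST", "/users/bob/inbox", headers, body, resolver)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the `valid` case returns true. The `unsigned` and `unknown_key` cases are the "anyone with a copy of curl" scenario: a delivery whose keyId the receiver cannot tie to a known actor key is dropped before the activity is processed. The `replayed` case shows why (request-target) belongs in the covered headers: a signature minted for one inbox does not transfer to another path. A real receiver additionally checks that the actor named in the activity owns the resolved key; that step is left out here since it needs the remote actor document.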
meso (meso@the.asbestos.cafe)'s status on Tuesday, 26-Dec-2023 05:12:52 JST: @kirby @Pawlicker @lain @mint @Zergling_man @siina ARE HTTP signatures the same as authorized fetches?
dakkar (dakkar@s.thenautilus.net)'s status on Tuesday, 26-Dec-2023 05:13:52 JST: @siina@social.criminallycute.fi the "trick" is also extremely simple… and I don't think there's any serious protection outside of allow-list-only federation ☹
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Tuesday, 26-Dec-2023 05:13:58 JST: @mint @Pawlicker @kirby @Zergling_man @siina @meso it can make sense for activities with restricted audiences.
(mint@ryona.agency)'s status on Tuesday, 26-Dec-2023 05:14:59 JST: @lain @Pawlicker @kirby @Zergling_man @siina @meso Lockposts are defective by design, but they simply return "not found" in either case.
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 05:15:10 JST: @lain @Pawlicker @mint @Zergling_man @siina @meso and none of this is in the spec... amazing
Pleroma-tan (kirby@lab.nyanide.com)'s status on Tuesday, 26-Dec-2023 05:15:21 JST: @meso @Pawlicker @lain @mint @Zergling_man @siina they're supposed to be i think
on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ (lain@lain.com)'s status on Tuesday, 26-Dec-2023 05:18:10 JST: @kirby @Pawlicker @mint @Zergling_man @siina @meso at least we have important activity types like "TentativeReject" in the standard.
:blank: (i@declin.eu)'s status on Tuesday, 26-Dec-2023 05:18:16 JST: @lain @Pawlicker @kirby @mint @Zergling_man @siina @meso like C2S, anything but https://www.w3.org/ns/activitystreams#Public was a habitual mistake with the current S2S implementations
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 26-Dec-2023 05:24:37 JST: @siina @adiz There is security though, just not a whole lot, because at the end of the day it's open federation with a protocol designed to spread things far and wide.
The current one is a bit like saying that the web has no security because someone could read your public blog even though you blocked their network; the only thing you can really do is accept it and use other means for more sensitive data.
Like yeah, tracts aren't appropriate to send private memos, yet both are useful.
Siina (siina@social.criminallycute.fi)'s status on Tuesday, 26-Dec-2023 05:24:38 JST: @adiz@soc0.outrnat.nl I'm not saying whether or not it's a problem. XD It's fake security on a platform that offers no real security.
:verified_2:防空識別區𝒔𝒐𝒄𝟶 (adiz@soc0.outrnat.nl)'s status on Tuesday, 26-Dec-2023 05:24:39 JST: @siina@social.criminallycute.fi I don't really see how it's a problem and Authorized Fetch is kinda bogus anyway.
Soy_Magnus (soy_magnus@detroitriotcity.com)'s status on Tuesday, 26-Dec-2023 05:57:18 JST: @Zergling_man @siina it's probably me, the best java coder ever to grace the fediverse
Zergling_man (zergling_man@sacred.harpy.faith)'s status on Tuesday, 26-Dec-2023 05:58:15 JST: @Soy_Magnus @siina Ah, of course, silly me.
Hoss Delgado (hoss@shitpost.cloud)'s status on Tuesday, 26-Dec-2023 06:58:02 JST:
>Other server: "Do what I want."
>My server: "Lol, no."
Digital Fascism at work.
:verified_2:防空識別區𝒔𝒐𝒄𝟶 (adiz@soc0.outrnat.nl)'s status on Tuesday, 26-Dec-2023 06:58:03 JST: @siina@social.criminallycute.fi It's a faux sense of privacy which simultaneously violates the way servers are supposed to behave with one another by essentially allowing one server to dictate to remote servers what they can/cannot do. @kirby@lab.nyanide.com @romin@shitposter.club