Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mitra.social/objects/01988afe-d10d-8d32-a8fa-a9ffaf84098f">silverpill (silverpill@mitra.social)'s status on Saturday, 09-Aug-2025 03:44:20 JST</a><a href="https://mitra.social/users/silverpill" title="silverpill@mitra.social"><img src="https://gnusocial.jp/avatar/85321-48-20230105202807.webp" width="48" height="48" alt="silverpill" style="position: absolute; left: 0; top: 0;">silverpill</a><div><a href="https://metalhead.club/@mariusor/114994437442033374" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/346504" title="marius@marius.federated.id">Marius</a></li></ul></div></section><article><p><a href="https://metalhead.club/@mariusor">@mariusor</a> <a href="https://brutalinks.tech/~marius">@Marius</a> The problem with submitted public keys is that client controls the secret key. It can make signed requests and retrieve private objects, bypassing the server.</p><p>If the owner is not verified, the client can impersonate other actors on the server and retrieve private objects that are accessible to them but not to the current user (e.g. DMs).</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5447052#notice-10737355">In conversation</a><time datetime="2025-08-09T03:44:20+09:00" title="Saturday, 09-Aug-2025 03:44:20 JST">about 5 months ago</time> <span>from <span><a href="https://mitra.social/objects/01988afe-d10d-8d32-a8fa-a9ffaf84098f" rel="external" title="Sent from mitra.social via ActivityPub">mitra.social</a></span></span><a href="https://mitra.social/objects/01988afe-d10d-8d32-a8fa-a9ffaf84098f">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
silverpill (silverpill@mitra.social)'s status on Saturday, 09-Aug-2025 03:44:20 JSTsilverpill
in reply to
- marius
- Marius
@mariusor @Marius The problem with submitted public keys is that client controls the secret key. It can make signed requests and retrieve private objects, bypassing the server.
If the owner is not verified, the client can impersonate other actors on the server and retrieve private objects that are accessible to them but not to the current user (e.g. DMs).
In conversationabout 5 months ago from mitra.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice