Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://blob.cat/objects/2146a42a-d8ae-482f-9185-f019c68130bd">:blobcathug: (jain@blob.cat)'s status on Tuesday, 28-Nov-2023 17:44:44 JST</a><a href="https://blob.cat/users/Jain" title="jain@blob.cat"><img src="https://gnusocial.jp/avatar/4294-48-20220810062846.webp" width="48" height="48" alt=":blobcathug:" style="position: absolute; left: 0; top: 0;">:blobcathug:</a><div><a href="https://infosec.exchange/@thenexusofprivacy/111485066557114237" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><a href="https://infosec.exchange/@thenexusofprivacy">@thenexusofprivacy</a> <br>&gt; I certainly didn't mean to imply that authorized fetch is made to supress others talking about something.<br>I belive you that, and that is not what i fully meant to imply. That whole topic is a bit more complex to just reduce it to that, and i think you know that too.<br><br>&gt; Authorized fetch makes blocking more effective.  <br>Nah, i disagree. There is literally nothing that one can stop someone to read someones public posts. It might work for the average user, i give you that, but if there is a conflict between certain servers or someone is just curious, there will always be a way to get around authorized fetch. <br>Thats what i meant, that what i saw multiple times. Authorized fetch implies a level of "protection" that isnt really there and never was.<br><br>&gt; But, incremental progress is useful.<br>Yes i agree, in the usual situation thats true. But I would even say that in this context, more damage is being done than problems are being solved. Since authorized fetch is, as far as i know, not a usual feature but something that mastodon invented, how do the countless other softwares out there work with that?<br><br>Even the mastodon config page warns about that:<br><a href="https://docs.joinmastodon.org/admin/config/">https://docs.joinmastodon.org/admin/config/</a><br><br>&gt; Unfortunately, secure mode is not without its drawbacks, which is why it is not enabled by default. Not all software in the fediverse can support it fully, in particular some functionality will be broken with Mastodon servers older than 3.0; you lose some useful functionality even with up-to-date servers since linked-data signatures are used to make public conversation threads more complete; and because an authentication mechanism on public content means no caching is possible, it comes with an increased computational cost.<br><br>&gt; Secure mode does not hide HTML representations of public posts and profiles. HTML is a more lossy format compared to first-class ActivityPub representations or the REST API but it is still a potential vector for scraping content.<br><br>Now back to you:<br>&gt; - agreed that admins could change the settings on follow requests -- although I believe it requires customizing code, so not an option for people using hosted installations (and a hassle for everybody else).<br>That might actually be. I saw this on a server but idk if this requires patching mastodon. But just to mention, that for example, would be much more helpful for the situation we are talking about.</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2330986#notice-4715863">In conversation</a><time datetime="2023-11-28T17:44:44+09:00" title="Tuesday, 28-Nov-2023 17:44:44 JST">about a year ago</time> <span>from <span><a href="https://blob.cat/objects/2146a42a-d8ae-482f-9185-f019c68130bd" rel="external" title="Sent from blob.cat via ActivityPub">blob.cat</a></span></span><a href="https://blob.cat/objects/2146a42a-d8ae-482f-9185-f019c68130bd">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://docs.joinmastodon.org/admin/config/">Configuring your environment</a></h5><div></div></header><div>Setting environment variables for your Mastodon installation.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
:blobcathug: (jain@blob.cat)'s status on Tuesday, 28-Nov-2023 17:44:44 JST:blobcathug:
in reply to
- The Nexus of Privacy
@thenexusofprivacy
> I certainly didn't mean to imply that authorized fetch is made to supress others talking about something.
I belive you that, and that is not what i fully meant to imply. That whole topic is a bit more complex to just reduce it to that, and i think you know that too.

> Authorized fetch makes blocking more effective.
Nah, i disagree. There is literally nothing that one can stop someone to read someones public posts. It might work for the average user, i give you that, but if there is a conflict between certain servers or someone is just curious, there will always be a way to get around authorized fetch.
Thats what i meant, that what i saw multiple times. Authorized fetch implies a level of "protection" that isnt really there and never was.

> But, incremental progress is useful.
Yes i agree, in the usual situation thats true. But I would even say that in this context, more damage is being done than problems are being solved. Since authorized fetch is, as far as i know, not a usual feature but something that mastodon invented, how do the countless other softwares out there work with that?

Even the mastodon config page warns about that:
https://docs.joinmastodon.org/admin/config/

> Unfortunately, secure mode is not without its drawbacks, which is why it is not enabled by default. Not all software in the fediverse can support it fully, in particular some functionality will be broken with Mastodon servers older than 3.0; you lose some useful functionality even with up-to-date servers since linked-data signatures are used to make public conversation threads more complete; and because an authentication mechanism on public content means no caching is possible, it comes with an increased computational cost.

> Secure mode does not hide HTML representations of public posts and profiles. HTML is a more lossy format compared to first-class ActivityPub representations or the REST API but it is still a potential vector for scraping content.

Now back to you:
> - agreed that admins could change the settings on follow requests -- although I believe it requires customizing code, so not an option for people using hosted installations (and a hassle for everybody else).
That might actually be. I saw this on a server but idk if this requires patching mastodon. But just to mention, that for example, would be much more helpful for the situation we are talking about.
In conversationabout a year ago from blob.catpermalink
Attachments
1. No result found on File_thumbnail lookup.
  Configuring your environment
  Setting environment variables for your Mastodon installation.

Public

Embed Notice

HTML Code

Corresponding Notice