Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • PeriodicallyPedantic@lemmy.ca
    11 months ago

    I’m kind of tired of social networks offering even the pretense of privacy. Just loudly proclaim that everything is public but clients can filter out shit you don’t wanna see.

    • Ada@lemmy.blahaj.zone
      11 months ago

      That doesn’t work for vulnerable minorities. Manually filtering each shitty person after you step in their shit gets old. Coupled with the fact that not shutting down shitty people just means more shitty people are likely to turn up.

      It’s not sustainable

      • Max-P@lemmy.max-p.me
        11 months ago

        I think in this context it’s meant on a technical level: as far as the fediverse is concerned, there’s not a whole lot instances can do. Anyone can just spin up an instance and bypass blocks unless it works on an allowlist basis, which is kind of incompatible with the fediverse if we really want to achieve a reasonable amount of decentralization.

        I agree that we shouldn’t pretend it’s safe for minorities: it’s not. If you’re a minority joining Mastodon or Lemmy or Mbin, you need to be aware that blocking people and instances has limitations. You can’t make your profile entirely private like one would do on Twitter or any of Meta’s products. It’s all public.

        You can hide the bad people from the users but you can’t really hide the users from the bad people. You can’t even stop people from replying to you on another instance. You can refuse to accept the message on the user’s instance, but the other instance can still add comments that don’t federate out. Which is kind of worse because it can lead to side discussions you have no way of seeing or participating in to defend yourself and they can be saying a lot of awful things.
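The denylist versus allowlist point made in the comment above, as an added example that is not part of the thread and not Mastodon's or Lemmy's code. It assumes the HTTP signature has already been verified against the key published at `keyId`; the `example` domains, the policy sets and the helper names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed policy lists; the .example names are placeholders.
BLOCKED = {"blocked.example"}
ALLOWED = {"friends.example"}
_PARAM = re.compile(r'(\w+)="([^"]*)"')

def signer_host(signature_header):
    """Return the lowercase host named by keyId in a Signature header, or None."""
    params = dict(_PARAM.findall(signature_header or ""))
    key_id = params.get("keyId")
    if not key_id or "signature" not in params:
        return None  # unsigned or malformed: authorized fetch rejects these
    parts = urlsplit(key_id)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()

def _matches(host, domains):
    # Exact match or any subdomain of a listed domain.
    return any(host == d or host.endswith("." + d) for d in domains)

def denylist_allows(signature_header):
    host = signer_host(signature_header)
    return host is not None and not _matches(host, BLOCKED)

def allowlist_allows(signature_header):
    host = signer_host(signature_header)
    return host is not None and _matches(host, ALLOWED)

def sig(key_id):
    # Constructed header; the signature value is a dummy string.
    return f'keyId="{key_id}",headers="(request-target) host date",signature="Y29uc3RydWN0ZWQ="'

SAMPLES = {
    "blocked": sig("https://blocked.example/actor#main-key"),
    "blocked_subdomain": sig("https://SUB.Blocked.Example:443/actor#main-key"),
    "fresh_domain": sig("https://fresh-domain.example/actor#main-key"),
    "friend": sig("https://friends.example/users/a#main-key"),
    "unsigned": "",
}

def evaluate():
    """Map each sample to (denylist decision, allowlist decision)."""
    return {name: (denylist_allows(h), allowlist_allows(h)) for name, h in SAMPLES.items()}
```

The `fresh_domain` row is the case the thread describes: a validly signed request from a domain nobody has blocked yet passes the denylist and is only stopped by the allowlist.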

        • ChaosAD@lemmy.world
          10 months ago

          > You can’t make your profile entirely private like one would do on Twitter or any of Meta’s products.

          Even those are not private.