iso@lemy.lol 2 months ago
Does the receiver instance federate that like object to other instances? If not, it is shit for sure.
SorteKanin@feddit.dk 2 months ago
No, but how could it? Let’s say Feddit.dk receives a Like from mastodon.social. Then Feddit.dk would have to tell the other instances that mastodon.social sent that Like. But how can Feddit.dk prove that the Like actually did come from mastodon.social, i.e. it is not just a fabricated Like that Feddit.dk made up and hid by pretending it came from mastodon.social? That’s not easy.
rglullis@communick.news 2 months ago
The like is an activity. Any activity has an actor. Every actor has a public key. If the activity is sent with a cryptographic signature (like LD signatures, which Mastodon does implement) then anyone can verify that the activity is legit.
SorteKanin@feddit.dk 2 months ago
Mastodon explicitly discourages support of LD signatures.
rglullis@communick.news 2 months ago
Discouraged, but still supported. There is also another FEP (forgot the code now) being worked on and implemented by Mitra.
The point is that it is possible for an instance to federate an activity which is not originated by them.
ShittyKopper@lemmy.blahaj.zone 2 months ago
I seriously doubt Lemmy currently does any validation whatsoever. There were communities using this blatant security issue for non-malicious purposes (see endlesstalk.org/c/tails@lemmon.website, which re-wrote posts from people (which is only possible if the posts weren’t validated)).
There is a way to re-share and validate remote activities, either through LD signatures (ew, JSON-LD processing :vomit:) (which only Mastodon and Misskey implement) or the newfangled FEP-8b32 Object Integrity Proofs (which nobody relevant on the microblogging space implements).
SorteKanin@feddit.dk 2 months ago
The reason this is possible is because of the way Lemmy federates activities.
When you on instance A post, comment or upvote something in a community on instance B, your instance sends the activity to instance B, regardless of the instance of who you’re replying to or upvoting. It is sent to the community, and the community then shares it out to all other instances. AFAIK, Lemmy does nothing to verify that received content from a community actually comes from the original instance. See here for one of the main Lemmy devs commenting on this.
Is this secure or reasonable? I’m honestly not sure but it doesn’t feel great. Signatures on objects could fix this I think.
ShittyKopper@lemmy.blahaj.zone 2 months ago
Instead of sending the entire object embedded in the activity, the secure way would be to only send the URI instead. This is permitted by JSON-LD.
In the receiving side, if the object is untrusted (i.e. if it isn’t signed or if it’s from a separate authority from the parent object containing it) it should be thrown away and the id should be fetched from the remote instance directly. This is completely an oversight on Lemmy’s implementation and not a protocol problem.
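The receiving-side rule from the comment above, sketched as an added example (not part of the thread and not Lemmy's code). The `fetch` callable, the `a.example`/`b.example` hosts and the sample objects are constructed assumptions, and `signer` stands for the authority whose HTTP Signature on the delivery has already been verified.

```python
from urllib.parse import urlsplit

def authority(uri):
    """(host, port) of an https id, or None when the value is not a usable https URL."""
    if not isinstance(uri, str):
        return None
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.hostname.lower(), parts.port or 443)

def resolve_object(activity, signer, fetch):
    """Return a copy of activity["object"] that the receiver can trust.

    signer: authority of the key that verified the HTTP Signature on the delivery.
    fetch:  callable(uri) -> dict doing the GET to the origin (hypothetical, injected).
    """
    if authority(activity.get("actor")) != signer:
        raise ValueError("parent activity was not sent by its own actor")
    obj = activity.get("object")
    obj_id = obj.get("id") if isinstance(obj, dict) else obj
    origin = authority(obj_id)
    if origin is None:
        raise ValueError("object has no usable https id")
    if isinstance(obj, dict) and origin == signer:
        return obj                      # same authority as the parent: keep the embedded copy
    fetched = fetch(obj_id)             # bare URI or relayed copy: discard it, ask the origin
    if fetched.get("id") != obj_id:
        raise ValueError("origin returned a different object")
    return fetched

# Constructed sample: b.example relays a Note that lives on a.example, with altered content.
ORIGIN_STORE = {"https://a.example/notes/1": {
    "id": "https://a.example/notes/1", "type": "Note",
    "attributedTo": "https://a.example/users/alice", "content": "original text"}}

RELAYED = {"id": "https://b.example/activities/9", "type": "Announce",
           "actor": "https://b.example/c/news",
           "object": {"id": "https://a.example/notes/1", "type": "Note",
                      "attributedTo": "https://a.example/users/alice",
                      "content": "rewritten by the relay"}}

def demo():
    return resolve_object(RELAYED, authority("https://b.example/"), ORIGIN_STORE.__getitem__)

if __name__ == "__main__":
    print(demo()["content"])
```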
iso@lemy.lol 2 months ago
You’re right, that’s worse.
finickydesert@lemmy.ml 2 months ago
I mean it could be proven by having every account create a cryptographic key and adding a public key to the vote. Memory might be an issue though.
SorteKanin@feddit.dk 2 months ago
This is in fact how Feddit.dk knows that the Like came from mastodon.social at first. The problem is that the signature is an HTTP Signature which is only associated with the HTTP request that mastodon.social makes to Feddit.dk. It is not on the Like object itself. Thus that signature can’t be transferred to the Like object if Feddit.dk wanted to share it further.
skullgiver@popplesburger.hilciferous.nl 2 months ago
finickydesert@lemmy.ml 2 months ago
So there’s no way for feddit.dk to translate into a Lemmy style upvote?
muntedcrocodile@lemm.ee 2 months ago
So we need to convince the mastodon devs to change it so the signature is on the like object itself.