Yeah this just sounds like one of the drawbacks of a federated system. In order for people on remote servers to be able to see your “private” posts, your local server has to feed that info to them and trust them to handle it appropriately.
Comment on Pixelfed leaks private posts from other Fediverse instances - fiona fokus
LambdaRX@sh.itjust.works 1 week ago
I wouldn’t call it Pixelfed’s vulnerability, but a reminder that nothing on the Fediverse is private. Even if Pixelfed is fixed, someone can create a rogue instance to read others’ private posts.
Ulrich@feddit.org 1 week ago
queermunist@lemmy.ml 1 week ago
Wait, are new instances federated by default?
I thought admins had to choose who they were federated with.
RobotToaster@mander.xyz 1 week ago
There’s easily over a thousand fediverse instances at this point, having to whitelist them all would be impractical.
queermunist@lemmy.ml 1 week ago
Okay but this demonstrates why defaulting to federation is a bad idea, doesn’t it?
melmi@lemmy.blahaj.zone 1 week ago
The issue is that if you don’t default to federation, it becomes essentially impossible for new instances to join the fediverse. A potential new instance would have to go around to every single existing instance and ask to be allowlisted, which is onerous for both the new instances and for the large server admins who would be getting tons of requests. It would also essentially kill selfhosting as a result.
lambalicious@lemmy.sdf.org 1 week ago
The entire point of the fediverse is to federate. Not federating by default kills discoverability and the potential for discoverability among other things
RobotToaster@mander.xyz 1 week ago
It demonstrates that nothing on the fediverse is private, and bad hacks that pretend otherwise are a terrible idea.
Microw@lemm.ee 1 week ago
Imo it demonstrates that for certain threat models the fediverse simply doesn’t have the 100% secure answers.
AwesomeLowlander@sh.itjust.works 1 week ago
Defaulting to not federating is what the major email providers currently do, and is why email has now become a centralised service that you cannot practically self host.
Irelephant@lemm.ee 1 week ago
Private posts are only sent to instances that either your followers or the list of people you want to see the post are on. If they all co-operate, you will be fine.
surewhynotlem@lemmy.world 1 week ago
if they all cooperate
Gonna stop you right there
Irelephant@lemm.ee 1 week ago
It’s like email: an email server can decide to expose everyone’s emails to the public, so don’t add that email to your mailing list or email chain.
surewhynotlem@lemmy.world 1 week ago
100% yes. But I think people also drastically overestimate the chain of trust within email. Never send anything over email that you don’t want going all over the place.
PhilipTheBucket@ponder.cat 1 week ago
private posts are only sent to instances
Well, obviously they’re sent to some other ones, or else this wouldn’t be an issue.
This is a design flaw in the protocol. If your instance is going to send your private posts to other people, they’re not private. The authors need to fix your instance software, not demand that every other software in existence needs to “cooperate” and find out whether they’re “private” and not show them to the users if they are.
Irelephant@lemm.ee 1 week ago
No, imagine this:
There is @bob@pixelfed.example, and there is their friend, @joe@mastodon.example. Bob also follows @jane@gotosocial.example.
If Bob makes a private post (i.e., followers only), only the instances of people he follows will receive the post. The instance will see that it’s supposed to be private, and not show it to everyone.
This way, gotosocial.example, mastodon.example and pixelfed.example have the post, but don’t show it. misskey.example won’t have the post.
Then, if gotosocial.example (hypothetically) had a bug where it ignored post visibility settings, those posts would be shown, since the post is sent to that server. If misskey.example had a similar bug, nothing would happen, as the post wouldn’t have reached that server anyway.
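As an added illustration of the delivery scenario in the comment above (this is a constructed model written for this page, not code from Pixelfed, Mastodon, GoToSocial or any other project), the block below builds a followers-only Create activity with the to/cc addressing Mastodon-compatible servers use, resolves it to the set of remote inboxes the sending server would POST to, and then shows a receiving server filtering what each local user may see. The actors, the reserved .example domains, the inbox map and the `Instance` class are assumptions for the example; `enforce_visibility=False` models the same-server failure mode discussed later in the thread, where a server shows every post it holds to every local user.

```python
# Toy model of ActivityPub audience addressing for a followers-only post:
# how the sending server picks delivery inboxes, and how a receiving server
# should (and, in the buggy case, does not) filter what its local users see.
# Constructed example; actors and domains are assumptions, not real instances.

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

BOB = "https://pixelfed.example/users/bob"
JOE = "https://mastodon.example/users/joe"       # follows bob
JANE = "https://gotosocial.example/users/jane"   # follows bob
ALICE = "https://mastodon.example/users/alice"   # same server as joe, does NOT follow bob
MAL = "https://misskey.example/users/mal"        # does not follow bob

BOB_FOLLOWERS = {JOE, JANE}

# Shared inbox of each actor's server (what delivery actually targets).
INBOX = {
    JOE: "https://mastodon.example/inbox",
    ALICE: "https://mastodon.example/inbox",
    JANE: "https://gotosocial.example/inbox",
    MAL: "https://misskey.example/inbox",
}


def followers_url(actor):
    return actor + "/followers"


def build_create(actor, content, visibility, recipient=None):
    """Create activity with the to/cc addressing Mastodon-compatible servers use."""
    if visibility == "public":
        to, cc = [PUBLIC], [followers_url(actor)]
    elif visibility == "unlisted":
        to, cc = [followers_url(actor)], [PUBLIC]
    elif visibility == "followers":
        to, cc = [followers_url(actor)], []
    elif visibility == "direct":
        to, cc = [recipient], []
    else:
        raise ValueError("unknown visibility: " + visibility)
    note = {"type": "Note", "attributedTo": actor, "content": content, "to": to, "cc": cc}
    return {"type": "Create", "actor": actor, "to": to, "cc": cc, "object": note}


def delivery_inboxes(activity, followers=BOB_FOLLOWERS, inbox=INBOX):
    """Sending side: resolve to/cc into the set of remote inboxes to POST to.
    Servers not in this set never receive the post at all."""
    targets = set()
    for addr in activity["to"] + activity["cc"]:
        if addr == PUBLIC:
            continue  # audience marker, not a deliverable inbox
        if addr == followers_url(activity["actor"]):
            targets.update(inbox[f] for f in followers)
        elif addr in inbox:
            targets.add(inbox[addr])
    return targets


def in_audience(activity, viewer, followers=BOB_FOLLOWERS):
    """Receiving side: may `viewer` see this activity? Only if it is Public,
    the viewer is addressed directly, or the viewer is a follower and the
    author's followers collection is addressed."""
    audience = set(activity["to"]) | set(activity["cc"])
    if PUBLIC in audience or viewer in audience:
        return True
    return followers_url(activity["actor"]) in audience and viewer in followers


class Instance:
    """A receiving server. enforce_visibility=False models the failure mode
    described in the thread: every stored post is shown to every local user."""

    def __init__(self, domain, enforce_visibility=True):
        self.domain = domain
        self.enforce = enforce_visibility
        self.store = []

    def receive(self, activity):
        self.store.append(activity)

    def timeline(self, viewer):
        return [a["object"]["content"] for a in self.store
                if not self.enforce or in_audience(a, viewer)]


def demo(enforce_visibility=True):
    """Deliver a followers-only post from bob and report what each viewer sees."""
    servers = {
        "https://mastodon.example/inbox": Instance("mastodon.example", enforce_visibility),
        "https://gotosocial.example/inbox": Instance("gotosocial.example", enforce_visibility),
        "https://misskey.example/inbox": Instance("misskey.example", enforce_visibility),
    }
    act = build_create(BOB, "followers only", "followers")
    for inbox in delivery_inboxes(act):
        servers[inbox].receive(act)
    return {v: servers[INBOX[v]].timeline(v) for v in (JOE, ALICE, JANE, MAL)}


if __name__ == "__main__":
    print("correct servers:", demo(True))
    print("leaky servers:  ", demo(False))
```

Two things the model makes concrete: misskey.example is never in the delivery set, so no bug there can expose the post; mastodon.example does hold the post for joe, so whether alice (a non-follower on the same server) can read it depends entirely on that server honouring the addressed audience.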
PhilipTheBucket@ponder.cat 1 week ago
Yeah, so there’s no real way to implement private posts on Mastodon.
I mean, it is fine if you want to implement sort of “best effort” semi-privacy and make it clear to everyone involved that that’s what it is, but for any reasonable definition of “private,” the requirement that it not get shown to people outside the list of people allowed to see it needs to be enforced better than this. There will always be server software that doesn’t “cooperate.” That’s just the nature of open distributed systems. If you’re making assurances to your users that their posts will be private, you need to be the one enforcing that, not everyone else on the network and the protocol needs to be set up with the ability for that to happen (which ActivityPub is not, which means it’s misleading that someone told users that they can have “private” posts via this hack.)
iltg@sh.itjust.works 1 week ago
this is wrong, you’re assuming incorrectly. private posts get sent to only intended recipients. pixelfed allows other recipients on the same server to read that. it’s not your instance software, it’s pixelfed, please don’t spread misinformation based on uninformed assumptions.
iltg@sh.itjust.works 1 week ago
if you deliver a letter to your cousin, and they leak it to all their friends, is it the post system’s fault? instances federate by default, but private posts require actual intention. if i make a private post, explicitly mark it as private, deliver it to your instance and then your instance leaks it, I’d blame the instance, not the system. even signal can leak if you send your stuff to unintended parties.
someone can create a rogue instance
you shouldn’t send private stuff to unreliable parties. big software and big instances have a reputation, and it’s constantly up to you whether sending them something or not. when @sus@totally.legit follows you, check where they’re from. if you just accept follows left and right, are your followers-only posts really private? and if you direct message someone on some sketchy instance, you still need to trust them to respect your privacy. it’s the same on signal, e2ee doesn’t make a difference
this is why i completely blame pixelfed here: it breaks trust in transit and that’s unacceptable because it makes the system untrustworthy. you can get followed by sketchy people on mastodon.social and they will only see what you send them. in this case, other people can see what you post, regardless of you sending it to them or not, and regardless of the target leaking it or not
melmi@lemmy.blahaj.zone 1 week ago
I kind of lean towards the idea of “private posts” being a bad idea as a result, just because it creates a false sense of security.