this is wrong, you’re assuming incorrectly. private posts get sent to only intended recipients. pixelfed allows other recipients on the same server to read that. it’s not your instance software, it’s pixelfed, please dont spread misinformation based on uninformed assumptions
Comment on Pixelfed leaks private posts from other Fediverse instances - fiona fokus
PhilipTheBucket@ponder.cat 1 week agoprivate posts are only sent to instances
Well, obviously they’re sent to some other ones, or else this wouldn’t be an issue.
This is a design flaw in the protocol. If your instance is going to send your private posts to other people, they’re not private. The authors need to fix your instance software, not demand that every other software in existence needs to “cooperate” and find out whether they’re “private” and not show them to the users if they are.
iltg@sh.itjust.works 1 week ago
Irelephant@lemm.ee 1 week ago
No, Imagine this
There is @bob@pixelfed.example their is their friend, @joe@mastodon.example. bob also follows @jane@gotosocial.example
If bob makes a private post (ie, followers only), only the instances of people he follows will recieve the post. The instance will see that its supposed to be private, and not show it to everyone.
This may, gotosocial.example, mastodon.example and pixelfed.example have the post, but don’t show it. misskey.example won’t have the post.
Then, if gotosocial.example (hypothetically) had a bug where it ignored posts visibility settings, those posts would be shown, since the post is sent to that server. If misskey.example had a similar bug, nothing would happen as the post wouldn’t have reached that server anyway.
PhilipTheBucket@ponder.cat 1 week ago
Yeah, so there’s no real way to implement private posts on Mastodon.
I mean, it is fine if you want to implement sort of “best effort” semi-privacy and make it clear to everyone involved that that’s what it is, but for any reasonable definition of “private,” the requirement that it not get shown to people outside the list of people allowed to see it needs to be enforced better than this. There will always be server software that doesn’t “cooperate.” That’s just the nature of open distributed systems. If you’re making assurances to your users that their posts will be private, you need to be the one enforcing that, not everyone else on the network and the protocol needs to be set up with the ability for that to happen (which ActivityPub is not, which means it’s misleading that someone told users that they can have “private” posts via this hack.)
Irelephant@lemm.ee 1 week ago
I wouldn’t consider it a hack, as the protocol was actually made with these posts in mind. Public posts weren’t the focus of activitypub.
I would consider it similar to email, should we abandon it (yes, but not because of this) just because a malicious email server started publishing all the emails it recieved? AP is just email but social media.
PhilipTheBucket@ponder.cat 1 week ago
Yes, and people implemented PGP for encrypted email, and also made SMTP over TLS the standard, so that they wouldn’t have to demand that every router and every SMTP server everywhere on the internet agree not to republish or store secret information that was passing through it, because it started to become understood that email was in no way private.
A proper standard for private posts would be similar. You could have all private posts be encrypted with a rotating key, for example, and have them decrypted by anyone who had the key, on the client side, and stored and transmitted in encrypted form. Being approved to follow the private posts would involve your user being given a copy of the key through some kind of private key exchange. It sounds complex (and it would be, a little), and it would involve moving to the client some of the key management that currently happens on the instance server (and thus undoes some of the actually good design of ActivityPub, by just putting the instance software back in the position of keeping every actor’s keys for them and doing all the crypto work on behalf of the users). Anyway, it would be work and involve some redesign. I’m not saying that’s what they should have done. I’m saying that’s what having private posts as a feature would mean. Anything else is non-private posts that are pretending to be private posts.
iltg@sh.itjust.works 1 week ago
email works the same way. it’s impossible to implement private emails? if you cc your email to im.going.to@leak.it and it leaks, would it be fair to complain about the whole email system?
PhilipTheBucket@ponder.cat 1 week ago
discuss.privacyguides.net/t/…/20662