Comment on How feasible would it be to host Mastodon, Pixelfed, Lemmy, Friendica, or Matrix over Tor/I2P?
SlurpingPus@lemmy.world 2 days ago
The server to server protocol has a bunch of assumptions that are not true for tor and i2p.
Could you please elaborate just a bit? I’m a web dev, but haven’t looked into fediverse protocols yet.
ViatorOmnium@piefed.social 2 days ago
One example is HTTP signatures. Servers sign their payloads and receiving servers should validate not just the hash but ensure the payload is not too old. Mastodon allows for a twelve hour difference (https://docs.joinmastodon.org/spec/security/#http-signatures) but other software might be stricter for security reasons. Then a bunch of things like webfinger were designed around public dns and public key chains. A mastodon server running on the open internet and/or expecting public keychain HTTPS will not be able to federate with something running in tor.
You could cut enough corners to make something that federates inside tor, but at that point it’s better to design something around tor’s features.
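Added example, not part of the thread or of any server's code: a receiver-side check of the kind described above, which rejects a delivery unless the signed Digest matches the body, the signed Date is within the twelve hour window, and the signature verifies. Assumptions: HMAC-SHA256 stands in for the RSA key pairs real servers use so the block needs only the standard library, and the key, hosts, body and the function names `sign` and `verify` are constructed for illustration.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(hours=12)  # the window the Mastodon docs linked above describe

def _digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def _mac(key, method, path, headers, names):
    # Signing string: one "name: value" line per signed header, in the listed order
    lines = [f"(request-target): {method.lower()} {path}" if n == "(request-target)"
             else f"{n}: {headers[n]}" for n in names]
    raw = hmac.new(key, "\n".join(lines).encode(), hashlib.sha256).digest()
    return base64.b64encode(raw).decode()

def sign(key, method, path, headers, body, names):
    headers = dict(headers, digest=_digest(body))
    headers["signature"] = ('keyId="demo-key",algorithm="hmac-sha256",headers="%s",signature="%s"'
                            % (" ".join(names), _mac(key, method, path, headers, names)))
    return headers

def verify(key, method, path, headers, body, now):
    params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("signature", "")))
    names = params.get("headers", "").split()
    # Date and Digest must be covered by the signature, or checking them proves nothing
    if not {"(request-target)", "date", "digest"} <= set(names):
        return "critical-header-unsigned"
    if any(n != "(request-target)" and n not in headers for n in names):
        return "signed-header-missing"
    if not hmac.compare_digest(headers["digest"].encode(), _digest(body).encode()):
        return "digest-mismatch"
    try:
        age = abs(now - parsedate_to_datetime(headers["date"]))
    except (TypeError, ValueError):  # unparsable, or no timezone in the Date header
        return "bad-date"
    if age > MAX_SKEW:
        return "stale"
    expected = _mac(key, method, path, headers, names)
    if not hmac.compare_digest(expected.encode(), params.get("signature", "").encode()):
        return "bad-signature"
    return "ok"

# Constructed sample delivery (not captured traffic)
KEY = b"constructed-shared-secret"
SENT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
BODY = b'{"type":"Create","actor":"https://a.example/users/alice"}'
REQ = sign(KEY, "POST", "/inbox", {"host": "b.example", "date": format_datetime(SENT, usegmt=True)},
           BODY, ["(request-target)", "host", "date", "digest"])
```

Calling `verify(KEY, "POST", "/inbox", REQ, BODY, now)` with `now` five minutes after `SENT` returns `"ok"`; the same untouched request presented thirteen hours later returns `"stale"`.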
SlurpingPus@lemmy.world 2 days ago
Why is it the first time I hear of this?
ViatorOmnium@piefed.social 2 days ago
https://www.w3.org/wiki/ActivityPub/Primer/Authentication_Authorization mentions HTTP signatures since the very first version of the document in 2017. The current efforts seem more in the direction of describing and standardizing the existing usage.