Privacy

31181 readers

423 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

[email protected]

Authorized Fetch Circumvented by Alt-Right Developers (wedistribute.org)

submitted 8 months ago by [email protected] to c/[email protected]

2 comments fedilink hide all child comments

A controversial developer circumvented one of Mastodon's primary tools for blocking bad actors, all so that his servers could connect to Threads.

We’ve criticized the security and privacy mechanisms of Mastodon in the past, but this new development should be eye-opening. Alex Gleason, the former Truth Social developer behind Soapbox and Rebased, has come up with a sneaky workaround to how Authorized Fetch functions: if your domain is blocked for a fetch, just sign it with a different domain name instead.

Gleason was originally investigating Threads federation to determine whether or not a failure to fetch posts indicated a software compatibility issue, or if Threads had blocked his server. After checking some logs and experimenting, he came to a conclusion.

“Fellas,” Gleason writes, “I think threads.net might be blocking some servers already.”

What Alex found was that Threads attempts to verify domain names before allowing access to a resource, a very similar approach to what Authorized Fetch does in Mastodon.

You can see Threads fetching your own server by looking at the facebookexternalua user agent. Try this command on your server:

grep facebookexternalua /var/log/nginx/access.log

If you see logs there, that means Threads is attempting to verify your signatures and allow you to access their data.

all 3 comments

sorted by: hot top controversial new old

[–] [email protected] 6 points 8 months ago

Troll circumvents rarely used Fedi privacy feature that was being abused by Facebook to preserve their walled garden.

Hopefully this causes the authenticated fetch to be redesigned.