Federation makes it very easy to accidentally mislead users about the security of a system and I wish people building federated systems would be more careful of this.
For example, here there are ‘follower-only’ posts. The user perception is simple: only your followers can see your posts. But that’s never enforced by the technology for any system that doesn’t use end-to-end authenticated encryption. In a centralised system, you trust that the service provider doesn’t look at these messages. When it’s ad supported and has a two-hundred page privacy policy, that trust is probably misplaced, but there’s only one place to audit.
In a federated system, any of your followers’ admins can potentially see these messages. Maybe you vet all of your followers, but do you vet everyone with admin access on their instance?
Confidentiality in federated systems is really hard to do right. And message confidentiality is the easy part, keeping the connection graph confidential is even harder (that matters less for the Fediverse, but can get people killed if you get it wrong for messengers) and really needs designing in from the start. There are a few interesting projects that are trying to do this, but don’t assume that it’s a thing that can be retrofitted to a protocol that was designed with a different threat model.
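The following is an added illustration, not code from the post above nor from any Fediverse implementation. It models three hypothetical instances (home.example, friend.example, other.example) and a simplified ActivityPub-style push delivery, then shows the two points the post makes: a "follower-only" post is just a `to` list, so the admin of every follower's instance can read the text from storage; and even when the content is end-to-end encrypted (here with a toy SHA-256 keystream plus HMAC stand-in for a real AEAD, constructed so the example runs on the standard library alone), the recipient list, which is the connection graph, is still stored in the clear on every hop. The message, actors and keys are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


@dataclass
class Server:
    """One hypothetical Fediverse instance; inboxes are what its admin can read from disk."""
    domain: str
    inboxes: dict = field(default_factory=dict)  # actor -> list of delivered activities

    def deliver(self, actor, activity):
        self.inboxes.setdefault(actor, []).append(activity)

    def admin_view(self):
        return [a for msgs in self.inboxes.values() for a in msgs]


def federate(servers, author, followers, activity):
    """Simplified ActivityPub delivery: push the activity to every follower's home instance."""
    servers[author.split("@")[1]].deliver(author, activity)  # author's instance keeps a copy
    for follower in followers:
        servers[follower.split("@")[1]].deliver(follower, activity)


def followers_only_plaintext(servers, author, followers, text):
    """A follower-only post as commonly implemented: scoping lives only in the 'to' field."""
    activity = {"actor": author, "to": list(followers), "content": text}
    federate(servers, author, followers, activity)
    return activity


# Toy end-to-end authenticated encryption (SHA-256 keystream + HMAC, encrypt-then-MAC).
# It stands in for a real AEAD such as ChaCha20-Poly1305 only so the example runs
# with the standard library; do not reuse it in production.
def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def e2e_encrypt(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ":".join(x.hex() for x in (nonce, ct, tag))


def e2e_decrypt(key, blob):
    nonce, ct, tag = (bytes.fromhex(x) for x in blob.split(":"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def followers_only_e2e(servers, author, follower_keys, text):
    """Same delivery path, but one ciphertext per follower under a key the servers never hold.
    Key agreement with each follower is assumed to have happened out of band."""
    followers = list(follower_keys)
    activity = {"actor": author, "to": followers,
                "content": {f: e2e_encrypt(k, text.encode()) for f, k in follower_keys.items()}}
    federate(servers, author, followers, activity)
    return activity


def run_demo():
    # Constructed instances, actors and message.
    servers = {d: Server(d) for d in ("home.example", "friend.example", "other.example")}
    author = "alice@home.example"
    followers = ["bob@friend.example", "carol@other.example"]
    secret = "meet at the usual place, 9pm"

    followers_only_plaintext(servers, author, followers, secret)
    # The admin of bob's instance reads alice's 'follower-only' text straight from storage.
    remote_admin_reads_plaintext = any(a["content"] == secret
                                      for a in servers["friend.example"].admin_view())

    keys = {f: os.urandom(32) for f in followers}
    followers_only_e2e(servers, author, keys, secret)
    stored = servers["other.example"].admin_view()[-1]
    e2e_content_hidden = secret not in json.dumps(stored)   # only ciphertext on disk
    e2e_graph_visible = stored["to"] == followers           # but who-follows-whom still leaks
    recipient_decrypts = e2e_decrypt(keys["carol@other.example"],
                                     stored["content"]["carol@other.example"]).decode()
    try:
        e2e_decrypt(keys["bob@friend.example"], stored["content"]["carol@other.example"])
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"remote_admin_reads_plaintext": remote_admin_reads_plaintext,
            "e2e_content_hidden": e2e_content_hidden,
            "e2e_graph_visible": e2e_graph_visible,
            "recipient_decrypts": recipient_decrypts,
            "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the last two flags is the post's second paragraph: encrypting content is the part that can be bolted on per message, while hiding the `to` list from every instance on the delivery path needs a different protocol design, because the servers need those addresses to route at all.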
-
@david_chisnall Noted. When I finally get around to creating my ICQ-as-Fediverse-DMs, I'm going to ROT13 the heck out of it.
-
@david_chisnall It's the same with private messages in the Fediverse (but you get warnings that it's not secure.)
I write in social media only what I would say in public on a marketplace or in a newspaper.
For everything more private, people should use secure messengers!
-
@mhd @david_chisnall You may therefore find this humorous: https://people.freebsd.org/~bms/humour/
-
@david_chisnall This brings memories flooding back of the NIST (NSA) related multicast group key distribution drafts from the late 90s.
-
I agree. I don't use follower-only posts because I don't think that there's any real restriction in distribution once you have more than a couple of dozen followers on different instances. It might have some benefits for reducing harassment, but only against not-very-motivated individuals. But that's not how it's described.