Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • heavy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    11 months ago

    I agree with you, however there are issues with not just privacy but also authenticity. I should be able to post as me, even in public, and have a way to prove it. Nobody else should be posting information as me, if that makes sense.

    • 0x1C3B00DA@kbin.social
      link
      fedilink
      arrow-up
      0
      ·
      11 months ago

      Sure, but that’s already solved on the fediverse by using HTTP Signatures and isn’t related to Authorized Fetch.

      • heavy@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        11 months ago

        I meant to say generally, for folks that might read this comment and think problems surrounding the platform and security are solved.

    • rglullis@communick.news
      link
      fedilink
      English
      arrow-up
      0
      ·
      11 months ago

      For that, we should start bringing our own private keys to the server, instead of trusting the server to control everything.

      And if we start doing that, pretty soon we will end up asking ourselves why do we need the server in the first place, and we will evolve to something like what nostr is doing.

      I’m all for it.