Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • sj_zero@lotide.fbxl.net
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    10 months ago

    Seriously. Bobthenazi could just go to an aligned server and make an account Bobthenotzi and boom – perfectly able to follow whoever he wants.

    • rglullis@communick.news
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      10 months ago

      One more reason to argue that we should drop the idea of “aligned” servers and that we are moving to a future where it is better to charge (small) amounts from everyone instead of depending on (large) donations from a few.

      • sj_zero@lotide.fbxl.net
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        10 months ago

        Ideally, a distributed fediverse wouldn’t need much in terms of donations because it’s a bunch of small instances instead of a few huge ones.

        • rglullis@communick.news
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          10 months ago

          Not the point. The point that instances that are open for everyone will be open for bad actors as well.

          If the mere act of signing up to an instance requires a small payment, you are automatically preventing the absolute majority of spammers, “spray and pray” scammers and channer trolls.