Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

you are viewing a single comment's thread
view the rest of the comments

[–] rglullis@communick.news 124 points 11 months ago* (last edited 11 months ago) (35 children)

Repeat after me: anything I write on the internet should be treated as public information. If I want to keep any conversation private, I will not post it in a public website.

[–] heavy@sh.itjust.works 26 points 11 months ago (20 children)

I agree with you, however there are issues with not just privacy but also authenticity. I should be able to post as me, even in public, and have a way to prove it. Nobody else should be posting information as me, if that makes sense.

[–] ttmrichter@lemmy.world -1 points 11 months ago (3 children)

Clear sign every post using a third-party application. Make your public keys known far and wide. Authenticity solved.

[–] Natanael@slrpnk.net 5 points 11 months ago (2 children)

And now we're dealing with key management instead

[–] ttmrichter@lemmy.world 2 points 11 months ago

You always need key management if you have decentralized authentication.

[–] ttmrichter@lemmy.world 0 points 11 months ago

You always need key management if you have decentralized authentication.

load more comments (16 replies)

load more comments (30 replies)