
Impersonation via other Mastodon instances aka fake accounts #913

Closed
Kovah opened this Issue Apr 5, 2017 · 37 comments

Kovah commented Apr 5, 2017

Mastodon looks great, however I have a concern regarding impersonation done by individuals via other instances.
What I mean is: I have one Mastodon account (@Kovah in my case) I'm using and that is really my own. It's me who is writing from that account. But any individual is able to create a second account with my username and do whatever he wants to do. Publishing false information is one of the harmless things here. Just think about illegal stuff, insulting other users and so on.

I already read about verification and that there are no plans to implement it. Also, there is no check in the registration for that username on other instances. Two profiles with the same username are not linked in any way.
Even if I add a link to my original account on my own website this doesn't prevent any actions that may hurt me as a person or my business. Because strangers that get contacted by that fake account won't try to search for my website to verify that it's really me who's writing.

To prevent this I have to create an account with my handle on every instance. I'm sure this is not wanted so I wanted to ask what the developers think about this issue. This is already a big and very serious issue with existing social networks and I hope there is any will to solve or limit it.

Related issue: #220

lmorchard (Contributor) commented Apr 5, 2017

I think this will run into "feature not bug" arguments. You don't have @kovah as your handle - you have @kovah@mastodon.social and there's no way to enforce that @kovah prefix on any other site on the whole federated network.

Kovah commented Apr 5, 2017

Hmm, maybe you could clarify what exactly you mean by that prefix, or maybe I'm missing something...

The thing is that I have a primary account https://social.tchncs.de/@Kovah where @Kovah is my username. However, I was able to register another account at https://social.targaryen.house/@Kovah where the username also is @Kovah. I can copy the profile picture and bio and now other users can't distinguish between both accounts. The URLs differ but how should someone tell which is the original account and which one is a fake one?

kennethlarsen commented Apr 5, 2017

Think of it like an email account. You can register kovah@gmail.com but that doesn't keep anyone from registering kovaħ@hotmail.com. It's the same thing on Mastodon so I'd say this is a feature not a bug. However I suspect this is something that will become a greater discussion in the future where perhaps some sort of validation or extra moderation will be helpful.

faxe78 commented Apr 5, 2017

I think what maybe needs to be done is to make the instancing stuff clearer and more visible, so that it becomes common knowledge that there are instances and that user accounts are not connected; something like showing the complete username + instance in a post.

pixeldesu commented Apr 5, 2017

@faxe78 or maybe already show the full handle even on local instance profiles, so people probably grasp the concept a bit faster.

RaitoBezarius commented Apr 5, 2017

But, I think there should be a mechanism to report scammers / impersonators.

Even if it's a user-built database of handles, email works the same: they have anti-spam.

We should also have anti-impersonation, but how can we build that? Is it in Mastodon? Is it a separate application / bot which connects to Mastodon through the API and collects data?

pixeldesu commented Apr 5, 2017

A centralized service in a decentralized system is the wrong approach.

We need to teach people how the system works, not build a system that breaks the terminology. What is the use of a "verified user" database if the user themselves can tell you, from another verified source outside the fediverse, which account on what instance they are using?

Otherwise, instance admins should probably add a contact or abuse report email to their about pages, for cases like this. Locally, instances already have a report-system.

mahnouel commented Apr 5, 2017

Some sort of reputation could verify people. Each instance can verify someone, and if 80% of the other instances verified you, you get a tick or something like that.

Or maybe a score could be calculated from the creation date + activity + trust value by the instance itself.

kennethlarsen commented Apr 5, 2017

It might also be worth looking into how keybase.io does verification. Here you're able to verify your keybase profile using your PGP key as well as verifying with other accounts like GitHub (using a signed Gist), Twitter (using a tweet) etc.

But I guess the key here is that impersonating other users should not be allowed and therefore it should be easy to report. A verified account does not change the fact that I can impersonate you it just makes sure that if a user finds your profile first she is fairly sure that you are who you say you are. It does not remove the other impersonators.

pixeldesu commented Apr 5, 2017

> It might also be worth looking into how keybase.io does verification. Here you're able to verify your keybase profile using your PGP key as well as verifying with other accounts like Github (using a signed Gist), Twitter (using a tweet) etc.

Well, if someone can bother Keybase enough to add a verification for Mastodon (or, to be fair, general OStatus implementations), this could work out.

> impersonating other users should not be allowed

You can put that up as a rule, but this is an open federation, so try getting that through on all of the hundreds of OStatus servers that exist already.

Kazhnuz (Contributor) commented Apr 5, 2017

I also think that a keybase-like verification with a chain of trust is the best idea for having a way to verify accounts. We could verify ourselves as the same people behind several accounts and websites, and they would be shown on the profile. Maybe the "proof" code of keybase.io is reusable enough to use it in Mastodon? IDK. For keybase, it could be possible that someone who knows CoffeeScript well enough does it, as there is a repo for the proof system: https://github.com/keybase/proofs

Maybe some icon could also be shown for users without any "confirmed identities", and we could choose to show an "icon + identity verified" below the Pseudo + Mastodon handle string (or maybe even both?). For instance, I could have my handle and then below there would be something like "[website_icon] kazhnuz.space (show verification)", in order to add a clue about who I am.

pixeldesu commented Apr 5, 2017

@Kazhnuz this idea is entirely different. Mastodon should not be the service to handle our verifications, not federated nor a single instance.

What people here want is to be verified that they are that specific user on that specific instance. If Keybase adds support for OStatus services and we could post a proof like we can already do on Twitter, etc. people can use their Keybase profile to verify themselves if they ever need to.

We should not lay verification in the hands of the federation.

alerque referenced this issue Apr 5, 2017: Adding GPG for verified toots #928 (Open)

Kazhnuz (Contributor) commented Apr 5, 2017

I thought that the questions are a bit related, as there would be an "outside" piece of information that would separate the real account and the fake account. Also, it is a bit how I understood what @kennethlarsen said... x) But my English isn't always perfect, so I could be totally wrong :) That's also what was my main idea behind what I said, as it would provide a great way to differentiate my account from a potential impersonation.

And maybe you're totally right that the verification service should not be inside Mastodon… But I still think that showing a "verified" outside piece of information (for instance a keybase account, if it verified the mastodon account?) as a way of identifying the account directly below the pseudo would make it way harder for impersonation to happen. It would make it even a bit harder than on twitter, no (for people who don't have a "verified account" on twitter, at least)?

Abzol (Contributor) commented Apr 5, 2017

We had some passing discussion about verifying yourself as the owner of a linked domain name in a (non-current) URL field in the user profile - i.e. you'd link your personal domain and verify yourself through that.

exadeci commented Apr 6, 2017

@Kazhnuz If Keybase adds Mastodon to the possible identities, a basic way of doing it could be by extracting the proof_url from a lookup https://keybase.io/_/api/1.0/user/lookup.json?twitter=Kazhnuz and checking that the instance and user match with the user requesting the verification.

cryptomarauder commented Apr 6, 2017

Incorporate a trust level where ident can be corroborated by others and make it robust. Could perhaps even do link corroboration and live vid too. ;)

gouessej commented Apr 6, 2017

I agree with @faxe78, just keep it simple and make the instancing stuff clearer in order to avoid any confusion between several users with the same username but on different instances; it's enough to differentiate an account from an attempt at impersonation. Don't try to think in a decentralized system exactly as if you were in a centralized one. mastodon.social shouldn't be the gatekeeper of all instances, it would make no sense to me. I left Twitter several years ago, don't imagine a verification system only for Twitter users; allowing a user of a specific instance to consolidate her/his profile with GPG or something similar looks good in my humble opinion. In the end, it's up to the person(s) liable for an instance to handle this kind of trouble, for copyright infringement, privacy invasion, disparagement / defamation and violation of image rights / publicity rights too.

foozmeat (Contributor) commented Apr 6, 2017

It's currently possible to toot a signed keybase/pgp message, which would create a point-in-time verification (your full @username@server address needs to be in the message). If there was a profile field (or a longer bio) that was long enough to drop the signed message into, you could declare your ownership in a way that's verifiable and de-centralized. This would raise the bar on casual account impersonation. See https://mastodon.social/@rustyk5/1790939 as an example.

edit:
I just want to add my $0.02 that while reputation systems may be fun to design, there is a burning need to add features/fix bugs as quickly as possible to Mastodon in order to keep people on the network. I would advocate for simple over clever for the near-term. Heck, we still can't even explain plainly how the network works to the uninitiated.

offbyone commented Apr 7, 2017

I'm interested in this, but from a slightly different angle than the original submitter (and in line, I think, with some people who've commented): I would like to be able to point to >1 account on different instances and assert that they're all "me" for a definition of "me" that I choose. I like my handle on mastodon.social, and if I end up creating an account elsewhere I'd like to have that association encoded. I think that finding some way to collaborate with distributed identity services like Keybase is worth looking into, assuming they add support for gnu.social services (which looks plausible).

Maybe a simpler approach would be to add a field to accounts that allow them to forward-reference other accounts and claim them, which makes the verification process a matter of ensuring both accounts mutually verify.

pixeldesu commented Apr 7, 2017

@offbyone why would you own different accounts on multiple instances though?

just owning to lock the name is not the sense of it, so...why do you need multiple accounts when you can just follow anyone over the network?

I don't know how you guys manage this, but I already have trouble managing a handful of Twitter accounts. 😛

offbyone commented Apr 7, 2017

"Why do you do something different from me" is not really a useful piece of feedback :) Let's just go with "I want to" and work from there.

coderobe commented Apr 7, 2017

Right, but don't do discouraged things that you know cause problems and then go whine about it on the project repo lol

mahnouel commented Apr 7, 2017

coderobe commented Apr 7, 2017

You can always have multiple accounts if you want to, this is not the point

You can still link to them on your {website, other accounts, keybase (soon probably), twitter, other social networks} - you don't need a special feature for edge-cases like this.

pixeldesu commented Apr 7, 2017

I think the best solution just would be verifying ourselves over services like Keybase, they probably hinted at possibilities that OStatus sites might get some sort of verification.

Every other suggested way of verifying does not make a lot of sense.

To verify who I am, I should not need to...

  • ...rely on a central entity in the federation (as in a Mastodon or GS instance)
  • ...have to create multiple accounts on different instances to verify myself with cross-references
  • ...put the verification in the hand of an instance (e.g. turning Mastodon in a mini-keybase)

Besides verification over Keybase it really needs to be made clearer to users that their name is only unique in the context of the instance they are on. As others already said in this thread we should show the full handle as often as possible (or when it is not obstructing the user experience).

Spunkie commented Apr 7, 2017

@pixeldesu I'm a little confused, what is the actual usage of keybase in mastodon being proposed here? Like could you give an example of how a normal auth through keybase would look to a mastodon user and how it would solve the bullet points you listed?

Also, if one of the questions being asked here is simply how one instance (inst9) verifies a new user as being the same user on another instance (inst0), a much simpler solution for this is a basic OAuth setup.

  1. The guest on inst9 says I'm userA@inst0 let me use your instance as userA@inst0
  2. inst9 opens an oauth window that loads userA@inst0
  3. In the window inst0 asks the user to login as userA
  4. The user logs in successfully
  5. inst0 sends a response to inst9 saying that yes this is userA@inst0 and here is a token to prove it in further communication
  6. The window closes, and the user is now authed as userA@inst0 on inst9

This goes against your 3rd bullet point but I'm not really sure why this setup would be considered bad?

lmorchard (Contributor) commented Apr 7, 2017

> why would you own different accounts on multiple instances though?
>
> just owning to lock the name is not the sense of it, so...why do you need multiple accounts when you can just follow anyone over the network?

@pixeldesu Two things: 1) Different instances will have different communities & flavors, and so you may want to participate differently in different places. 2) Some instances will choose not to federate with the larger network, and so you will not be able to just follow anyone over the network.

coderobe commented Apr 7, 2017

You can already participate in different places using the same account, that's the point of a federated system

lmorchard (Contributor) commented Apr 7, 2017

> You can already participate in different places using the same account, that's the point of a federated system

Like I just said: 1) Maybe you don't want to participate with an account from another instance and 2) Maybe that instance doesn't want you to participate with an account from another instance. Federation is an option, not an absolute.

pixeldesu commented Apr 7, 2017

@Spunkie if you use the federation to verify yourself, anyone else could verify themselves as you for x amount of instances.

You post a proof on your account, which usually looks like

> I verify that I'm @pixeldesu@mastodon.social on Mastodon
>
> [some hash value here]

Keybase will check your account for whether that post with the hash exists, and so you are verified to your Keybase account.

Sure, you won't have a verification on Mastodon itself, but once you are required to verify yourself, for example for abuse reports about your name on other instances, you can use your Keybase account for this.

Simple as that.
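The binding check exadeci described earlier (instance and user in the proof must match the account requesting verification), applied to the proof format pixeldesu describes above, as an added example; this is not Mastodon's or Keybase's code. It assumes the proof's cryptographic signature was already verified elsewhere; the handle regex, account-URL shape and sample proof text are my own assumptions.

```python
"""Binding check for a Keybase-style proof posted on a Mastodon account.

Added example, not Mastodon or Keybase code. It assumes the proof's
cryptographic signature was already verified elsewhere and checks only
the binding the thread insists on: the proof must name the *full*
@user@instance, and that must equal the account the proof was actually
fetched from, so a proof copied onto another instance is rejected.
"""
import re
from urllib.parse import urlparse

# A full handle with an instance part; a bare "@user" deliberately does not match.
HANDLE_RE = re.compile(r"@([A-Za-z0-9_]+)@([A-Za-z0-9.-]+)")


def handle_from_account_url(url: str) -> tuple:
    """'https://social.tchncs.de/@Kovah' -> ('kovah', 'social.tchncs.de')."""
    u = urlparse(url)
    m = re.fullmatch(r"/@([A-Za-z0-9_]+)/?", u.path)
    if u.scheme != "https" or not u.hostname or m is None:
        raise ValueError(f"not an https account URL: {url}")
    return m.group(1).casefold(), u.hostname.casefold()


def handles_in_proof(proof_text: str) -> set:
    """Every full handle named in the proof statement, case-folded."""
    return {(user.casefold(), inst.casefold().rstrip("."))
            for user, inst in HANDLE_RE.findall(proof_text)}


def proof_binds_account(proof_text: str, account_url: str) -> bool:
    """True only if the proof names exactly the account it was fetched from.

    A proof naming no full handle, or several, is rejected outright: an
    ambiguous proof is as useless as a missing one.
    """
    claimed = handles_in_proof(proof_text)
    if len(claimed) != 1:
        return False
    return claimed == {handle_from_account_url(account_url)}


# Constructed sample proof in the shape described in the thread.
SAMPLE_PROOF = (
    "I verify that I'm @pixeldesu@mastodon.social on Mastodon\n\n"
    "[signature / hash value would go here]"
)

if __name__ == "__main__":
    # Genuine location of the proof: accepted.
    print(proof_binds_account(SAMPLE_PROOF, "https://mastodon.social/@pixeldesu"))
    # Same text copied onto a same-name account on another instance: rejected.
    print(proof_binds_account(SAMPLE_PROOF, "https://social.targaryen.house/@pixeldesu"))
    # A proof that only says "@pixeldesu" binds nothing: rejected.
    print(proof_binds_account("I am @pixeldesu on Mastodon",
                              "https://mastodon.social/@pixeldesu"))
```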

coderobe commented Apr 7, 2017

And on top of that, doing it the way @pixeldesu described it allows everyone to independently verify your account and link different verifications (possibly on other services) back to this one and your cryptographic private key, there's no need for a centralized verification system.

This signature is cryptographically secure and there are no known ways to feasibly forge one.

nathanvda commented Apr 7, 2017

Most commenters here do not seem to get the actual problem. If we want to create a safe environment, then impersonation has to be recognised as a problem/harassment technique and handled accordingly.

So for starters: yes, the "domain" or mastodon server should more explicitly be a part of your handle. There is no need to register your handle on every server.

BUT impersonation is an actual problem: what if someone copies my handle, my profile picture and my profile description, only altering a small thing (e.g. I and l, capital i and lower case L, are indistinguishable on many platforms), and then this fake account starts tooting things that do not align with my viewpoints but will appear to be mine? We know this happens on twitter, that is why verified accounts exist.

I am not entirely sure how we can handle this:

  • can a user "report" an account as an impersonator? Who reports first? Is there some kind of inherent "karma/credibility" (the oldest account, the most followers, history, ...)
  • if it is a local account, my local administrator/moderator can decide which account is malicious and delete it?
  • what if the account exists on another mastodon server, and this administrator is malicious? we can blacklist the server but this actually does not take away the problem.

In this case a centralized space to check and verify identities could/would make life a lot easier. Imho this is very hard to solve in a federated world.
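The look-alike case nathanvda raises above (capital I versus lower-case l, and kennethlarsen's kovah versus kovaħ) as an added moderation-side example, not Mastodon code: it folds usernames and display names to a confusable "skeleton" and flags accounts that collide with a protected local account. The confusable table and the sample accounts are constructed for this example.

```python
"""Look-alike handle detection for an instance's moderation tooling.

Added example (not Mastodon code): flags accounts whose username or
display name is visually confusable with a protected local account's,
the "I vs l" / "kovah vs kovaħ" case raised in the thread.
"""
import unicodedata

# Single-character confusables folded to one representative. Constructed
# for this example; a real deployment would use the Unicode confusables table.
CONFUSABLE = {
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o", "ħ": "h", "5": "s", "$": "s",
}


def skeleton(name: str) -> str:
    """Normalize a name so visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    s = s.casefold()
    return "".join(CONFUSABLE.get(c, c) for c in s)


def find_lookalikes(protected, candidates):
    """Return (candidate_handle, protected_handle, reason) for every candidate
    whose username or display name is confusable with a protected account.

    protected / candidates: iterables of (username, instance, display_name).
    The protected account itself (same instance and username) is skipped;
    everything else, local or remote, is compared.
    """
    hits = []
    prot = [(u, d, n, skeleton(u), skeleton(n)) for u, d, n in protected]
    for user, inst, display in candidates:
        su, sn = skeleton(user), skeleton(display)
        for pu, pd, pn, psu, psn in prot:
            if inst.casefold() == pd.casefold() and user.casefold() == pu.casefold():
                continue  # this is the protected account itself
            if su == psu:
                hits.append((f"@{user}@{inst}", f"@{pu}@{pd}", "username"))
            elif sn and sn == psn:
                hits.append((f"@{user}@{inst}", f"@{pu}@{pd}", "display name"))
    return hits


if __name__ == "__main__":
    LOCAL = [("Kovah", "social.tchncs.de", "Kovah")]
    SEEN = [  # constructed sample of accounts seen on the federated timeline
        ("Kovah", "social.tchncs.de", "Kovah"),        # the real account
        ("Kovah", "social.targaryen.house", "Kovah"),  # copied handle elsewhere
        ("kovaħ", "example.org", "K."),                # h with stroke
        ("pixeIdesu", "example.org", "pixeldesu"),     # capital I for l, not Kovah
        ("someone", "example.org", "Kovah"),           # display name only
        ("kovah2", "example.org", "Kov"),              # not confusable
    ]
    for hit in find_lookalikes(LOCAL, SEEN):
        print(*hit)
```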

pixeldesu commented Apr 7, 2017

@nathanvda

  • on a local environment, your handle is unique
  • in the federation, your handle is unique
  • if there is another user with the same handle on another instance, with malicious intentions, report them to the instance admin using the contact address in /about/more

The centralized entity for verification would be Keybase, that's exactly what it does.

Read my post from above about how Keybase verification would work, that also works with verifying yourself on as many instances as you want.

Most of you are creating a problem that does not exist. I can guess most of you here, complaining about the need for verification, don't have a blue checkmark on your Twitter profiles. You are not even people of public interest. Who would want to target specifically you and impersonate you?

As said, Keybase is the way to go, let's hope we see some efforts from them coming in soon. It is centralized and could be used to verify you on multiple instances.

coderobe commented Apr 7, 2017

And whilst Keybase may be centralized, everyone can verify the proofs without a middleman like keybase as well. So if Keybase goes down, goes malicious, or anything else - your validations are still there, valid, and cryptographically sound.

Oceanity commented Apr 7, 2017

I'd definitely be down for an option to authorize another account (Twitter, YouTube, etc.) to prove ownership and link back to Mastodon as a makeshift form of verification, maybe with the ability to add an account to your Toots so people can easily see you are who you say you are.

Obviously this isn't great for people who don't want another account, but as an optional feature it'd be an easy way to have some layer of protection against impersonation.

I also think something that would help prevent impersonation at the Federated level is to make the name of the instance a user is on a bit more visible, as currently it is generally cut off until you view the user's profile. This could be accomplished the same way as the verified account display without being too intrusive.

ajroach42 commented Apr 7, 2017

@pixeldesu "Who would want to target specifically you and impersonate you?"
Abusers.

Many mastodon users are marginalized folks. Abusers impersonating trusted community members can be an issue.

wxcafe (Contributor) commented Apr 13, 2017

This is not something that can be fixed by mastodon (the proposition to make the name of the instance more visible can be opened in another issue, and all the other suggestions are basically to use another service and identify there). Therefore, I'm closing this issue.

wxcafe closed this Apr 13, 2017

ghost referenced this issue Jun 30, 2017: PGP Support #4007 (Closed)

abcang added a commit to pixiv/mastodon that referenced this issue Mar 12, 2018

joyeusenoelle referenced this issue Aug 19, 2018: Verified users #8276 (Closed)