Option to decide for each toot which servers it may be sent to #983

Open
Natanji opened this Issue Apr 5, 2017 · 10 comments

7 participants
@Natanji

Natanji commented Apr 5, 2017

There are a multitude of situations in which you might want certain toots to only be sent to certain other servers. For instance, users might want to exchange sensitive photos (e.g. nudes) via private messages, but this should fail if the other user is on an untrusted instance on which the admin might be malicious and fish out that photo.

It is important that this setting can be different for different toots, because I might want to post publicly to the whole fediverse usually, and still have control over my more sensitive data.

In issue #423 there is already the proposal for allowing each user to control which posts they see in their timeline by whitelisting/blacklisting server instances globally for an account; but the proposal does not actually deactivate federation of your own toots towards these instances, as far as I can see.


  • I searched or browsed the repo’s other issues to ensure this is not a duplicate.
@Exagone313

Exagone313 commented Apr 5, 2017

I don't understand the issue. If you send a private message to a user, it's sent to the user's instance. Unless you use third-party clients that encrypt your sensitive content locally, you can't prevent instance owners from reading their database's content (or from providing a false way to encrypt messages server-side).

@yiskah

Collaborator

yiskah commented Apr 5, 2017

Do not post nudes on Mastodon they are not encrypted and absolutely cannot be guaranteed not to be leaked.

Seriously. The OStatus protocol as a base really cannot be made to protect your nudes.

@yiskah

Collaborator

yiskah commented Apr 5, 2017

The reason they are called "Direct Posts" and not "Private Messages" is because they are by no means private. Just because they don't show up does not mean they are private. Please please please don't use Mastodon DMs for things you wouldn't want a stranger potentially seeing. Use XMPP or Discord or something

@Exagone313

Exagone313 commented Apr 5, 2017

Discord isn't a good example, it's a proprietary software.

@Natanji

Natanji commented Apr 6, 2017

Note above that I said "private", not "direct" messages. Private means all my followers can see my toot. But I might have 100 followers and not know exactly on which servers they are. I might want to still only show my sensitive content to those from my own - or a list of trusted - servers. This is e.g. an incredibly important feature for antifascists or other underground groups who want an easy way to communicate, but cannot let their info get into the wrong hands.

Also, I can assure you that "don't use Mastodon for xy" is never going to work. Users share nudes in particular over any kind of communication channel, so you cannot handwave your way out of this, people ARE going to use it for that.

With Twitter or Google, I can trust a huge company to keep my data safe because I know it would be a fucking shitstorm costing them lots of money if any of that data leaked out. With Mastodon, there is nothing comparable. Of course an admin can always recover the data from the database, that is what this is about: trusting specific server admins is the only thing we got.

Since servers encrypt their OStatus communication towards each other via SSL, I don't see why Mastodon cannot protect sensitive data? That is, if users can choose which servers may see my information. Which is what this issue is about.

I'd wager Mastodon should never even offer the possibility for private or direct messages if it isn't going to give users a way to actually keep this information safe, by trusting at least their own server admin.

@yiskah

Collaborator

yiskah commented Apr 6, 2017

I think this may be something @Gargron should explain. We had a controversy a while back about people posting nudes and sensitive information in private posts and this being a big deal that we wanted to discourage it. The way that Gargron put it "OStatus as a protocol is built for publishing information out into the world, not concealing it."

The data is SSL but it's not End-To-End PGP etc.

If you have activist friends who need to avoid government interception, please have them use something like Signal and encrypted XMPP. Not Mastodon. For now, regular private posts always stay local and, unless you tag a user on a remote instance, will not be delivered off your server. If you have an instance being used for stuff like this that needs to not widely federate, for now you can use a whitelist system to only federate to servers you trust.
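
Added example (not Mastodon's code and not from anyone in this thread): a hypothetical Ruby delivery filter sketching what both the per-toot allow-list proposed in the opening post and the instance-wide trusted-server list yiskah mentions above would have to do when a post is fanned out to follower inboxes. The function names, the sample inbox URLs and the allow-list contents are all made up for illustration. Two details the discussion implies but does not spell out are made explicit here: hosts are matched exactly (a subdomain of a trusted instance must not inherit its trust), and a strict mode refuses the whole delivery when any recipient falls outside the list, so the author finds out before sensitive media leaves the server instead of it being quietly sent to a subset. Because the thread relies on TLS between servers, a plain-http inbox is treated as not deliverable.

```ruby
require 'uri'

# Hypothetical per-toot federation allow-list (example code, not Mastodon's).
# Every name below is made up for illustration.
#
# allowlist semantics:
#   nil   -> feature off, deliver to every follower inbox (normal federation)
#   []    -> no remote delivery at all (local-only)
#   [...] -> only inboxes whose host exactly matches one of the listed domains

class AllowlistError < StandardError; end

# Host of an inbox URL, lower-cased. Returns nil for anything that is not a
# well-formed https URL: the thread relies on TLS between servers, so a
# plain-http or unparsable inbox is treated as not deliverable.
def inbox_domain(inbox_url)
  uri = URI.parse(inbox_url)
  return nil unless uri.is_a?(URI::HTTPS) && uri.host
  uri.host.downcase
rescue URI::InvalidURIError
  nil
end

# Exact match only. "evil.mastodon.social" must not inherit the trust an
# author placed in "mastodon.social"; whoever controls a subdomain of a
# trusted host could otherwise receive the post.
def domain_allowed?(domain, allowlist)
  !domain.nil? && allowlist.include?(domain)
end

# Split follower inboxes into those we may deliver to and those the
# allow-list blocks. Order of the input is preserved.
def partition_inboxes(inboxes, allowlist)
  return { deliver: inboxes.dup, blocked: [] } if allowlist.nil?

  allowed = allowlist.map(&:downcase)
  deliver, blocked = inboxes.partition { |url| domain_allowed?(inbox_domain(url), allowed) }
  { deliver: deliver, blocked: blocked }
end

# strict: true is the behaviour the opening post asks for with sensitive
# media: if any recipient falls outside the allow-list, refuse the whole
# delivery and surface the error to the author rather than sending to a
# subset silently.
def deliver_targets!(inboxes, allowlist, strict: false)
  result = partition_inboxes(inboxes, allowlist)
  if strict && result[:blocked].any?
    raise AllowlistError,
          "refusing delivery: #{result[:blocked].size} inbox(es) outside the allow-list"
  end
  result
end

# Constructed sample follower inboxes (not real accounts).
SAMPLE_INBOXES = [
  'https://mastodon.social/users/alice/inbox',
  'https://EVIL.mastodon.social/inbox',     # subdomain of a trusted host
  'https://friends.example/inbox',
  'http://plain.example/inbox',             # no TLS
  'not a url'
].freeze

if __FILE__ == $PROGRAM_NAME
  r = partition_inboxes(SAMPLE_INBOXES, ['mastodon.social', 'Friends.example'])
  puts "deliver: #{r[:deliver].inspect}"
  puts "blocked: #{r[:blocked].inspect}"
  begin
    deliver_targets!(SAMPLE_INBOXES, ['mastodon.social'], strict: true)
  rescue AllowlistError => e
    puts e.message
  end
end
```

Running it with the constructed list delivers only to mastodon.social and friends.example; the look-alike subdomain, the plain-http inbox and the malformed entry are all blocked, and the strict call raises instead of delivering. None of this protects against an admin on a server that is on the list; it only scopes which admins the author is choosing to trust, which is exactly the framing in the opening post.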

@Natanji

Natanji commented Apr 6, 2017

In what way is OStatus different from email, regarding the privacy considerations? The way I see it, both are transport encrypted but not end-to-end, and in both cases you need to trust the server admin of your own and of the remote server to not look at your data even though they could. Is this any worse on OStatus? If it isn't, well, then we only need to fix what I propose in this issue here: giving you control over which other servers your info can be sent to.

The info that private posts are local is interesting, is the description wrong then? Because it says "Post to followers only" but that kind of implies that all followers are gonna see it, not just local ones.

The downside of Signal is phone numbers, which reveals people's identities easily. The problem of encrypted XMPP is that it's either a mess and not MUC-compatible (OTR), a mess and unusably complicated to maintain (PGP), or not really widely available (OMEMO). And all of those are ways to interact with people you already know, not like Twitter where you slowly grow into a community of like-minded people. Therefore, Mastodon will definitely be used (just like Twitter) for these purposes, so I'd say there should be effort put in to at least make that as safe as possible (and warn users about what Mastodon cannot give them in security).

@yiskah

Collaborator

yiskah commented Apr 7, 2017

On all that I do agree with you. With private posts we never specified in the UX that they stay local because it's something I guess back then everyone knew and there were only like four instances anyway ^^;; definitely a mistake. In general private posts do need to be reworked to play nicer with federation. I agree that with specifically private posts having a trusted domain list for that instance would be a good system. I also think making privacy limitations clear is really important and I'm still uncomfortable with people using Mastodon to disseminate stuff they don't want the government intercepting.

@deutrino

deutrino commented Nov 15, 2017

This sounds like a great deal of implementation complexity for very little gain. People may abuse a platform for use cases for which it is ill-suited. In that situation, it's not the platform that's the problem.

abcang added a commit to pixiv/mastodon that referenced this issue Apr 17, 2018

@Cassolotl

Cassolotl commented May 26, 2018

Related to custom federation levels (at the very least, for private posts) #712.

@Gargron Gargron added suggestion and removed enhancement labels Oct 20, 2018
