
@hrefna To ask a maybe silly question: I thought AP’s use of HTTP Signatures meant the messages, including the domain of the account, were tied to WebPKI? Of course this absolutely doesn’t stop someone from running an AP server from totally ignoring the signatures (and, e.g., substituting other content), which is maybe the actual threat here?

@gsnedders A few things are important here, the first of which is that HTTP Signatures aren't part of AP at all ^^

So since it is orthogonal, both the use of signatures and how we use them are more localized server design choices than something intrinsic to AP.

Second: the signature is non-forwardable and the key is owned by the server, not by the user. It isn't the domain of the _account_ that is controlling, it is the domain of the server, which "owns" the account and can act on its behalf.

@hrefna@hachyderm.io @gsnedders@glauca.space AP mandates HTTPS though, right? It's more of we use HttpSignature because it's already there, but nothing is forcing us to use it as a way of verifying things. We have things like json-ld signing. (I've seen signed activities, they're cool)

@puppygirlhornypost2

Nope. It does not mandate a secure channel at all, and there's some resistance to adding that as a requirement:

github.com/w3c/activitypub/iss

(It also doesn't specify HTTP at all, but that's a separate question)

@gsnedders

GitHub: Change HTTPS requirement to be MUST for publicly facing servers · Issue #429 · w3c/activitypub, by ThisIsMissEm

@hrefna@hachyderm.io @gsnedders@glauca.space Yay. I was told it did during one of my shitposts about AP over FTP instead of HTTP.

@puppygirlhornypost2

I keep threatening to write one almost entirely in gopher, including for S2S pieces.

@gsnedders

Jenniferplusplus

@hrefna @puppygirlhornypost2 @gsnedders I think it doesn't specify http in the same way it doesn't have servers. It does require the application/ld+json content type and accept headers. I'm not sure how many other contexts that would make sense.

But that's kind of separate to whether you could (yes) or should (no) do it.

@jenniferplusplus

Oh 100%. Absolutely.

I've just been informed very confidently that—despite that it is written almost entirely in HTTP terms down to response codes—it still does "not require" HTTP.

@puppygirlhornypost2 @gsnedders

I've just been informed very confidently that

😂