Mike Masnick ✅Nov 6, 2022

A quick note of something that may be important for people to know: I already noted that DMs here are a bit sketchy security wise, but (THIS IS THE IMPORTANT BIT): if you mention someone else's account in a DM, Mastodon, yoinks them into the conversation.

So, you know, if you think you're talking about someone behind their back, you might be doing it to their face.

Show threadPaul LalondeNov 7, 2022
@mmasnick rule number one: never say anything about anyone that you're not willing to say to their face. Makes so many things easier!
Show threadMike Masnick ✅Nov 7, 2022
@FluxLalonde again, it's not just for THOSE situations. I was using that as an example so people would get why this is a concern. I was pulled into a non-insulting conversation and it just resulted in some confusion.
Show threadPaul Lalonde
@mmasnick agreed. Private direct messages, or authenticated sourcing of messages looks like a perfect opportunity for automatic public/private key management. I'm sure I'm not the first to think of this in the federated context.
Nov 7, 2022 at 1:36amMastodon for Android
Show threadCyborg 2-A ✅Nov 7, 2022
it's likely no different than twitter. It's up to the client to display messages intended for the recipient. The server actually blasts messages all over the place, to people you don't know. A simple "like" or whatever it's called on Mastodon, turns into maybe 10,000 messages. a PKI system might be cool but how do you mange the private key? On the server is no-go. Uploading to a web site is no-go. Note that Mastodon and all other federated servers already use a PKI system behind the scenes, so that joe-blow in whattayacallit can't joe-job you. But as far as you sending a secret message to your pal, you should probably use PGP.
Show threadCyborg 2-A ✅Nov 7, 2022
or, use a client that supports OMEMO, the "server" doesn't have know anything about it, right?