A quick note of something that may be important for people to know: I already noted that DMs here are a bit sketchy security-wise, but (THIS IS THE IMPORTANT BIT): if you mention someone else's account in a DM, Mastodon yoinks them into the conversation.

So, you know, if you think you're talking about someone behind their back, you might be doing it to their face.

@mmasnick uh, that seems like an amazingly dumb design decision
@meditativezebra
@mmasnick

It's because they're not *really* DMs. What they are are statuses with a privacy level set to "only those mentioned" (and mentioning causes a notification to show up).

When sending a status to an outgoing instance you should also be aware that an instance can just ignore your request for privacy. There was one instance that was modified to do this in 2016, none others since to my knowledge, but yeah. The status is otherwise not encrypted or anything.
@techpriest @meditativezebra @mmasnick IMO none of that justifies how it works. It is terrible that you can’t mention someone without sending the message to them. And it’s terrible that the UI doesn’t provide a more clear indication of who is going to receive the message. These are different, unrelated, and bigger problems than lacking e2e encryption.
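
A pre-send check for the behaviour discussed in this thread, added here as an illustration and not code from any poster or from Mastodon: because an "only those mentioned" status is delivered to every account it mentions, the function lists who a draft would reach, flags anyone the writer did not intend, and names the remote instances that would receive the unencrypted text. The mention pattern, function names, handles and domains are assumptions constructed for the example.

```python
import re

# Simplified @user / @user@domain pattern (an assumption for this sketch,
# not Mastodon's own mention parser). The lookbehind skips e-mail addresses.
MENTION_RE = re.compile(
    r"(?<![\w@/])@([A-Za-z0-9_]+)(?:@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))?"
)

def mentioned_accounts(text, local_domain):
    """Return every handle mentioned in a draft, fully qualified and lowercased."""
    found = set()
    for user, domain in MENTION_RE.findall(text):
        found.add(f"{user}@{domain or local_domain}".lower())
    return found

def audit_direct_draft(text, intended, local_domain):
    """Compare who a 'mentioned only' status reaches with who the writer meant."""
    recipients = mentioned_accounts(text, local_domain)
    wanted = set()
    for handle in intended:
        handle = handle.lstrip("@").lower()
        wanted.add(handle if "@" in handle else f"{handle}@{local_domain}")
    remote = {h.split("@")[1] for h in recipients} - {local_domain}
    return {
        "recipients": sorted(recipients),
        # Mentioned, therefore notified, but not someone the writer chose.
        "unintended": sorted(recipients - wanted),
        # Servers that receive the plaintext and are trusted to honour privacy.
        "remote_instances": sorted(remote),
    }

if __name__ == "__main__":
    # Constructed sample draft: the writer means to message only alice.
    draft = "@alice@example.social honestly @carol has been impossible lately."
    report = audit_direct_draft(draft, ["alice@example.social"], "home.example")
    for key, value in report.items():
        print(f"{key}: {value}")
```
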