It's dangerous to tell people to _always_ rely on Mastodon profile green URL checkmarks as an equivalent of Twitter's old thing: this advice is only valid on mainstream instances that have not modified (maliciously or otherwise) the URL verification code.

If someone wants to impersonate a celebrity/organization/etc., they can easily create a new Mastodon instance with modified green checkmark code.

#feditips #infosec cc: @gcluley

@arktronic @gcluley Would this work when viewing their profile from a mobile app or from another (uncompromised) instance? Or do interfaces just assume the host instance is telling the truth?

@gmarmstrong @gcluley Great question! I just tested this by removing the link to my instance from my GitHub account (thereby making that checkmark invalid, but still present due to caching), and viewing my Mastodon profile from a different instance. Looks like the other instance just trusts the info supplied by the origin one.

@arktronic @gcluley Interesting! I suppose the home instance could have been caching its own verification from earlier. I've never dived into the codebase. Any #MastoDev folks out there able to provide some insight?

@gmarmstrong @gcluley A clue! My instance is showing a different timestamp for your website than what's on infosec.exchange. This suggests that the Mastodon instances _do_ verify this stuff independently.

@arktronic @gcluley Very cool! That is a good sign, and the same happens for me on your profile. Still, you've raised a good point about how another instance (or even just a website that looks like a Mastodon interface) can be deceptive.
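
A reader who does not want to trust the checkmark an instance displays can repeat the check themselves. The sketch below is an added example, not code from this thread or from the Mastodon codebase; it assumes verification works as Mastodon documents it (the linked page must carry a `rel="me"` link back to the profile URL), and the function names, hosts and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: HTML of the website a profile claims to own.
SAMPLE_PAGE = """
<html><head><link rel="me" href="https://social.example/@alice/"></head>
<body>
<a href="https://social.example/@mallory">plain link, no rel</a>
<a rel="nofollow me" href="https://Other.Example/@alice">second account</a>
</body></html>
"""

class RelMeCollector(HTMLParser):
    """Collect href values of <a>/<link> elements whose rel contains "me"."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "me" in rel_tokens and attr.get("href"):
            self.hrefs.append(attr["href"].strip())

def normalize(url):
    """Reduce a URL to (scheme, host, port, path) for exact comparison."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (parts.scheme.lower(), host, parts.port, parts.path.rstrip("/"))

def links_back(page_html, profile_url):
    """True only if page_html has an https rel="me" link to profile_url."""
    want = normalize(profile_url)
    if want[0] != "https":
        return False  # a claim over plain http is not worth checking
    collector = RelMeCollector()
    collector.feed(page_html)
    # Exact host match: a lookalike host with the same path must not pass.
    return any(normalize(href) == want for href in collector.hrefs)

if __name__ == "__main__":
    print(links_back(SAMPLE_PAGE, "https://social.example/@alice"))
```

Fetching the page is left to the caller: retrieve it over HTTPS directly from the website, not through the instance whose checkmark is in question, and compare against the profile URL shown in the browser's address bar.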