because direct messages on Mastodon are clear-text, all admins are subject to warrants from their local/regional law enforcement agencies

same with usage metadata like IP addresses and time stamps

i disabled IP logging in UFW and nginx, but Mastodon itself still logs this to be able to present it to the user for authentication transparency

making mastodon more resistant to targeted surveillance would be valuable to protect users

#mastoAdmin #mastodonAdmin

@yawnbox Does it break things if you put a proxy in front of it that doesn't pass X-Forwarded-For?
@varlogsimon i like the idea of doing manual interventions like that. i'm sure it can be done. but what i think is important is Mastodon itself making structural changes, ideally opt-out changes, that default to protecting user and admin privacy
@yawnbox I don't disagree! Ideally one could turn this off with a setting in the admin area. Was just curious if you knew whether that is a stopgap measure.
@varlogsimon I'm not experienced with using nginx as a proxy but i know it is commonly used as such. i wonder if a simple reconfig there would accomplish this same effect (making the login IP 127.0.0.1 instead of the actual IP). might be a simple upstream change?
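
The stopgap discussed in this exchange, sketched as an nginx reverse-proxy fragment. This is an added example, not part of the thread and not Mastodon's own configuration; the upstream address `127.0.0.1:3000` and the single `location /` layout are assumptions.

```nginx
# Added example: reverse-proxy block in front of the Mastodon web process.
# Upstream address and location layout are assumptions; adapt to the real site file.

location / {
    # Common setup (shown commented out): the client address is forwarded,
    # so the application can record it with each login and session.
    # proxy_set_header X-Real-IP       $remote_addr;
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Stopgap: nginx does not pass a header to the upstream when its value is
    # set to an empty string. This also drops any copy of these headers that
    # the client sent itself, so the application only sees the proxy's own
    # address (127.0.0.1 when nginx runs on the same host).
    proxy_set_header X-Forwarded-For "";
    proxy_set_header X-Real-IP       "";
    proxy_set_header Forwarded       "";
    proxy_set_header Client-IP       "";

    # Headers the application still needs to build correct URLs.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:3000;
}

# Apply the same four empty headers in every other location that proxies to
# the application (for example a separate streaming endpoint), otherwise the
# client address still reaches it through that path.
```

With the headers removed, any per-IP rate limiting or abuse control inside the application treats all clients as one address, so check login and API behaviour under normal load before relying on this.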

@yawnbox Looks like there's already a feature to limit how long it's kept: https://github.com/mastodon/mastodon/pull/18757

there's an open issue: https://github.com/mastodon/mastodon/issues/6474

and someone wrote a guide: https://libreops.cc/2022/05/09/mastodon/

ip_cleanup_scheduler: Make IP and session retention configurable by kescherCode · Pull Request #18757 · mastodon/mastodon

In #6474, there are mentions of IP addresses being stored for too long (1 year). While this pull request doesn't allow disabling the storage of IP addresses, it would allow instance admins to limit...

@varlogsimon thanks!! i added my feedback