there are two main protocols used for relaying in the fediverse. both have overlapping areas of risk, though I tried to make mine as safe as I reasonably could.
the area where there is overlap is with metadata leakage: if you connect a relay, in all cases, you are advertising the existence of an activitypub object as a specific URI. this is how relays relay: they induce ingestion of external posts as a side effect.
first, let's talk about my protocol for this, the litepub relay extension.
the way that it works is that a server wishing to connect to a relay simply follows an actor on the relay service. the actor then redistributes incoming Announce activities (mastodon calls these boosts) to those following it.
this causes posts to be ingested by resolving the URI in the Announce activity.
the only thing that is signed is the Announce activity, by way of an HTTP signature header covering the body's digest.
this is, in my opinion the right way to implement relaying: you are advertising content at a given location, and then interested servers can go import the posts if they want to.
by comparison, let's talk about the Mastodon relay protocol.
this protocol is basically the opposite of mine: instead of subscribing to an *actor*, you subscribe to an inbox.
Mastodon then sends raw Create and Announce activities to that remote inbox, and the relay server forwards the raw activities along.
instead of HTTP signatures, the raw activities are signed with LDSigs, and Mastodon has no key rotation or expiry model. in other words, it sends activities that are signed by a unique key belonging to your account to these relays, and the signatures are forever.
myself and many other security engineers, as well as actual cryptographers criticized this model for years, and still sometimes do, like now.
the question we should be asking is: how well do these relay protocols resist disclosure to adversarial parties (e.g. Palantir, harassment instances like poast, etc.)?
and to make things interesting, let's make it a poll: which protocol do you think is safer?
alright. threat modeling time.
let's say that you are having a bad day, and you post something that could be considered a threat towards somebody more powerful than you: it could be a boss, it could be a politician, it could be the cop that wrote you a ticket earlier, whatever.
what happens with each approach to relaying?
@stag again this is not about the typical use case, but rather about edge cases that well-behaved social platforms are expected to solve for, like stalking mitigation.
I'm not interested in debating this.