risks with relays on the fediverse, a thread

there are two main protocols used for relaying in the fediverse. both have overlapping areas of risk, though I tried to make mine as safe as I reasonably could.

the area where there is overlap is with metadata leakage: if you connect to a relay, in all cases, you are advertising the existence of an activitypub object at a specific URI. this is how relays relay: they induce ingestion of external posts as a side effect.

first, let's talk about my protocol for this, the litepub relay extension.

the way that it works is that a server wishing to connect to a relay simply follows an actor on the relay service. the actor then redistributes incoming Announce activities (mastodon calls these boosts) to those following it.

this causes posts to be ingested by resolving the URI in the Announce activity.

the only thing that is signed is the Announce activity, by way of an HTTP signature header covering the body's digest.

this is, in my opinion, the right way to implement relaying: you are advertising content at a given location, and then interested servers can go import the posts if they want to.

by comparison, let's talk about the Mastodon relay protocol.

this protocol is basically the opposite of mine: instead of subscribing to an *actor*, you subscribe to an inbox.

Mastodon then sends raw Create and Announce activities to that remote inbox, and the relay server forwards the raw activities along.

instead of HTTP signatures, the raw activities are signed with LDSigs, and Mastodon has no key rotation or expiry model. in other words, it sends activities that are signed by a unique key belonging to your account to these relays, and the signatures are forever.

myself and many other security engineers, as well as actual cryptographers, criticized this model for years, and still sometimes do, like now.

the question we should be asking is: how well do these relay protocols resist disclosure to adversarial parties (e.g. Palantir, harassment instances like poast, etc.)?

and to make things interesting, let's make it a poll: which protocol do you think is safer?

Announcing URIs to posts, nothing signed but the Announce itself: 65.4%
Forwarding LD-signed Create activities across the relay: 6.4%
Both are equally unsafe: 28.2%
Poll ended at .

alright. threat modeling time.

let's say that you are having a bad day, and you post something that could be considered a threat towards somebody more powerful than you: it could be a boss, it could be a politician, it could be the cop that wrote you a ticket earlier, whatever.

what happens with each approach to relaying?
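The two data flows described in the thread, as an added example that is not part of the original posts or of either project's code. It simulates a litepub-style relay (the relay actor re-announces only the object URI, signed with an HTTP signature over the body digest, and the downstream server has to fetch the post from the origin) beside a Mastodon-style relay (the raw Create activity, post content and LD signature included, is forwarded unchanged). All hosts, URIs and keys are constructed; the signatures are HMAC stand-ins so the script runs with the standard library only (real deployments use RSA-SHA256 over the same draft-cavage signing string, and LD signatures are public-key signatures anyone holding the public key can verify). The `Origin` class's block list is an assumed origin-side policy, there to show which model leaves the origin any say over who receives the content.

```python
import base64
import hashlib
import hmac
import json

# constructed stand-ins: in practice the relay actor and the origin account
# each hold an RSA key pair; HMAC keeps this runnable offline
RELAY_KEY = b"relay-actor-key"
ORIGIN_LD_KEY = b"origin-account-key"
ORIGIN_HOST = "origin.example"
NOTE_URI = f"https://{ORIGIN_HOST}/notes/1"
DATE = "Mon, 01 Jan 2024 00:00:00 GMT"


def digest_header(body: bytes) -> str:
    """Digest header as used by fediverse HTTP signatures: SHA-256=<base64>."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(path: str, host: str, date: str, digest: str) -> str:
    """draft-cavage signing string over (request-target), host, date and digest."""
    return "\n".join([f"(request-target): post {path}", f"host: {host}",
                      f"date: {date}", f"digest: {digest}"])


def sign_request(key: bytes, path: str, host: str, date: str, body: bytes) -> dict:
    digest = digest_header(body)
    mac = hmac.new(key, signing_string(path, host, date, digest).encode(), hashlib.sha256)
    return {"Host": host, "Date": date, "Digest": digest, "Signature": mac.hexdigest()}


def verify_request(key: bytes, path: str, headers: dict, body: bytes) -> bool:
    """Recipient check: the Digest must match the body, and the signature must
    cover the Digest, so a relayed body cannot be altered unnoticed."""
    if not hmac.compare_digest(headers["Digest"], digest_header(body)):
        return False
    expected = hmac.new(key, signing_string(path, headers["Host"], headers["Date"],
                                            headers["Digest"]).encode(), hashlib.sha256)
    return hmac.compare_digest(headers["Signature"], expected.hexdigest())


def ld_sign(activity: dict, key: bytes) -> dict:
    """Stand-in for an LD signature: it lives inside the JSON and stays valid
    wherever the activity is copied, which is the property the thread criticises."""
    payload = json.dumps(activity, sort_keys=True).encode()
    return {**activity, "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def ld_verify(signed: dict, key: bytes) -> bool:
    body = {k: v for k, v in signed.items() if k != "signature"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.compare_digest(signed["signature"],
                               hmac.new(key, payload, hashlib.sha256).hexdigest())


class Origin:
    """Constructed origin server holding one public Note (assumed block policy)."""

    def __init__(self):
        self.objects = {NOTE_URI: {"id": NOTE_URI, "type": "Note",
                                   "content": "constructed post text"}}
        self.blocked_hosts = set()

    def fetch(self, uri: str, requesting_host: str):
        if requesting_host in self.blocked_hosts:
            return None  # the origin still decides whether to serve the object
        return self.objects.get(uri)


def litepub_relay(origin_announce: dict, followers: list) -> dict:
    """litepub model: the relay actor re-announces only the object URI."""
    body = json.dumps({"type": "Announce", "actor": "https://relay.example/actor",
                       "object": origin_announce["object"]}).encode()
    return {h: (sign_request(RELAY_KEY, "/inbox", h, DATE, body), body) for h in followers}


def mastodon_relay(signed_create: dict, subscribers: list) -> dict:
    """Mastodon model: the raw, LD-signed Create is forwarded unchanged."""
    return {h: signed_create for h in subscribers}


def downstream_view(origin: Origin, downstream_host: str) -> dict:
    """What a downstream server ends up holding under each relay model."""
    headers, body = litepub_relay({"type": "Announce", "object": NOTE_URI},
                                  [downstream_host])[downstream_host]
    if not verify_request(RELAY_KEY, "/inbox", headers, body):
        raise ValueError("relay signature did not verify")
    uri = json.loads(body)["object"]          # all the relay disclosed: the URI
    fetched = origin.fetch(uri, downstream_host)

    create = ld_sign({"type": "Create", "actor": f"https://{ORIGIN_HOST}/users/a",
                      "object": origin.objects[NOTE_URI]}, ORIGIN_LD_KEY)
    forwarded = mastodon_relay(create, [downstream_host])[downstream_host]
    return {
        "litepub": {"uri": uri, "content": None if fetched is None else fetched["content"]},
        "mastodon": {"content": forwarded["object"]["content"],
                     "signature_valid": ld_verify(forwarded, ORIGIN_LD_KEY)},
    }


if __name__ == "__main__":
    origin = Origin()
    print(downstream_view(origin, "down.example"))
    origin.blocked_hosts.add("down.example")   # origin withdraws service after the fact
    print(downstream_view(origin, "down.example"))
```

Run with the block on one host and the origin blocking that host afterwards: under the litepub model the downstream server is left holding the URI and a failed fetch, while under the Mastodon model it already holds the content together with a signature that still verifies, because nothing in that flow ever went back to the origin.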

@ariadne I'm not sure I quite understand. isn't activitypub an open ecosystem? it doesn't really make much sense to try super hard to limit who can see your public content

I mean if it's something like an AI scraper that's super aggressive, that's one thing, but if it's just like once per post I don't think much can be done in general about that
@stag it is possible to have an open ecosystem that has good metadata hygiene. we are talking largely about metadata here.
@ariadne metadata, actual content, does it matter? once you release something on the public internet in an open ecosystem you don't control it anymore. you no longer have control over where it goes.

if you don't like that, don't make it public

@stag again this is not about the typical use case, but rather about edge cases that well-behaved social platforms are expected to solve for, like stalking mitigation.

I'm not interested in debating this.

@ariadne that's just... not a solvable problem. you really can't expect any social platform to be able to solve stalking unless you post privately. you can't have any expectation of privacy when you do things publicly. that's how the internet works.