Mastodon's federation introduces UX challenges.

One that worries me a lot is about message forgery. Anyone can forge a twoot, even cross-server.

Whereas Twitter Inc might be trustworthy enough to not forge transcripts, anyone can run a Mastodon server and might want to abuse it to influence people (see Russian troll campaigns).

Should Mastodon "home servers" cryptographically sign updates? Should there be end-to-end signatures? Does anyone have thoughts on this?

@fj I just learned that there's nothing stopping me from registering https://mastodon.cloud/@fj and pretending to be you. That's not really a technical challenge (the domain is an implicit part of the username) but sounds like usability hell.
@martijn_grooten Sure, but it will still appear as "[email protected]" on people's clients. Domains just don't show up when you're on the same server as the other person; then they are implicitly assumed.
@martijn_grooten Next step for Mastodon is to put all the usernames in a distributed ledger run by all the Mastodon servers to have a unique blockchain of usernames. #BlockchainAllTheThings #WhenAllYouHaveIsABlockchainEverythingLooksLikeANail
@fj Yeah, I don't think mentions are going to be very confusing. But imposter accounts? But maybe Mastodon isn't meant to be widely used; for a geeks-only social network, it's probably fine, and the decentralisation is a neat idea.