Frédéric JacobsApr 5, 2017

Mastodon's federation introduces UX challenges.

One that worries me a lot is about message forgery. Anyone can forge a twoot, even cross-server.

Whereas Twitter Inc might be trustworthy enough to not forge transcripts. Anyone can run a Mastodon server and might want to abuse it to influence people (see Russian troll campaigns).

Should Mastodon "home servers" cryptographically sign updates? Should there be end-to-end signatures? Anyone has thoughts on this?

Show threadMartijn GrootenApr 5, 2017
@fj I just learned that there's nothing stopping me from registering https://mastodon.cloud/@fj and pretending to be you. That's not really a technical challenge (the domain is implicit part of the username) but sounds like usability hell.
Show threadFrédéric JacobsApr 5, 2017
@martijn_grooten Sure but it will still appear as "[email protected]" on people's clients. Domains just don't show up when you're on the same server as the other person, then they are implicitly assumed.
Show threadMartijn Grooten
@fj Yeah, I don't think mentions are going to be very confusing. But imposter accounts? But maybe Mastodon isn't meant to be widely used; for a geeks-only social network, it's probably fine, and the decentralisation is a neat idea.
Apr 5, 2017 at 6:03pmWeb