Frédéric JacobsApr 5, 2017

Mastodon's federation introduces UX challenges.

One that worries me a lot is about message forgery. Anyone can forge a twoot, even cross-server.

Whereas Twitter Inc might be trustworthy enough to not forge transcripts. Anyone can run a Mastodon server and might want to abuse it to influence people (see Russian troll campaigns).

Should Mastodon "home servers" cryptographically sign updates? Should there be end-to-end signatures? Anyone has thoughts on this?

Show threadLeifur Halldor AsgeirssonApr 13, 2017
@fj I'm not an expert on the OStatus protocol used by Mastodon, but if I understand correctly, messages are signed and exchanged through the Salmon protocol. So I don't think it's as easy to forge a toot as it is to forge, say, an email on a domain that doesn't use SPF
Show threadLeifur Halldor Asgeirsson
@fj whoops, the previous replies weren't showing up in my client, sorry for the redundant reply!
Apr 13, 2017 at 5:12pmWeb