:ellie: Noëlle the 8-Bit🏳️‍🌈🎄 is a user on elekk.xyz.
:ellie: Noëlle the 8-Bit🏳️‍🌈🎄 @noelle

Witches.Town folks: Before you leave/the site shuts down, please remember to go to Settings > Data Export. You can grab lists of the people you're following, blocking, and muting, and request an archive of your toots.

(You can currently import your follow/block/mute lists to another account, but you can't upload your toot archive. But at least you'll /have/ them.)


@noelle Yes, well if they're exported in ActivityPub format (which would make sense) then importing toots would probably be too easy to exploit in order to spoof messages.

A database import would probably work, but I suspect most admins of other instances would be loath to do that.

@adversary @noelle I don't know anything about the ActivityPub format, but it would be cool to have a signature that can be verified against the server's public key, to allow trusted imports

@forivall @noelle I haven't had time to read through the whole thing, but that "trusted import" idea is precisely how spoofing could be done.

What you really want is a message structure which includes a digital signature on the content of each toot (or other action) which originates with the account owner.

@forivall @noelle As I said, I haven't pored through it yet, but I'm fairly sure the Mastodon auth/oauth model simply requires authentication for a session, but not separate signatures on every single transmission or request.
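The per-toot signature idea from the replies above, as an added sketch that is not code from this thread, from Mastodon or from the ActivityPub spec: each archived toot carries a signature made with the account owner's key, and the importer accepts only toots that verify against the public key it already holds for that author. The field names, the RSA/SHA-256 choice and the sample accounts are assumptions.

```ruby
require 'openssl'
require 'json'

DIGEST = 'SHA256'

# Bytes covered by the signature: author, timestamp and content in a fixed order.
def signing_input(toot)
  JSON.generate([toot['author'], toot['published'], toot['content']])
end

# The account owner signs one toot; 'signature' is a hypothetical field name.
def sign_toot(toot, owner_key)
  sig = owner_key.sign(OpenSSL::Digest.new(DIGEST), signing_input(toot))
  toot.merge('signature' => [sig].pack('m0')) # strict base64
end

# The importer trusts neither the archive nor the server it came from, only the
# public key it already holds for the claimed author (assumed known beforehand).
def import_archive(toots, known_keys)
  accepted, rejected = [], []
  toots.each do |toot|
    pub = known_keys[toot['author']]
    ok = begin
      !pub.nil? && toot['signature'].is_a?(String) &&
        pub.verify(OpenSSL::Digest.new(DIGEST),
                   toot['signature'].unpack1('m0'), signing_input(toot))
    rescue ArgumentError, OpenSSL::PKey::PKeyError
      false # malformed base64 or unusable signature counts as unverified
    end
    (ok ? accepted : rejected) << toot
  end
  { accepted: accepted, rejected: rejected }
end

# Constructed sample archive: one genuine toot, one edited after signing,
# one signed with someone else's key, one with no signature at all.
def demo
  owner = OpenSSL::PKey::RSA.new(2048)
  other = OpenSSL::PKey::RSA.new(2048)
  known_keys = { 'alice@old.example' => owner.public_key }
  base = { 'author' => 'alice@old.example', 'published' => '2018-04-01T12:00:00Z' }
  genuine  = sign_toot(base.merge('content' => 'Moving instances soon.'), owner)
  edited   = genuine.merge('content' => 'Edited after signing.')
  wrongkey = sign_toot(base.merge('content' => 'Signed by another key.'), other)
  unsigned = base.merge('content' => 'No signature attached.')
  import_archive([genuine, edited, wrongkey, unsigned], known_keys)
end

result = demo
puts "accepted=#{result[:accepted].size} rejected=#{result[:rejected].size}"
```

Only the toot whose content, author and timestamp match the owner's signature is accepted; the other three are reported as rejected rather than imported.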

@noelle also remember to check out pentacl.es when the DNS is ready. It will be redirected soon I think (@viomi made it)