this weekend i made a library for working with activitypub servers :blobcatsurprised:


it expands on work i did to try and answer the question "how many dead servers am i connected to?"

once i'm done with the docs (currently in the testing phase) i'll publish it someplace

somebody tell me about the activitypub threat model for when a server's domain name expires and years later is bought by a malicious party in order to assume the role or rights of a specific actor

@garbados I was thinking about this very same thing today as I was cleaning up my follows of dead instances

They should expire after a week or two of no contact.

@garbados Practically, same as with basically any kind of federated system: The identity is the address (user@host for email/XMPP/webfinger, URL for ActivityPub) and the protocol tends to leak the social graph/contact list over time.
And well, email is very slow & inefficient at it (but OpenPGP leaks it securely :D), XMPP is almost instant at it and you can recover it fully, and I think current ActivityPub is basically fast email.
I think we could make it better but making it good would require crypto and you need to be really careful with it.

@garbados dead fedi servers make up so much garbage in sidekiq

@adasauce i was astounded to learn there's no garbage collection process for dealing with them

@adasauce someone's gonna buy an obscure domain name that happened to belong to a masto instance years ago and find themselves bombarded by the federated timeline's collective traffic, a force tantamount to a distributed attack.

@garbados i started issuing domain blocks for a while as a stopgap, but it was a huge pain and started adding a bunch of load going through and deleting local content and media.

gave up after a while
