⚠️ Do not be HACKED !!
General Discussion
1
Posts
1
Posters
10
Views
-
⚠️ Do not be HACKED !! 😱
Software updates include not only new features but also critical security fixes. To keep your site secure and stable, ensure you always use the latest version.
We frequently observe numerous sites across the Fediverse running very outdated versions of Mastodon or Misskey. Some sites are even using versions over a year old.
Be the smart administrator and keep your site up to date.
#Mastodon #Misskey #Fediverse #ActivityPub #PixelFed #PeerTube #InfoSec #Security
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@jdt the way I interpret it for JSON-LD documents is that the fragment is the actual name of the property inside the document that the IRI refers to. So in the case of a public key would be https://example.com/jdoe#publicKey (instead of jdoe#main)
I haven't seen anything in the documentation to give a more explicit, or different, mechanism.
-
@mariusor@metalhead.club That's great context; thanks!
-
@silverpill@mitra.social That makes sense. I guess I was getting a little bit spun around by the idea that the keyId is not the Actor id and thinking too hard about it.
-
@jdt the fragment in a JSON-LD document IRI has a semantic meaning that goes back to RDF: https://www.w3.org/TR/rdf11-concepts/#section-fragID
> a secondary resource that is usually a part of, view of, defined in, or described in the primary resource, and the precise semantics depend on the set of representations that might result from a retrieval action on the primary resource.
-
@jdt You're supposed to fetch the keyId first, then fetch its owner (or controller).
But in practice its either /main-key (GoToSocial) or fragment ID, so it is indeed possible to save a HTTP request.
-
keyId is a problem.
Generally speaking, most Actors have a `keyId' that looks something like:
https://enigmatick.social/user/jdt#main-keyWhen an inbox POST arrives from an unknown user, we can chop off the bit including #main-key and we can pull the remaining URL as the Actor's ID.
But some implementations decided they should use /main-key instead. That indicates that the keyId format is unreliable and not well-specified. So I switched to deferring this header check for unknown Actors deeper into my ingestion pipeline so that I could retrieve the actor string from the object being sent. That works pretty well.
But GET requests. Like followers_synchronization. Dammit. There's no object to refer to. So we're back to parsing the keyId and hoping for meaning.
Out of 124,007 Actors in my database, 587 do not comply with the #main-key convention.
enigmatick=> select count(*) from actors where as_public_key->>'id' NOT LIKE '%#main-key'; count ------- 587 (1 row)For full coverage, I need to accommodate /main-key and #key as well
#ActivityPub
-
@reiver I'd consider interoperating social networks to be "federated", but I know it's not a precise term. There are similar ambiguities with other commonly used terms: decentralization, server, node, instance, and so on. We have our personal definitions but find that others have a different mental model than ours. It might be interesting to have a collaborative social web glossary that captures the variations of how these terms are used.
-
@rimu@mastodon.nzoss.nz Definitely. Offloading the static assets to nginx is a big win. Varnish adds a layer of serving from memory that takes it up a notch. Like having your own Fastly pop.
It does require some configuration nuance to be sure you aren't serving cached assets to the wrong connections (e.g., authenticated GET requests that shouldn't be shared beyond a specific session).
