this post was submitted on 24 Jun 2024
27 points (88.6% liked)

Open Source

31060 readers
419 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] -3 points 4 months ago (2 children)

But we already have Mastodon for the same purpose?

[–] [email protected] 8 points 4 months ago (1 children)

it seems like maybe this is compatible, and is easier to host for a single user instance

[–] [email protected] -5 points 4 months ago (2 children)

I'm not an expert at infrastructure stuff but "single user instance" sounds quite a bit like "peer to peer", "trackable" and "IP leak" to me

[–] [email protected] 6 points 4 months ago (1 children)

Yep, that would be the ip adres of my €5 a month VPS somewhere in an german datacenter.

[–] [email protected] -5 points 4 months ago (1 children)
[–] [email protected] 5 points 4 months ago (1 children)

How would that be leaking, home hosters aside?

[–] [email protected] -2 points 4 months ago (1 children)

It can be intercepted by the owner of the server that the instance the user is registered on uses

[–] [email protected] 4 points 4 months ago

Which happen to be myself. And the datacenter facility owner.

[–] [email protected] 2 points 4 months ago

It's the same concept as running a mastodon server but turning off registration. No more or less secure.

[–] [email protected] 8 points 4 months ago (1 children)

This is about making your own personal instance of a microblog that's ActivityPub enabled. It's much lighter than running Mastodon that's mean to be a hosting platform for a lot of users.

[–] [email protected] -2 points 4 months ago (1 children)

Hmmm but that means my device (phone or computer) has to be online all the time for all features to work right?

[–] [email protected] 8 points 4 months ago (1 children)

No, it means you run your own VPS to host your personal blog.

[–] [email protected] -2 points 4 months ago (1 children)

What is a VPS? If it's a server, there's nothing new here. I thought it's a 2 in 1 client+server technology like you can do in old Minecraft Java versions (your machine is both a server and a client of its own server)

[–] [email protected] 4 points 4 months ago (1 children)

Yes, it's a virtual server that you can get from a provider like Digital Ocean. It's not running on your machine locally, it's the same thing that the admins of Mastodon instances have to do to run Mastodon servers.

[–] [email protected] -5 points 4 months ago (1 children)

Huh I thought the servers were real and ran on bare metal of volunteers like it's supposed to be

[–] [email protected] 3 points 4 months ago (1 children)

pretty much nobody runs servers on bare metal nowadays

[–] [email protected] -1 points 4 months ago* (last edited 4 months ago) (2 children)

Huh but how about security? Is anything even zero access encrypted???

[–] [email protected] 3 points 4 months ago (1 children)

It's really up to you how you set up your server and the datastore. This has nothing to do with Hollo. Again, there's no difference between this and running a Mastodon server that will also need infrastructure like a db to back it.

[–] [email protected] -1 points 4 months ago (1 children)

Hmm sounds very unsafe to me. The cloud server provider can do anything, including logging all the traffic and sending it to the NSA for criminal finding and analysis purposes. Well I heard it's almost impossible to get data deleted from Mastodon so whatever.

[–] [email protected] 2 points 4 months ago (1 children)

I don't know what to tell you, but this is how modern internet works. Also, nobody is forcing you to get a server in a jurisdiction where US has access to. Meanwhile, any traffic is encrypted via HTTPS, so the provider can't actually log it. It sounds like you have a very superficial understanding of the subject you're debating here.

[–] [email protected] -1 points 4 months ago (2 children)

This is an unpopular take because laziness, lack of quality and lack of care are the standards now but "this is how modern internet works" isn't an excuse at all. That's what FOSS is trying to change actually. But I guess the Fediverse is far behind in terms of security now. Not having everything encrypted on a server you don't own is a massive flaw. Privacy as in data mining seems to be a bit better than what Big Tech offers as long as you trust the instance and its server provider though.

[–] [email protected] 5 points 4 months ago (1 children)

This has nothing to do with the original topic of discussion or Hollo in particular. You're now arguing about pros and cons of using a VPS service. I also have no idea why you keep making statements like "not having everything encrypted on a server you don’t own is a massive flaw". You absolutely can have everything encrypted running a VPS. You don't understand the subject you're discussing.

[–] [email protected] 0 points 4 months ago (2 children)

The original discussion was about Hollo but now it's about Mastodon. They're almost the same things anyways. And if you can have everything encrypted on a VPS it does not mean every instance owner (and even every major instance owner) will do it. Here I think we need an official requirement by Mastodon and probably a code integration so it's impossible to have everything decrypted without breaking the federation support. The performance will be cut in half at best but at least IP and metadata mining attacks will be harder to perform.

[–] [email protected] 2 points 4 months ago (1 children)

How would encryption even make sense here? Up to the server, everything is protected via TLS. And if you don't trust the server provider, you can encrypt all you want, but they can just read out the RAM of the VPS or they could have backdoored the bare metal hardware to do the same. As long as the server has to somehow work with the data in question, the decryption keys have to be somewhere in there. And what do you mean by code integration? We're talking FOSS here, how could someone prevent me from removing any "is everything encrypted?" checks in Mastodon? Also, what does the encryption on other federated instances even matter? Without having any in depth knowledge about Mastodon, your user agent will hardly be sent to other instances, and when and what you posted is meant to be visible.

[–] [email protected] 1 points 4 months ago

Code integration means that all Mastodon data a server stores is automatically encrypted on arrival. But even in that case it can be intercepted on decryption or in RAM as you mentioned. FDE + trustworthy provider can be a good option still. I don't think any providers except the most sketchy ones will try to read the RAM. Anyways all of that is impossible to enforce so we're really waiting for a breach with this one.

[–] [email protected] 1 points 4 months ago (1 children)

They're not almost the same thing at all, and your whole position is weird given that the context is social media which is fundamentally content people want to publish publicly.

[–] [email protected] 0 points 4 months ago* (last edited 4 months ago) (1 children)

My point is not about the content. My point is about the metadata which I clearly mentioned in one of my replies. Even though Mastodon doesn't collect much unnecessary metadata afaik there is still some required stuff. At this point I suspect you in causing a fight. Your constant downvotes are a proof of it.

[–] [email protected] 3 points 4 months ago (1 children)

What metadata is collected by third parties is completely tangential to the topic of the submission. However, as I've repeatedly tried to explain to you, there is no practical difference between running on bare metal which nobody does nowadays, or running a VPS. At this point it's quite clear that you're just trolling, so I'm going to stop here. Bye.

[–] [email protected] -1 points 4 months ago

We're either having drastically different definitions of metadata here or you're just trying to fight (that is more likely). The metadata I meant is collected by the first party (the server) and includes but is not limited to IP, interaction timestamps (the most important thing), file type, user agent (approximate browser name). Also since the data on the server isn't required to be encrypted, all account information (that can contain emails and 2FA keys) is unsafe too. At this point my suspicion of you not keeping the discussion civil is too high to continue it so I'm glad you chose to stop it yourself. I hope I could explain my point clearly and prove my innocence in this situation.

[–] [email protected] 4 points 4 months ago

Fediverse itself is a privacy/GDPR minefield of epic proportions.

[–] [email protected] 3 points 4 months ago* (last edited 4 months ago)

Nope, everyone blindly trusts AWS/Crimeflare/etc. to MITM all their traffic, storage and servers and never happen to do anything bad or leak any data. One day it's going to bite everyone in the ass.

Even when you use AWS's encryption feature for the VM itself, they hold the keys for you.