Lemmy.zip

2,809 readers
224 users here now

Welcome to Lemmy.zip - a community for like minded people to come and have a chat about almost anything. From games to tech, to anything else, come and have a chat.

If you're new and would like to join Lemmy.zip, please fill in the sign up form. Email verification is required. (Please check your spam folder!)

Once you're signed up, come and introduce yourself in our Home community!

Useful Links

m.lemmy.zip - Our Mobile/Tablet site
old.lemmy.zip - A familiar desktop experience!
a.lemmy.zip - A desktop-first UI
t.lemmy.zip - An alternative Mobile/Tablet UI with lots of features!
Join our Matrix Chat!

Instance Rules

To maintain the high standard of discourse and interaction we all value, each user must adhere to the guidelines outlined in our Code of Conduct. This set of rules is designed not just to maintain order but also to ensure a safe and inclusive environment for everyone to share their thoughts and ideas.

What to Expect in Our Code of Conduct:

Respectful Communication: We strive for positive, constructive dialogue and encourage all members to engage with one another in a courteous and understanding manner.
Inclusivity: Embracing diversity is at the core of our community. We welcome members from all walks of life and expect interactions to be conducted without discrimination.
Privacy: Your privacy is paramount. Please respect the privacy of others just as you expect yours to be treated. Personal information should never be shared without consent.
Integrity: We believe in the integrity of speech and action. As such, honesty is expected, and deceptive practices are strictly prohibited.
Collaboration: Whether you're here to learn, teach, or simply engage in discussion, collaboration is key. Support your fellow members and contribute positively to shared learning and growth.

If you enjoy reading legal stuff, you can check out legal.lemmy.zip.

Funding

If you would like to contribute to the upkeep of Lemmy.zip, please head over to OpenCollective.
Anything you're happy to donate is very highly appreciated!
You'll even get your name in the Thank You thread.

If you want to use PayPal, you can donate via Ko-Fi:

Server

founded 1 year ago

ADMINS

Demigodrick

Sami

ZippyBot

Authorized Fetch Circumvented by Alt-Right Developers (wedistribute.org)

submitted 8 months ago by [email protected] to c/[email protected]

2 comments fedilink

A controversial developer circumvented one of Mastodon's primary tools for blocking bad actors, all so that his servers could connect to Threads.

We’ve criticized the security and privacy mechanisms of Mastodon in the past, but this new development should be eye-opening. Alex Gleason, the former Truth Social developer behind Soapbox and Rebased, has come up with a sneaky workaround to how Authorized Fetch functions: if your domain is blocked for a fetch, just sign it with a different domain name instead.

Gleason was originally investigating Threads federation to determine whether or not a failure to fetch posts indicated a software compatibility issue, or if Threads had blocked his server. After checking some logs and experimenting, he came to a conclusion.

“Fellas,” Gleason writes, “I think threads.net might be blocking some servers already.”

What Alex found was that Threads attempts to verify domain names before allowing access to a resource, a very similar approach to what Authorized Fetch does in Mastodon.

You can see Threads fetching your own server by looking at the facebookexternalua user agent. Try this command on your server:

grep facebookexternalua /var/log/nginx/access.log

If you see logs there, that means Threads is attempting to verify your signatures and allow you to access their data.

176

Authorized Fetch Circumvented by Alt-Right Developers (wedistribute.org)

submitted 8 months ago by [email protected] to c/[email protected]

72 comments fedilink

Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

Authorized Fetch Circumvented by Alt-Right Developers (wedistribute.org)

submitted 8 months ago by [email protected] to c/[email protected]

11 comments fedilink

Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.