• PhilipTheBucket@ponder.cat
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 day ago

      Okay. What part of the spec did Pixelfed violate? Where in the spec is Mastodon’s implementation of private posts justified?

      • troed@fedia.io
        link
        fedilink
        arrow-up
        2
        ·
        1 day ago

        Read more, post less. I’ve said nothing about any spec violation. That’s not relevant.

        • PhilipTheBucket@ponder.cat
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 day ago

          I’ve said nothing about any spec violation. That’s not relevant.

          It has everything to do with ActivityPub since if you follow that protocol strictly you will cause this behavior.

          That’s what I was going by. I guess I could re-read this now and interpret “this behavior” as Pixelfed’s side, instead of Mastodon’s side as I initially read it, and decide that you are agreeing with me that Mastodon’s behavior was (and is) out of spec? Do I have that right?

          It still doesn’t change that Dansup was told that this caused Bad Things™ and yet he didn’t follow normal procedure in how you handle it.

          It is normal procedure to fix a bug when you are notified about it.

          The design flaw in Mastodon that managed to bite Pixelfed in this situation still exists. People were writing about it back in 2017 when this was all being first implemented. The idea that “normal procedure” needs to include keeping it a secret that Mastodon’s “private” statuses can be exposed by any server software that doesn’t handle them in the way that’s expected, is 100% wrong.

          I’ll rephrase what I said earlier: Since you’re a security researcher, and you apparently think Dan should have played into the idea of keeping it a secret that Mastodon’s private statuses are not secret by obfuscating the information about how he was fixing Pixelfed to more effectively hide them, you are bad at your job. In this instance. The fault lies with how private statuses are implemented, and nothing about that needs to be kept secret as would a normal vulnerability, during responsible disclosure. In fact, it is extremely harmful to let users believe that these privacy settings are anything other than vague recommendations, specifically because of the risk they will act accordingly and expose some of their private posts to the world. They should know exactly what’s going on with it, and Dan accidentally failing to keep that a secret is in no way causing bad things.

          • troed@fedia.io
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            1 day ago

            You have absolutely no idea what “responsible” in “responsible disclosure” means :) It’s completely irrelevant how Mastodon has implemented private posts when it comes to how Dansup handled the issue, knowing what the effects were.

            You don’t, when told of a vulnerability, handle it in a way that cause harm if it can be avoided.

            • PhilipTheBucket@ponder.cat
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 day ago

              Yeah, you said that stuff before and then you said it again. I do understand what your argument is here. I was trying a couple of different ways of explaining what I was saying in response, but it seems like it’s not working. Oh well.