Infosec.Pub

The Fediverse – a network comprised of Mastodon, Pleroma and other adjacent projects – suffers from the same glaring contradiction. Similar to email nodes, servers (known as Instances within this network) are branded around common interests, political beliefs or sexualities. Users are encouraged to join the servers that resonate with them. Like Scuttlebutt, political and sexual expression is warmly encouraged; in just one example, after centralised media moved to close the accounts of sex workers to comply with new US anti-sex trafficking laws, a Mastodon Instance named Switter was created to offer space for these individuals to continue to operate safely. Switter is now one of the largest Instances in the network.

This collection of networks offers no end to end encryption. Anyone with administrator access to an Instance can read anything that travels through that Instance’s infrastructure – including direct messages. The level of risk correlates with the number of cross-Instance interactions between users. If users from different Instances communicate, an attacker need only compel one Instance to reveal the direct messages between all of the interacting accounts. The centralised equivalents – Twitter, Tumblr, etc – can cloak their users through governance and resources. In a peer-to-peer network without encryption, there’s no structure, no agreed-upon governance, and absolutely no protection. Compromising or compelling an Instance or its staff means that all of network traffic is laid bare to its assailant.

I’d love to have a discussion on this (now fairly old) article which IMO has yet to provoke the kind of much-needed action on this topic that we, as a community of cypherpunks, are capable of.