1480
Welp that answers a lot of why all .ml are down (i.imgur.com)
submitted 11 months ago* (last edited 11 months ago) by BarterClub@sh.itjust.works to c/technology@lemmy.world
516 comments fedilink hide all child comments

https://very.bignutty.xyz/notes/9hf13it1ced3b2za

you are viewing a single comment's thread
view the rest of the comments
[-] Wander@yiffit.net 178 points 11 months ago

No, the signatures wouldn't match.

[-] Saik0Shinigami@lemmy.saik0.com 4 points 11 months ago

That's an assumption that lemmy will quit federating with a server that does not match.

And what signature are we talking about anyway? Is not certificates...

[-] Wander@yiffit.net 17 points 11 months ago

Activitypub signatures that each user and group sends out their messages with.

[-] priapus@sh.itjust.works 1 points 11 months ago

It's not an assumption, it's how activitypub works.

[-] Saik0Shinigami@lemmy.saik0.com 0 points 11 months ago

Can you show me documentation that shows communities or servers are signed?

[-] priapus@sh.itjust.works 2 points 11 months ago
[-] Saik0Shinigami@lemmy.saik0.com 1 points 11 months ago

So looking at that spec... Nothing there is validation that current messages originate from an "original" server...

I don't think either of these signature options for Server to Server communications means that my current lemmy.saik0.com instance can't be torn down (delete LXC container) and reconfigured as a brand new instance (New LXC container) and other instances wouldn't know that there's been a change to the instance running here... or more accurately would flag a change. I think these signatures are all about not being able to spoof OTHER instances. eg, lemmy.ml can't send messages on behalf of lemmy.world.

[-] priapus@sh.itjust.works 1 points 11 months ago

I assumed that once federated the public key would be remembered and signatures that do not match it would be handled, but you may be correct. I do wonder whether this could be a problem as instances close down over time. I'll have to spend some more time researching to see if there's a more clear answer, or if any ActivityPub implementations have their own way of handling that situation.

[-] Saik0Shinigami@lemmy.saik0.com 1 points 11 months ago

Yeah that's my worry. I'm pretty sure(and could be wrong) that message/ keys are only checked on ingestion. So i would get key value for a message coming in and can check that is currently valid, not that it's "changed" since 2 months back. I think this could allow for some one to ressurrect an old Lemmy service and masquerade as the old one... communities , users... all of it.

this post was submitted on 21 Jul 2023
1480 points (98.9% liked)

Technology

55693 readers
2853 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world