this post was submitted on 20 Aug 2023
2 points (62.5% liked)

Lemmy Support

4656 readers
21 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 5 years ago
MODERATORS
 

Hello !

When someone connects to my instances communities, but from another instance, how do I know it's no spoofing involved?

Cheers

you are viewing a single comment's thread
view the rest of the comments
[–] Wander@yiffit.net 3 points 1 year ago (11 children)

Messages are sent with a digital signature that only the original instance could craft.

[–] Loulou@lemmy.mindoki.com 2 points 1 year ago* (last edited 1 year ago) (6 children)

Okay so it's the lemmt server running my instance that checks it is the right user. Do you know how it is done ?

I reread your post, so it's a signature in the http call?

[–] Wander@yiffit.net 3 points 1 year ago

It should be a signature that is sent together with the ActivityPub Object. Yes, if the signature doesn't match, the content, whether a post, comment, favorite, upvote, etc... should be dropped.

Here is the source code of the library that lemmy uses to handle incoming objects and you can see that it does a call to verify the signature of the actor:

https://docs.rs/activitypub_federation/latest/src/activitypub_federation/actix_web/inbox.rs.html#18-54

load more comments (5 replies)
load more comments (9 replies)