Fediverse

28398 readers

924 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
Follow the general Lemmy.world rules.

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 1 year ago

MODERATORS

ruud@lemmy.world

Xylinna@lemmy.world

MrCenny@lemmy.world

TragicNotCute@lemmy.world

automodbeta@lemmy.world

woelkchen@lemmy.world

ActivityPub: what stops a malicious actor to post from domains they don't own? (yiffit.net)

submitted 1 year ago* (last edited 1 year ago) by Wander@yiffit.net to c/fediverse@lemmy.world

3 comments fedilink hide all child comments

I'm trying to better understand Activitypub and I understand that there's a signature to avoid forgeries of known accounts.

However I'm having trouble understanding what prevents a malicious actor from sending a private spam message supposedly from a never before seen account name with valid generated key pair but for a domain they've never bought since there is no DNS lookup or test.

Thank you!

you are viewing a single comment's thread
view the rest of the comments

[–] syboxez@lemmy.world 1 points 1 year ago (1 children)

On the point of 2, it could be made optional, so that the user could choose.

[–] terribleplan@lemmy.nrd.li 1 points 1 year ago

Maybe... I am working on an AP implementation that will reject anything not signed with VCDI because it has such desirable properties. In my implementation all crypto is done client-side only, so the server can't reasonably be expected to do HTTP signing.