There is a new optional feature in the master branch called authorized-fetch mode, which requires all fetches of ActivityPub resources to be signed, which in turn allows to reject fetches from domain-blocked servers.
Enabling this right now is not a great idea because current Mastodon versions don't sign all requests, so some functions would be impacted, a slow roll-out is advised #mastodev
@Gargron Implement a "if this thing sends in signed requests block unsigned" sort of thing?
Do these changes impact clients at all?
@Gargron I assume even with this enabled public posts can not be viewed by anyone running something other than mastodon? Or does it not effect public posts and one effects posts you share friends-only?
As always thanks for your hard work.
@freemo Public posts will remain viewable in the browser
@Gargron Cool, so its really just a way to make the followers-only posts actually enforcable. Makes sense.
This also means it wont work with anything but mastodon servers right? Its not ActivityPub standard compliant I presume?
@freemo No, followers-only posts are already enforcable. It's a way to make public posts enforcable. And no, signatures are a basic component of ActivityPub, so it's not a break away from standards.
@Gargron Ahh wonderful, thank you for all the info. Good luck. As always if i can help with anything just let me know.
@Gargron when is signing expected to be in Mastodon? Also will a whitelist mode be an option?
@Gargron Signed can mean many things, so would you mind elaborating on whether you mean HTTP Signatures, Signed JSON-LD, or something else?
I'd like to include any new techniques in my whitepaper on unwanted message on the fediverse (have you read it?)
@emacsen Talking about HTTP signatures.
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!