I'm going to take a look at the propagation code for DMs to get a better idea of the possible attack vectors. I suspect there is a bunch of confusion and misinformation out there.
@jpwarren very profound for this early in the morning
@trentyarwood I had trouble getting to sleep last night because my brain loves thinking about all things Mastodon, apparently.
@jpwarren this is an apt metaphor for all things digital
@katgallow "Regular business, now with computers!" 😆
@jpwarren I think the big issue is trusting the admins of other instances. So maybe limiting DMs to local users? Or warning people if they DM outside their instance?
@ozjimbob @robcorr @jpwarren But since 90% of people use Gmail, most folks only need to trust that Google's internal controls are good. Unfortunately, fully private DMs are impossible if you want a portable web UI (since the server needs to be able to decrypt to display the message). Unfortunate, and seriously non-trivial to fix.
@robcorr Cross-instance comms is important, so making it per-instance only probably isn't the right call.
@robcorr But I suspect they're not re-propagating. Like, if I DM you on your remote instance, why would it send the DM to other instances later?
It seems more like an authentication issue: Am I DM-ing the real you?
@robcorr Same issue as with people using similar handles to push crypto-scams, etc., really.