Security isn’t about protecting everything from everything. It’s knowing what you’re protecting from what (and what you’re not protecting). That’s why we use threat models.
An analogy: you don’t protect food from the environment; you protect different types of food from different factors of the environment. You might design a heat lamp to protect the freshness of your dinner but a freezer for your ice cream. What you don’t do is design a heat lamp and assume it’ll protect your ice cream also.
@bhaugen On the fediverse, in its current incarnation at least (if we’re talking about ActivityPub), there is no expectation of privacy. Everything is public. I don’t know if there’s a formal threat model of ActivityPub in the spec (it’s been a while since I looked at it).
@aral @bhaugen ActivityPub, from the spec perspective, *IS NOT* everything is public. That's a common misunderstanding due to the most popular instance being a Twitter clone. But that's false. ActivityPub's origins come from trying to bring email-like private addressing (to the extent email really is private) to the fediverse, with public stuff being a special exception.
And that's not even to consider the current stuff I'm exploring in Spritely, which is taking some of that further.
@cwebber @bhaugen When I said “everything is public”, I meant it in the same way that email is public (it’s a post card, not a letter in an envelope). I should have been more precise: it’s not end-to-end encrypted and thus does not have any privacy guarantees. I believe you’re working on that with Spritely? (Skimmed.)
@aral still, both email and ap's "privacy guarantee" is the same: your messages will be private to the servers that receive them. that doesn't preclude the "rogue admin" threat model, but it doesn't make either "public" per se.
even if your measuring stick for privacy is e2ee, you're basically making the mistake of equivocating existing implementations with the spec itself. pgp exists for email, but hasn't been done yet for ap. it's like saying xmpp is public despite omemo
The original server operated by the Mastodon gGmbH non-profit