Today I was fortunate to have my picture taken with Morris Lukowich during Hockey Day in Houston at Saint Arnold Brewing. The best hockey games I have ever watched in-person were the 1977-78 Houston Aeros. The WHA All-Star game was in Quebec City on January 17, 1978 and for the picture I believe it is Lukowich’s All-Star jersey from that game that I have borrowed.
When a person is already logged into a mastodon instance and visits certain pages on that instance associated with a user from another server, they are not redirected to the remote server, because it is easier to interact with the remote user through their existing local session. However, if a person without an account is just visiting, or they have an account but are logged out, mastodon redirects them to the remote server, presumably because mastodon cannot tell whether they have a local account and the remote server holds the complete and authoritative data for that remote user.
A welcome update to mastodon.social (included in 4.3.0-nightly) is a warning shown to visitors and logged-out users before mastodon redirects them to a remote server for the original page. The change, “Add confirmation when redirecting logged-out requests to permalink”, is particularly relevant to mastodon.social compared with other fediverse instances, as mastodon.social has become a relatively big target for phishing: it’s a good bet that someone navigating the fediverse has their account on mastodon.social. So, prior to this mitigation, if a victim who was logged out of their mastodon.social account visited a mastodon.social page belonging to an attacker, mastodon.social would automatically redirect the victim to the attacker’s page, which might be a fake login form designed to trick the victim into submitting their login credentials to the attacker’s site. Unfortunately, a significant percentage of people will submit such a form.
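As an added illustration, not code from Mastodon itself, here is a minimal Ruby sketch of the decision the mitigation makes: a visitor with a local session is served the local page, and a logged-out visitor bound for another server gets a 200 confirmation page naming the destination host instead of an immediate 302. The function names, parameters and interstitial markup are my own assumptions.

```ruby
require 'uri'
require 'erb'

# What to do with a request for a local permalink whose canonical copy lives on a remote server.
RedirectPlan = Struct.new(:action, :target_host, :target_url)

# Decide between serving the local copy and showing a confirmation page. Parameter names are
# hypothetical, not Mastodon's own: logged_in is whether the visitor has a local session,
# remote_url is the canonical URL on the remote server, local_host is this instance's hostname.
def plan_permalink_response(logged_in:, remote_url:, local_host:)
  uri = URI.parse(remote_url) rescue nil
  # Malformed targets and non-http(s) schemes (javascript:, data:, ...) are never redirected to.
  return RedirectPlan.new(:serve_local, nil, nil) if uri.nil? || !uri.is_a?(URI::HTTP) || uri.host.nil?
  # A visitor with a local session interacts through that session; no redirect at all.
  return RedirectPlan.new(:serve_local, nil, nil) if logged_in
  # The target is this instance itself, so there is nothing to leave for.
  return RedirectPlan.new(:serve_local, nil, nil) if uri.host.casecmp?(local_host)
  # Logged-out visitor heading off-site: answer 200 with an interstitial instead of a 302.
  RedirectPlan.new(:confirm, uri.host, uri.to_s)
end

# Confirmation page template. ERB::Util.h HTML-escapes every interpolated value, so a remote
# hostname or path cannot inject markup into the interstitial served from the local instance.
INTERSTITIAL = ERB.new(<<~HTML)
  <p>You are leaving <%= ERB::Util.h(local_host) %> for <strong><%= ERB::Util.h(plan.target_host) %></strong>.</p>
  <p>Verify this is the server you expect before entering any credentials there.</p>
  <a rel="noopener noreferrer" href="<%= ERB::Util.h(plan.target_url) %>">Continue to <%= ERB::Util.h(plan.target_host) %></a>
HTML

# Render the interstitial for a :confirm plan; the visitor must click through explicitly.
def render_interstitial(plan, local_host)
  INTERSTITIAL.result_with_hash(plan: plan, local_host: local_host)
end
```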
One could imagine mastodon.social maintaining a list of trusted servers for automatic redirects but that would be an undesirable hornet’s nest and it’s not a bad thing when web surfers are conscious of the trust boundaries on the web.
Something to keep in mind as big tech connects to the fediverse is Winer’s Law of the Internet, which ends with:
The large companies always try to make the technology complicated to reduce competition to other organizations with large research and development budgets.
This is 20 years old but it has stood the test of time.