Phishing Mitigation for Mastodon.social

When a person is already logged into a mastodon instance and visits a page on that instance associated with a user from another server, they are not redirected to the remote server, because it is easier to interact with the remote user using their existing local session. However, if a person without an account is just visiting, or they have an account but are logged out, mastodon redirects them to the remote server, presumably because mastodon doesn’t know whether they have a local account and the remote server has the complete and authoritative data for that remote user.

A welcome update to mastodon.social (included in 4.3.0-nightly) is a warning presented to visitors or logged-out users before mastodon redirects them to a remote server for the original page. The change, “Add confirmation when redirecting logged-out requests to permalink”, is particularly relevant to mastodon.social compared to other fediverse instances because mastodon.social has become a relatively big target for phishing. It’s a good bet that if someone is navigating the fediverse, their account is on mastodon.social. So, if an arbitrary victim is logged out of their mastodon.social account and visits a mastodon.social page belonging to the attacker, then prior to this mitigation, mastodon.social would automatically redirect the victim to the attacker’s page, which might be a fake login form designed to trick the victim into submitting their login credentials to the attacker’s site. Unfortunately, a significant percentage of people will submit the form.
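To make the two behaviours concrete, here is an added Ruby sketch (not Mastodon’s code) of the permalink decision described above. The function name, the `mitigated:` switch that models the pre- and post-4.3.0 behaviour, and the response-hash shape are this example’s own assumptions; the point it demonstrates is that the mitigated path never issues an automatic 302 to a remote host and instead shows the visitor the domain they are about to be sent to.

```ruby
require "uri"
require "cgi"

# Decide how to answer a request for a page belonging to a remote user.
#   logged_in:  whether the visitor has a local session
#   remote_url: the canonical URL of the remote user's page
#   mitigated:  true models the 4.3.0 confirmation step; false the old redirect
# Returns a small hash standing in for an HTTP response (example assumption).
def permalink_response(logged_in:, remote_url:, mitigated: true)
  if logged_in
    # Existing local session: serve the locally cached copy, no redirect.
    return { status: 200, body: "<h1>Local view of #{CGI.escapeHTML(remote_url)}</h1>" }
  end

  begin
    uri = URI.parse(remote_url)
  rescue URI::InvalidURIError
    return { status: 400, body: "Refusing to redirect to an unparseable URL" }
  end
  # Only ever forward visitors to http(s) origins; anything else is refused.
  unless uri.is_a?(URI::HTTP) && uri.host
    return { status: 400, body: "Refusing to redirect to a non-web URL" }
  end

  unless mitigated
    # Pre-mitigation behaviour: a silent redirect, the step phishing relied on.
    return { status: 302, location: remote_url }
  end

  # Mitigated behaviour: name the destination host and require an explicit
  # click, so the visitor can check the domain before leaving this server.
  host = CGI.escapeHTML(uri.host)
  body = <<~HTML
    <p>You are leaving this server for <strong>#{host}</strong>.</p>
    <p>Only continue if you expected to be sent there.</p>
    <a rel="noopener noreferrer" href="#{CGI.escapeHTML(remote_url)}">Continue to #{host}</a>
  HTML
  { status: 200, body: body, destination_host: uri.host }
end
```

The interstitial is the whole mitigation: it does not judge whether the remote host is trustworthy (the post explains why an allow-list is unattractive), it only makes the trust boundary visible before the visitor crosses it.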

One could imagine mastodon.social maintaining a list of trusted servers for automatic redirects but that would be an undesirable hornet’s nest and it’s not a bad thing when web surfers are conscious of the trust boundaries on the web.

Winer’s Law of the Internet

Something to keep in mind as big tech connects to the fediverse is Winer’s Law of the Internet which ends with

The large companies always try to make the technology complicated to reduce competition to other organizations with large research and development budgets.

This is 20 years old but it has stood the test of time.

Otisburg.social move post-mortem

I moved my account from @herestomwiththeweather@mastodon.social to @tom@herestomwiththeweather.com on January 2nd. In the spirit of learning from post-mortems, I am documenting a few mistakes I made.

One of the main motivations for the move was that over a year ago, I had configured webfinger on this site to point to the account I had on mastodon.social. But once someone has found me on mastodon, I would from then on be known by my mastodon identifier rather than the identifier with my personal domain. If I lost access to that particular mastodon account for whatever reason, I would be unreachable by that mastodon identifier. However, as I described in Webfinger Expectations, if my webfinger configuration points me to a server that will allow me to participate on the fediverse with my own personal identifier using my own domain, then in theory, if I lose access to the account on that server, I can swap it out with another similar server and be reachable again with my personal identifier. So, last week I moved to Otisburg.social which is running what I consider a minimum viable activitypub server called Irwin. As it is experimental, I am the only user on the server.

So what did I screw up? I didn’t plan for two things. Both are related to the diversity of software and configurations on the Fediverse.

First, although I was vaguely aware of the optional Authorized Fetch mastodon feature, I didn’t anticipate that it would prevent me from re-following some of my followers. Prior to the migration, I assumed this feature would not be enabled on any of the servers the people I followed were using. I quickly realized that I could not re-follow people on 3 servers which had this feature enabled. So, I lost contact with the people on those servers for a few days until I fixed it by also signing GET requests in addition to POST requests.
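The fix mentioned above, signing GET requests as well as POSTs, is what a server enforcing Authorized Fetch expects. The following is an added Ruby example (not Irwin’s or Mastodon’s code) of both halves of that exchange using HTTP Signatures over `(request-target)`, `host` and `date`, which are the headers Mastodon requires to be covered; the function names, the 12-hour clock-skew window and the key id are this example’s assumptions.

```ruby
require "openssl"
require "base64"
require "time"

# The string both sides sign. For a GET there is no body, so no Digest header;
# covering (request-target), host and date is what Authorized Fetch checks.
def signing_string(method, path, host, date)
  "(request-target): #{method.downcase} #{path}\nhost: #{host}\ndate: #{date}"
end

# Client side: headers for a signed GET of an ActivityPub resource.
# key_id is the URL of the fetching actor's public key (example value in tests).
def sign_get(private_key, key_id, host, path, date = Time.now.httpdate)
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"),
                               signing_string("GET", path, host, date))
  header = %(keyId="#{key_id}",algorithm="rsa-sha256",) +
           %(headers="(request-target) host date",) +
           %(signature="#{Base64.strict_encode64(signature)}")
  { "Host" => host, "Date" => date, "Signature" => header,
    "Accept" => "application/activity+json" }
end

# Parse key="value" pairs out of a Signature header into a hash.
def parse_signature_header(header)
  header.to_s.scan(/(\w+)="([^"]*)"/).to_h
end

# Server side: verify a signed GET against the fetching actor's public key.
# Rejects requests that do not cover the required headers, whose Date is
# outside the skew window, or whose signature does not verify.
def verify_get(public_key, headers, path, max_skew: 12 * 60 * 60)
  params = parse_signature_header(headers["Signature"])
  return false unless params["headers"] == "(request-target) host date"
  return false unless params["algorithm"] == "rsa-sha256"
  begin
    date = Time.httpdate(headers["Date"].to_s)
    raw = Base64.strict_decode64(params["signature"].to_s)
  rescue ArgumentError
    return false
  end
  return false if (Time.now - date).abs > max_skew
  public_key.verify(OpenSSL::Digest.new("SHA256"), raw,
                    signing_string("GET", path, headers["Host"], headers["Date"]))
rescue OpenSSL::PKey::PKeyError
  false
end
```

In a real deployment the verifier resolves `keyId` to the remote actor’s published public key (itself fetched with a signed GET) rather than holding it in memory, and a POST to an inbox additionally covers a `Digest` of the body.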

Second, I didn’t adequately prepare for the possibility that some of my followers would not automatically move to the new server. Of 96 followers, I had about 15 that did not successfully re-follow. It seems that some of these failed because they were not on a Mastodon server and their server did not adequately handle the Move activity sent by mastodon.social. Unfortunately, although mastodon allowed me to download a CSV file of the people I followed, it did not provide a link to download a file of followers, so I don’t know everyone I lost during the move.
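The followers that were lost above were on servers that did not act on the Move activity. As an added Ruby example (not the code of any server named in this post), here is what a receiving server has to do with that activity, including the one check that makes it safe to honour: the target actor must list the origin in `alsoKnownAs`, otherwise any account could redirect another account’s followers to itself. The sample activity and actor document are constructed for this example with placeholder ids; `fetch_actor` is injected so it runs offline, and in a real server it would be a signed GET of the target actor.

```ruby
require "json"

# Constructed sample Move, shaped like the one Mastodon delivers to each
# follower's inbox when an account migrates (ids are placeholders).
MOVE_ACTIVITY = JSON.parse(<<~JSON)
  {
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://old.example/activities/move-1",
    "type": "Move",
    "actor": "https://old.example/users/alice",
    "object": "https://old.example/users/alice",
    "target": "https://new.example/users/alice"
  }
JSON

# Constructed sample of the target actor document, as a signed GET would return it.
TARGET_ACTOR = JSON.parse(<<~JSON)
  {
    "id": "https://new.example/users/alice",
    "type": "Person",
    "alsoKnownAs": ["https://old.example/users/alice"]
  }
JSON

# Apply an inbound Move to one local user's follow list.
#   following:   array of actor ids the local user follows
#   signed_by:   the actor whose key verified the delivery's HTTP signature
#   fetch_actor: callable returning an actor document for an id (injected)
# Returns { ok: true, following: [...] } or { ok: false, reason: "..." }.
def apply_move(following, activity, signed_by:, fetch_actor:)
  return { ok: false, reason: "not a Move" } unless activity["type"] == "Move"
  origin = activity["actor"]
  target = activity["target"]
  # Only the account being moved may announce its own move.
  unless signed_by == origin && activity["object"] == origin
    return { ok: false, reason: "Move not signed by the moved account" }
  end
  return { ok: false, reason: "target equals origin" } if target == origin
  # Nothing to migrate if this user does not follow the origin account.
  return { ok: true, following: following } unless following.include?(origin)
  # The new account must point back at the old one via alsoKnownAs. Without
  # this, a compromised origin could hand its followers to an arbitrary target.
  aliases = Array(fetch_actor.call(target)["alsoKnownAs"])
  unless aliases.include?(origin)
    return { ok: false, reason: "target does not list origin in alsoKnownAs" }
  end
  # Swap the follow: drop the origin, follow the target (a Follow activity
  # to the target's inbox would be sent here in a real server).
  { ok: true, following: (following - [origin]) | [target] }
end
```

A server that simply ignores Move activities is exactly the failure mode described in the post: the follower keeps following the old, now-inactive account and silently drops off the moved account’s follower list.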

Otherwise, the move went well and it is a great feature and I’m glad to see an effort underway to standardize it.

One unresolved issue is that when someone visits my profile on a mastodon site, selecting “open original page” will fetch https://otisburg.social/actor/tom@herestomwiththeweather.com and the user would expect to see my status updates or toots or whatever you call them. However, currently that url redirects to this website and activitypub status updates are not available here.