Welcome Guest
Login
Magic Sign-On
Remote Authentication
Home
Magic Sign On
Apps
System Apps
Directory
Help
Language
Random Channel
Report Bug
Search
Tue, 06 Feb 2024 21:41:11 -0600
View Profile
Evan Prodromou
evan@cosocial.ca
It's important that ActivityPub developers include data integrity checks for inbound activities.
Link to Source
show all
7 comments
Tue, 06 Feb 2024 23:12:34 -0600
View Profile
naturzukunft
naturzukunft@mastodon.social
@evan
Hey Evan, can you explain that a bit ?
Link to Source
Tue, 06 Feb 2024 23:35:05 -0600
last edited: Tue, 06 Feb 2024 23:35:34 -0600
View Profile
Scott M. Stolz
scott@loves.tech
Are you talking about making sure that an incoming message is not corrupted, or are you talking about making sure the sender is who they say they are, or both?
Link to Source
Wed, 07 Feb 2024 15:33:44 -0600
View Profile
Jordan
jwf@cybervillains.com
@naturzukunft
@evan
yes! Please elaborate.
Link to Source
Wed, 07 Feb 2024 16:29:22 -0600
View Profile
Evan Prodromou
evan@cosocial.ca
@jwf
@naturzukunft
I'm writing a book about ActivityPub. I am working on the section of the chapter about inbound activities that deals with data integrity checks. I needed an example URL to show the importance of checks. In the book, I use the text, "Data integrity is no big deal, don't bother checking" for this Note.
Link to Source
Wed, 07 Feb 2024 16:38:23 -0600
View Profile
Evan Prodromou
evan@cosocial.ca
@scott
both of those, and also that there are not intentional fibs in there. Naive implementations may suffer from cache poisoning attacks.
Link to Source
Wed, 07 Feb 2024 16:52:12 -0600
last edited: Wed, 07 Feb 2024 16:56:03 -0600
View Profile
Scott M. Stolz
scott@loves.tech
So, basically you would need something like:
1. Verification that the server is who they say they are.
2. Verification that the identity is who they say they are.
3. Some way of checking to see if the message was tampered with en route.
Some possible solutions are:
A. Identity proof via public and private keys or some other method, for both the server and the identity. Do not depend on DNS since the DNS cache can be poisoned.
B. Double encrypt messages. First, the platform encrypts the message, and then it sends that message over HTTPS, which encrypts it a second time.
C. Send a checksum or use some other method for verifying that a message has not been tampered with. (Although, if you double encrypt the message, you probably don't need this.)
Link to Source
Thu, 08 Feb 2024 10:20:25 -0600
View Profile
Jordan
jwf@cybervillains.com
@evan
@jwf
@naturzukunft
apropos of nothing, I am a fairly good proof-reader, and quite knowledgeable about ActivityPub.
Link to Source
Conversation Features
Loading...
Conversation Features
Loading...
Login
Magic Sign On
Local Login
Register
Login
Email or nickname
Password
Remember me
Login
Register
Password Reset
Sign On with Magic Sign On
Sign On with Hubzilla
Remote Authentication
Sorry, you have got no notifications at the moment
.
.
.
{2}
{4}
{2}
{10}