[tantek]I don't think it's right about "only once per instance". plenty of sites (including http://indieweb.org) would be able to handle that just fine
[tantek]I think what's *actually* happening is people's individual Mastodon native mobile clients are requesting & generating the previews and THAT is the cause of the DDOS
[aciccarello]I assume http://indieweb.org is cached well so less of a problem for that site. But there were a couple articles this week about the problem for other sites.
[tantek]to-do << ^ re: [[thundering herd]] / Mastodon in particular: https://gist.github.com/renchap/3ae0df45b7b4534f98a8055d91d52186 (though seems to omit that what may actually be happening is people's individual Mastodon native mobile clients are requesting & generating the previews and THAT (millions of clients) is the cause of the DDOS, not "1000 instances")
sknebel for me this is like yeah it'd be nice if they find a good model to mitigate it, but if your site falls over from it any scraper going wild or a bored teenager with a laptop can take your site down too
sknebel (and talk about "request amplification factors" is IMHO misplaced because it's actually work to set up to a point where you can make use of that and then the fediverse is just too small to make a dent compared to actual (D)DoS attacks)
[tantek]And then defer actual access to other sites to clicking on a link that takes you to a browser that already has lots more privacy precautions built in
[tantek]What's ironic about that gist is that it's ignoring all the existing properties (in AS2 etc) that are already part of the "activity" that serve the role of "preview data"
[tantek]But folks are so cargoculting with OGP = link preview that they're not bothering to step back and ask what it is they're actually trying to implement for the user
aaronpk well the classic debate is whether you want to trust the information from the server where the post is coming from or the actual website that is being linked to
[tantek]That whole "not trust the source" reasoning is dumb because "the source" is what "pushed" the whole activity into your inbox in the first place 🤦‍♂️
sknebel which in centralized systems is based on "I trust the platform to not randomly fake link previews", and on mastodon is then translated to "I trust *my* instance to not fake link previews"
sknebel (now you could argue that not faking previews should just merely be a social code a la "if we catch your instance lying about a preview we'll defederate it", but that's also messy so it makes sense to instead have the instances fetch independently)
[snarfed]sure we can always say git good, provision your server better, etc...but the fact remains that getting linked from a popular fediverse user still often did hurt linked web sites, and that's a real problem, _especially_ if it stays a problem for years and makes publishers end up saying "don't share links on the fediverse" loudly
[snarfed]a different angle is, this specific problem doesn't happen with feed readers, centralized social networks, Bluesky, etc. it's a relatively fediverse-specific drawback. which isn't great
[tantek]ladies & gentlemen & other gentlegenders, this is why we use #indieweb-chat to make wiki edits with < < that include GH issue/PR links. don't be like me, be better