#social 2018-05-03

2018-05-03 UTC
puck1pedia, tantek, cdchapman, Guest84, mahmudov, xmpp-social, fr33domlover, vasilakisfil and cjslep joined the channel
cjslep
Hi, I would be curious if others had thought about whether it was possible via ActivityPub inbox forwarding abuse to cause victim servers to spam/DDoS servers (background: https://github.com/w3c/activitypub/issues/295)
Loqi
[cjslep] #295 Delivery to 'followers' clarification
cwebber2 joined the channel
cjslep
Reason being: while there is recursive depth protection for looking for linked objects owned by the server, there is no mention in the spec about protecting from too-wide to/cc/audience fields
cjslep
And what also makes me wonder if it had been thought through is that Example 16 is actually one criterion away from a small scale version of this attack vector
cjslep
If so, please let me know what mitigations are recommended! :)
fr33domlover joined the channel
saranix
cjslep: short answer, no. Your server implementation should not do forwards that do not have permission. The discrete permission for this in hubzilla, for example, is "can forward to all my channel contacts"
saranix
so in your example of popularperson1, popularperson2, etc., only if all of those people gave you permission to post to their channel (like a "forum") will you be able to
saranix
longer answer: yes/probably
saranix
I would imagine that mastodon's notion of follower collection might be exploitable as you say
cjslep
OK, thanks saranix. That gives me some ideas of how I want to proceed with my own lib impl. I'm not familiar with the inner workings of mastodon so I can't elaborate there.
cdchapman, KjetilK_ and tantek joined the channel
nightpool
cjslep: saranix: we are not vulnerable in this way because we do not implement inbox forwarding, as documented on https://activitypub.rocks/implementation-report/
nightpool
(inbox:accept:special-forward and friends)
nightpool
you can read more about that here https://github.com/tootsuite/mastodon/issues/5631
Loqi
[cwebber] #5631 Submit ActivityPub implementation report