#social 2020-02-14

2020-02-14 UTC
ajordan, sl007, jess, cwebber2 and BitBot joined the channel
#
lanodan
Trying to federate link previews to avoid each node fetching the data, is Link with "preview" being a Page the right way or should it directly be a Page?
#
lanodan
cwebber2: ^
#
lanodan
(putting the whole thing into attachment of the Object btw)
#
jaywink[m]
lanodan (IRC): there is a good reason to fetch link previews on each node. Otherwise you're trusting the sender about content of a third-party site.
#
jaywink[m]
opens all kinds of nice attack vectors on spoofing content of third-party sites
#
lanodan
And how is this an issue, link previews are already untrustable
#
lanodan
(one could have evil.site look like facebook.com)
#
aaronpk
no it's about the other direction
#
jaywink[m]
sure but I can't make evil.site look like twitter.com :)
#
aaronpk
i could send you a link preview with completely different content than what you click through to see
#
jaywink[m]
in the preview
#
lanodan
Same shit, OpenGraph isn't trustable
#
aaronpk
sure it's not trustable right now, but the difference is the site author makes that decision
#
aaronpk
rather than the person linking to the site
#
lanodan
It's the same as <a href="//evil.site">facebook.com</a>
#
aaronpk
no it's not
#
aaronpk
facebook used to let you change the text in a link preview
#
lanodan
What's the worst, trusting a post author or having 1000+ nodes all fetching a post at the same time?
#
aaronpk
they had to shut it down because people were abusing it
#
aaronpk
i don't think it's a good idea to re-create that behavior
#
jaywink[m]
> <@irc_lanodan:cybre.space> What's the worst, trusting a post author or having 1000+ nodes all fetching a post at the same time?
#
jaywink[m]
depends, do you value scalability or content being reliable
#
lanodan
Then I'd rather pull off link previews from pleroma.
#
aaronpk
maybe nodes shouldn't be fetching the link preview until they actually need to, such as when someone views the post instead of when the post is created
#
jaywink[m]
I'd value content being reliable to users
#
lanodan
this isn't scalability, this is not abusing the network
#
aaronpk
fetching it when needed would be more like..how browsers work
#
lanodan
Also your idea doesn't work since mastodon exists basically.
#
aaronpk
the problem is that 1000+ instances of mastodon fetch a link as soon as they become aware of the post
#
aaronpk
so maybe fix mastodon instead of adding more crap to the protocol
#
lanodan
There is streaming of the timeline so a post is basically considered always viewed by at least one person tbh
#
aaronpk
only on popular instances
#
lanodan
I'll not fix mastodon, I'll fix pleroma because it does the same shit.
#
aaronpk
so sure maybe there's like 50 instances where that's true, but the other 950 would not need to fetch every link to make the preview
#
lanodan
Anyway, pleroma does the fetching when the status view is rendered, not the slightest idea what mastodon is actually doing.
#
lanodan
So again: Do we just pull off link previews from the fediverse because muh 3rd-party trust or do we pull off this garbage?
#
lanodan
Also fediverse allows you to do <a href="//evil.site">facebook.com</a> for fucking ages and still does, only tootsuite/mastodon makes it a bit hard.
#
aaronpk
that's a different problem
#
aaronpk
the problem with link previews is someone can make it look like there is something totally different on the website
#
aaronpk
it's not just a fake link, it's a link *preview*, where the content is faked
#
jaywink[m]
probably not the reason to create new problems because other problems exist
#
lanodan
The problem of false link preview content already exists anyway.
#
aaronpk
because the site author can put whatever they want there?
#
aaronpk
that's also different
#
lanodan
How is it different? Basically everyone willing to can do it, I've seen it multiple times with tumblr and wordpress thanks to the themes and their editability.
#
aaronpk
it's a question of someone else making it look like a website has fake content, vs a website owner faking the content on their own website
#
aaronpk
very different incentives there
#
jaywink[m]
it's different because I can't spoof your site, only you can make your site look like something else
#
aaronpk
with editable link previews, 100 people can put fake content on the link preview for example.com, whereas with fetched link previews only example.com can put fake content in the preview
#
jaywink[m]
like sending a preview to another node pointing to a Pleroma release post and making the content say "Project is being ramped down"
#
aaronpk
is there supposed to be something there?
#
aaronpk
i just get blank space under "Conversation" and there's a bunch of JS errors in the console https://i.imgur.com/vVMsZ0S.png
#
lanodan
Ah sorry, my instance is not in public mode, will fix.
#
aaronpk
that seems like not a great failure mode :)
#
lanodan
Yeah, frontend needs to be fixed.
#
lanodan
there fixed
#
aaronpk
lol nice
#
jaywink[m]
that doesn't change why it's still a bad idea to trust remotely given content previews :)
#
aaronpk
indeed
#
jaywink[m]
if you have an issue, why create another one?
#
lanodan
Also this one can federate, didn't need to hack my instance at all.
#
aaronpk
the first reply is an example of one way to counteract that tho
#
aaronpk
whatever that client is shows your fake URL
#
jaywink[m]
files an issue on Socialhome tracker 😅
#
lanodan
Yeah, might need further hacks in the URL like RTL overrides but still.
#
lanodan
With this one remote preview or not, you basically get the same thing.
#
lanodan
Haha even better
#
jaywink[m]
adding the domain to the preview is a pretty good mitigation tho
#
lanodan
Yeah, will fix this one in mastodon, then I would have to get a domain like joinmastadon.org
#
lanodan
Or something fun with unicode in domains
#
lanodan
*will fix this one in pleroma (weird brainfart there)