mastodon PSA 

The admins of instances where you have followers can read your followers-only posts. They can read your DMs to people on their instances. Not via the web UI, but they have database access.

This is not a bug, this is the trust model that Mastodon uses: you have to trust admins of instances you interact privately with to not read your posts.

(The bug going around is a bug because it doesn't involve a malicious admin, and it leaks data to a non-admin.)

mastodon PSA 

To be clear, this is still a better situation than centralised platforms: if you don't trust Twitter, then you cannot use the platform at all. The only way to defederate from the Twitter admins is to delete your account.

Show thread

mastodon PSA 

Mastodon does encrypt your posts between clients (browser/app) and Mastodon servers. It also encrypts your posts between your Mastodon server and other Mastodon servers. But your post is decrypted and re-encrypted for each hop.

This provides protection against people other than the admins of the servers reading these messages (your ISP, other people on your WiFi network, the CIA, etc.), but not the admins.

For that, Mastodon would need to implement end-to-end encryption.

Show thread
Follow

mastodon PSA 

With end-to-end encryption, your client would encrypt your post so that only the intended recipients can decrypt it before sending it to your Mastodon server. It remains encrypted until it reaches the client of your intended recipient, who then decrypts it and reads it.

This adds a lot of constraints to a system, and is not easy to implement. I'm not going to pretend to be an expert on it, so here ends the thread, lol

Sign in to participate in the conversation

Hometown is adapted from Mastodon, a decentralized social network with no ads, no corporate surveillance, and ethical design.