Authorized Fetch Circumvented by Alt-Right Developers
Finding a better solution is critical.
We’ve criticized the security and privacy mechanisms of Mastodon in the past, but this new development should be eye-opening. Alex Gleason, the former Truth Social developer behind Soapbox and Rebased, has come up with a sneaky workaround for how Authorized Fetch functions: if the domain your fetches are signed from is blocked, sign them with a key published under a different domain name instead.
How did this happen?
Gleason was originally investigating Threads federation to determine whether or not a failure to fetch posts indicated a software compatibility issue, or if Threads had blocked his server. After checking some logs and experimenting, he came to a conclusion.
“Fellas,” Gleason writes, “I think threads.net might be blocking some servers already.”
What Alex found was that Threads requires signed fetch requests and checks the signer’s domain before serving a resource, a very similar approach to what Authorized Fetch does in Mastodon.
You can see Threads fetching your own server by looking at the `facebookexternalua` user agent. Try this command on your server:
`grep facebookexternalua /var/log/nginx/access.log`
If you see entries there, Threads is fetching your server’s actor documents, which carry the public keys it needs to verify your signatures before it will serve you its data.
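The grep above only tells you that Threads came by. As an added example (not code from the article, Mastodon or Threads), the same check in Python over nginx combined-format lines, grouped by path and status so you can see which documents Threads pulled and whether it got them. The log lines, addresses and paths below are constructed for the example.

```python
import re
from collections import Counter

# nginx "combined" format:
# remote - user [time] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# User agent the article says Threads fetches with.
THREADS_UA = "facebookexternalua"

# Constructed sample lines, not real logs. Line 4 is an ordinary Mastodon
# fetch and must not be counted.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2023:10:00:01 +0000] "GET /users/alice HTTP/1.1" 200 1432 "-" "facebookexternalua"
203.0.113.5 - - [21/Dec/2023:10:00:02 +0000] "GET /users/alice/statuses/111 HTTP/1.1" 200 2210 "-" "facebookexternalua"
203.0.113.5 - - [21/Dec/2023:10:00:03 +0000] "GET /users/bob HTTP/1.1" 200 1390 "-" "facebookexternalua"
198.51.100.2 - - [21/Dec/2023:10:00:04 +0000] "GET /users/alice HTTP/1.1" 200 1432 "-" "http.rb/5.1.1 (Mastodon/4.2.1; +https://other.example/)"
203.0.113.5 - - [21/Dec/2023:10:00:05 +0000] "GET /users/alice HTTP/1.1" 200 1432 "-" "facebookexternalua"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def threads_fetches(log_text: str):
    """(path, status) for every request made with the Threads user agent."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and THREADS_UA in rec["ua"]:
            out.append((rec["path"], rec["status"]))
    return out


def summarize(log_text: str) -> Counter:
    """How often Threads fetched each path, broken down by HTTP status."""
    return Counter(threads_fetches(log_text))


if __name__ == "__main__":
    for (path, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3}  {status}  {path}")
```

Point it at your real access log with `summarize(open("/var/log/nginx/access.log").read())`; actor paths (`/users/<name>`) are the key fetches, anything else is Threads pulling content.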
This one weird trick allowed him to verify that, while his personal instance wasn’t blocked, several of the communities he works with were: Spinster, Neenster, Poast, and the Mostr Bridge are all reportedly blocked domains. While Alex isn’t directly involved in all of these projects, they have benefited from his development and support, providing spaces for bigoted speech to grow and spread.
What’s interesting is that Threads itself has reportedly been lax on policies pertaining to transphobia and hate speech, so the blocks are something of a surprise. Accounts such as Libs of TikTok remain active, widely followed, and unbanned on Threads.
Block Evasion
To get around the block, Alex found that it’s possible to sign fetch requests with a key published under a different domain name entirely, using an A record for that name that points back at the same server. The blocked domain never appears in the signature, yet the remote side can still resolve the alias and fetch the key it needs to verify the request.
Meta seems to be betting on the fact that people have played nicely in the past, but I for one am not going to let them have their way. I am going to ensure the data they publish remains free and open to all…
Tools to work around Authenticated fetch are being shipped with new versions of Fediverse software. Censorship by Meta will create a continued need for this industry to grow.
While this is being framed as a freedom-of-access, freedom-of-speech issue, almost a David-versus-Goliath fight, the real problem is different: there is now an established, shipping way to circumvent the flimsy user protection that Mastodon popularized, and that is bad news for the vulnerable communities relying on it.
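To make the evasion in the Block Evasion section concrete, here is the domain gate reduced to its essentials, as an added example that is not code from the article, Mastodon, Rebased or Threads. It shows the weak check (compare the signing key’s domain against a block list) beside a check that also resolves that domain and compares the address against the blocked domains’ addresses. The domains, addresses, block list and resolver table are all constructed; a real verifier would do a DNS lookup where `resolve` consults a dict, and would verify the signature bytes in a separate step.

```python
import re
from urllib.parse import urlparse

# --- constructed data for the example (not from the article) ------------
BLOCKED_DOMAINS = {"blocked.example"}

# Stand-in for A-record lookups so the example runs offline. In production
# this would be a real DNS query; "alias.example" is the evasion domain,
# an A record pointing at the very host that is blocked.
DNS_A = {
    "blocked.example":  "198.51.100.7",
    "alias.example":    "198.51.100.7",
    "friendly.example": "203.0.113.9",
}

KEYID_RE = re.compile(r'keyId="([^"]+)"')


def key_host(signature_header: str) -> str:
    """Hostname of the keyId URL carried in an HTTP Signature header.

    The keyId is what names where the requester's public key lives, so it
    is the natural hook for a domain block, and also what the evader controls.
    """
    m = KEYID_RE.search(signature_header)
    if m is None:
        raise ValueError("Signature header carries no keyId")
    host = urlparse(m.group(1)).hostname
    if not host:
        raise ValueError("keyId is not an absolute URL")
    return host.lower()


def domain_only_block(signature_header: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Weak gate: refuse only if the keyId host is literally on the list.

    A signer that publishes its key under an alias domain sails through.
    """
    return key_host(signature_header) in blocked


def resolve(host: str, table=DNS_A):
    """Hypothetical resolver; returns the A record or None if unknown."""
    return table.get(host)


def resolved_host_block(signature_header: str, blocked=BLOCKED_DOMAINS,
                        resolver=resolve) -> bool:
    """Hardened gate: also refuse when the keyId host resolves to the same
    address as a blocked domain. Fails closed if the host does not resolve,
    since the key could not be fetched for verification anyway.
    """
    host = key_host(signature_header)
    if host in blocked:
        return True
    addr = resolver(host)
    if addr is None:
        return True
    blocked_addrs = {a for a in (resolver(b) for b in blocked) if a is not None}
    return addr in blocked_addrs


# Constructed Signature headers. The signature value is a placeholder because
# the cryptographic check is a separate step from the domain gate shown here.
def _sig(domain: str) -> str:
    return (f'keyId="https://{domain}/users/admin#main-key",'
            'algorithm="rsa-sha256",headers="(request-target) host date",'
            'signature="AAAA"')


SIG_BLOCKED = _sig("blocked.example")
SIG_ALIAS = _sig("alias.example")      # the evasion: same host, new name
SIG_FRIENDLY = _sig("friendly.example")


if __name__ == "__main__":
    for name, sig in (("blocked", SIG_BLOCKED), ("alias", SIG_ALIAS),
                      ("friendly", SIG_FRIENDLY)):
        print(f"{name:9} domain-only={domain_only_block(sig)!s:5} "
              f"resolved={resolved_host_block(sig)}")
```

The alias passes the domain-only gate and is caught by the resolved-address gate, but treat the latter as a signal rather than a fix: shared hosting and CDNs put unrelated servers behind one address, and an operator who cares can point the alias at a second address. A gate keyed on who the requester claims to be cannot protect data that is published to anyone who asks, which is the article’s point about needing real access controls.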
What Now?
Look, Mastodon has been providing a half-measure to its users for years. Now is the time to make things right: going into 2024, developing more robust privacy options and access controls that actually empower users is going to be a requirement, not a nice-to-have.
Bonfire is doing an incredible amount of research focused on this very problem, and Spritely has put forward some groundbreaking work on Object Capabilities in the recent past.
Actually a decent article. Headline makes it seem like we’re on opposite sides, content shows we’re on the same side.
Alex, are you trying to be a politician now? Why is the author bringing up your former gig over at Truth Social? Smear. They hate you for this and are now labeling you as a way of punishing everyone who dares to stray off the reservation and ‘their’ political (leftist?) dogma.
Right-wing? I don’t know you but you don’t come across as one. Again, a smear.
And Meta/Zuckerbook? Not a single word on their censorship. It’s as if they’re a victim? Gaslighting Exhibit A!
Stand your ground Alex! We need people like you thinking clearly. The hope is that you’ll bless the world with your new Nostr baby and we’ll all benefit from more freedom not less.
Personally, I am glad he did it.