How much of fediverse security is just like… reacting in the moment when there is a problem and hoping that you don't break everything?

How much of fediverse security is just like… reacting in the moment when there is a problem and hoping that you don't break everything?

@hrefna how is this different from normal security at a lot of places?

like... wordpress security

or twitter security

or IRC security

or matrix security

There's an entire story here, but it isn't the one that I think most people will analyze.

https://socialhub.activitypub.rocks/t/apparently-there-is-a-way-to-get-to-know-the-fediverse-instance-hosting-ip-even-if-we-are-behind-proxy-like-cloudflare-can-it-be-improved/3986

This needs to start with "what is your threat model" followed by an analysis of how your system interacts.

The topline result: If you want to obscure your IP address, simply proxying via cloudflare is not going to do that for you

The actual problem: If you want to obscure your IP address, you need to be thinking about how features like signatures interact beforehand

@risottobias It's night and day different.

Just to start with: Matrix has an entire documented threat model (https://spec.matrix.org/v1.6/appendices/#security-threat-model) and makes decisions consistent with that model.

I can tell you what they care about, what mitigations are in play, and that they've thought about this sort of question in some depth.

You also need to think about _every outgoing connection_ and whether it reveals anything.

This was my same comment as the idea that "hosting media locally is to prevent clients IP addresses from leaking."

Which is fine but if that's what you care about then local media caching is neither necessary nor sufficient, and we need a much deeper conversation about what it means to hide that information because that's not the only spot where that information will leak.

@[email protected] I think by default any sort of software doesn't get built with an expectation that the origin IP will not be leaked. You can't really enforce that easily unless you're in control of the entire deployment stack.

For example, I create forum software for others to deploy. I can ask they they run all their outgoing requests through a proxy, but I can't enforce that.

Leading a horse to water, and all...

@julian Yeah, this is my assumption as well. There's very little you can do to force this matter, and there's a lot of complexity in preventing server software from revealing this, so it isn't something your software can assume.

You can make it easier to hide that information, you can make it easier to use proxies etc, but you can't expect the software to do this for you. Installed software simply operates at the wrong level for that.