@thisismissem FYI: German @bsi conducted research on Mastodon security; these are the findings: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/P486-Codeanalyse/Mastodon-SoM-Blogging-Software.pdf?__blob=publicationFile&v=3
The announcement reads "As part of the CAOS 2.0 project, we checked the security features of the Matrix and Mastodon software and informed the developers of critical vulnerabilities. They have already analyzed the gaps and responded.":
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Projekt_CAOS_20_240702.html
-
@sl007 @thisismissem @bsi In addition, the article https://www.heise.de/meinung/Interview-Grosse-Bedenken-auf-Mastodon-zu-setzen-aus-technischer-Sicht-7477138.html also mentions that the Redis library used does not support TLS.
Surprised this is not mentioned as E8.2.
Maybe because there is already an issue about it at https://github.com/mastodon/mastodon/issues/19824
This delay in development is eventually an aftersight, due to resource constraints.
Which reminds us of the general lack of financial support for #maintainers all around #FLOSS land and the impact of this on #security.
-
Emelia replied to jon
@yala @sl007 @bsi Is that the Redis library in streaming or in Rails? Because we've just done a bunch of work on improving that.
Sounds like it's Rails, due to hiredis; I believe we might be trying to move away from that. Yeah, we have two Redis clients: ruby and hiredis, and ruby is now the default (looking at 4.3).
-
Emelia replied to Emelia
@yala @sl007 @bsi we do also have some issues with TLS in the streaming server for postgresql and redis, where you need to provide the certificate and do client / server name verification stuff, which isn't implemented by the underlying libraries: https://github.com/mastodon/mastodon/pull/31667
-
Michael Stanclift replied to Emelia
@thisismissem @yala @sl007 @bsi hiredis is still the default in 4.3, but it's possible to switch using https://docs.joinmastodon.org/admin/config/#redis_driver
-
Emelia replied to Michael Stanclift
@vmstan @yala @sl007 @bsi oooh, I misread this line: https://github.com/mastodon/mastodon/blob/main/lib/mastodon/redis_configuration.rb#L36
-
@thisismissem I didn't know it's a separate Node application instead of another Rails command.
Given the few files and possibly LoC in streaming/ of the repo, wouldn't this perform even faster using a compiled language? Probably not worth the effort.
Unfortunately there's no README in that directory, which could help explain what this implementation does and how it is being used.
This link is a bit short on details, but no other place in the docs mentions it:
https://docs.joinmastodon.org/methods/streaming/#streaming-server
-
@yala Yes, eventually having the streaming server written in something like Go or Rust would be nice (I forget which the Mastodon team preferred); however, it's about 4000 LoC, the functionality wasn't well defined, and there isn't good unit or integration test coverage.
Most of my work on the streaming server over the last 20 months has been to refactor the code to make it possible to rewrite it later in another language.