Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.
Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.
But isn’t this already the case?
You make a good point about people still in the closet. That’s an excellent use case for privacy. But I still believe that’s a different issue. And I’m fact this is my great concern: people think they have privacy when they dont so they say things that out themselves (as any kind of minority) accidentally, because they mistakenly relied on the network privacy.
You’re right though, it’s not all-or-nothing, but I do think these are two separate problems that can and maybe should have different solutions.
The type of drive-by harassment you describe is by online randos, not in-person. For those situations, is it not enough that you remain oblivious to the attempted harassment? If a bigot harasses in a forest and nobody is around to hear it, did they really harass?
The problem is, there are plenty of other people around to hear it. Everyone else except the harassed person can see it, and on top of that, the fact that harassment is trivial to do, and not policed, ensures that more harassers will come along. Each one having to be blocked one by one by the people they’re harassing, after the harassment has already taken place.
As I said earlier, this is how twitter does things, and there is a reason that vulnerable folk don’t use twitter anymore.
No, it isn’t, because right now, local only posting, follower only posting, authorised fetch, admin level instance blocks etc, all combine to make it non trivial for harassers. If you’re familiar with the “swiss cheese defence model”, that’s basically what we have here. Every single one of those things can be worked around, especially by someone dedicated to harassing folk, but the casual trolls and bigots, they won’t get through all of them. The more imperfect security, anti harassment and privacy options we have, the harder it is for casual bigots.
I’m familiar with the Swiss cheese model and you make a good point.
But even still, I think what we have now is insufficient, has other negative side effects too, and I don’t see a good path to make it sufficient.
I was initially lamenting that social networks currently do a terrible job (dangerously negligent job) setting user expectations wrt privacy (or lack thereof). It’d be nice if social networks were upfront about the lack of privacy, and made the limitations of their tools inherently obvious. Sorry if it seems like I keep shifting goalposts, I keep changing the direction of the conversation as you give me interesting things to think about and discuss.
I’m not suggesting that we copy Twitter’s model for anti-harassment, especially since The Idiot took it over.
I’m suggesting that, rather than just double down on what exists now, you do a thought experiment with me where we explore a radical rethink of anti-harassment, and what it might look like if we don’t try to use privacy tools to accomplish it. I’m not convinced that there is no reasonable solution possible. Although the details would probably depend significantly on the type of social network (for example: microblogging vs reddit-like).