Notices by Terence Eden (edent@mastodon.social)

Mastodon enforces a "noreferrer" on all external links.

I have mixed feelings about that.

As a blogger, I want to see *where* visitors are coming from. I also like to see (and sometimes join in) with the conversations they're having.

But, I get that people want privacy and don't want to "leak" where they're visiting from.

Is it such a bad thing to tell a website "I was referred from this specific server"?

Two years later.

Want to know one of the major reasons Mastodon didn't catch on with journalists and large website owners?

It is *invisible* in referrer statistics.

Here's my blog from the last month.

BlueSky now sends me more traffic than Bing.

How much traffic does Mastodon send? It is impossible to know due to the "noreferrer" header in all links.

(I'm not saying your privacy isn't important. But you can't grow a community if no-one knows you exist.)

This #Caturday, I'm remembering Busby - the Dark Terror.

https://shkspr.mobi/blog/2020/11/a-visitation-of-long-gone-cats/

@Gargron ah! The actor, not the WebFinger?
Thanks.

What are the *technical* steps behind moving a Mastodon account?

I understand how to do it from a user perspective (https://docs.joinmastodon.org/user/moving/#move) but what does the new server need to do?

Is it as simple as adding an "aliases" to the webfinger?

#MastodonAPI #ActivityPub

@foone I built one 😄
https://shkspr.mobi/blog/2020/09/a-floppy-disk-mp3-player-using-a-raspberry-pi/
It was impressively awful.

@Gargron @bruno Interesting! It's always fun to see what happens to early posts. I've got some on Twitter which have been badly mangled over the years.

Is there a good way to convert embedded Tweets into static content?

I've got loads of Twitter content embedded on my WordPress blog. For obvious reasons, I'd like to reduce my reliance on Twitter's API.

Does anyone have a tool that I can feed a URl and it will give me an image of a Tweet + alt text?

(Looking for personal experience. I know how to use a search engine.)

Here's a list of everyone standing for election who has a Mastodon account:

https://candidates.democracyclub.org.uk/numbers/election/parl.2024-07-04/completeness?has_mastodon_username=yes

Only 11 candidates so far.

If you know of any others, please add it to their candidate page.

If you know of anyone standing, please encourage them to join the Fediverse.

#UKPolitics #GE2024

It *is* a genuine notification. But it isn't confirming the bank is calling you.

Should the bank word that differently?

In a rush, would you read it thoroughly?

Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

3/3

The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank send you the notification.
You accept, and scammers proceed to drain your account.

Someone has just lost £18,000 because of this.
https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/

2/3

You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification This is what you see.

Still think it is a scam?
1/3

Wondering what the world would look like if we implemented "Universal Basic Website".

Entitle everyone to their own domain, a few GB of space, the ability to run simple apps / blogs / etc.

What does the world look like if people aren't beholden to Flickr / Facebook / Google Photos to share their family albums?

#UBI

@erincandescent @evan @Gargron

I'm sorry if I'm being thick (and feel free to tell me) - but...

I get a signature with a keyID of `evil.com/evil#sig`

I get the public key from evil.com

I verify the time, digest, and signature all match.

The body of the message says actor example.com/edent Creates...

When / how do I then check that edent's public key is the same as the one in the keyID?

@Gargron @evan
I see. So both need to be verified?

Or, to put it another way, the location of the key should be taken from the actor, not the signature header?

Another #ActivityPub question about verifying signatures.

A header contains:
`keyID="example.com/user/1#main-key`

But the body of the message might have:
"actor": "example.com/user/2"

How do I check that that message has been signed by the actor in the body?

The URls might not be in the same format. So I guess back to webfinger to request the key from the actor - ignoring the one provided in the header?

🆕 blog! “A simple(ish) guide to verifying HTTP Message Signatures in PHP”

Mastodon makes heavy use of HTTP Message Signatures. They're a newish almost-standard which allows a server to verify that a request made to it came from the person who sent it. This is a quick example to show how to verify these signatures using P…

👀 Read more: https://shkspr.mobi/blog/2024/02/a-simpleish-guide-to-verifying-http-message-signatures-in-php/
⸻
#ActivityPub #cryptography #http #mastodon #security

@evan but how do I test that?

If the keyID is "example.com/keys/123456" that might lead to a fake page which claims to be from the user in the body.

(Feel free to tell me I've overthinking this.)

@Gargron Yet another thing for me to try and fix if I ever get any spare time!

Nerdy #ActivityPub and #oEmbed question.

Why can't I send an "Accept: application/json+oembed" request to a URl to receive the oEmbed version?

Instead, I have to request the full page, look for the <link>, parse that, then request the oEmbed.

Seems inefficient - but am I missing something?