Security isn’t about protecting everything from everything. It’s knowing what you’re protecting from what (and what you’re not protecting). That’s why we use threat models.

An analogy: you don’t protect food from the environment; you protect different types of food from different factors of the environment. You might design a heat lamp to protect the freshness of your dinner but a freezer for your ice cream. What you don’t do is design a heat lamp and assume it’ll protect your ice cream also.


Do you know of any threat models for anything in the fediverse?


@bhaugen On the fediverse, in its current incarnation at least (if we’re talking about ActivityPub), there is no expectation of privacy. Everything is public. I don’t know if there’s a formal threat model of ActivityPub in the spec (it’s been a while since I looked at it).

I don't see any mention of "threat" in the spec. But I assume you know that @cwebber is working on AP-related code that is aimed partly (but not only) at privacy:

Threat model? Sorta informal, list of problems...

@aral @bhaugen ActivityPub, from the spec perspective, *IS NOT* everything is public. That's a common misunderstanding due to the most popular instance being a Twitter clone. But that's false. ActivityPub's origins come from trying to bring email-like private addressing (to the extent email really is private) to the fediverse, with public stuff being a special exception.

And that's not even to consider the current stuff I'm exploring in Spritely, which is taking some of that further.

@cwebber @bhaugen When I said “everything is public”, I meant it in the same way that email is public (it’s a post card, not a letter in an envelope). I should have been more precise: it’s not end-to-end encrypted and thus does not have any privacy guarantees. I believe you’re working on that with Spritely? (Skimmed.)

@aral @bhaugen I am working on that.

It's a common meme though, and it's not just you. I agree that email is not good enough. The thing that annoys me is that there's a lot of imprecision and it sounds like AP is even *less* directed than email (one exception I will agree with is sharedInbox being a problem, but in a sense delivering to specific inbox endpoints is even more direct than email)

@aral still, both email and ap's "privacy guarantee" is the same: your messages will be private to the servers that receive them. that doesn't preclude the "rogue admin" threat model, but it doesn't make either "public" per se.

even if your measuring stick for privacy is e2ee, you're basically making the mistake of equivocating existing implementations with the spec itself. pgp exists for email, but hasn't been done yet for ap. it's like saying xmpp is public despite omemo

@cwebber @bhaugen

Sign in to participate in the conversation
Aral’s Mastodon

This is my personal Mastodon.