Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    11 months ago

    I still could use an ELI5 about what this authorized fetch feature was supposed to do. Was it supposed to basically disengage the Mastodon network from Threads? To stop Threads crap from showing up on Mastodon? Or to stop Mastodon discussions from showing up in Threads? Or something different?

    • Kierunkowy74@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      11 months ago

      Authorised Fetch existed long before Instagram Threads. When it is turned on, an instance will require any other server to sign their request to fetch any post. This prevents “leaking” of posts via ActivityPub to blocked instances.

      This setting is turned off by default, because some software are incompatible with it (like /kbin, Pixelfed before June 2023, maybe Lemmy too), because it makes server load higher, and it may make some replies missing (at least on microblogging side).