silverpill (@silverpill@mitra.social) · 3 months ago

Added new requirements to FEP-fe34:

https://codeberg.org/fediverse/fep/pulls/672

Previously the FEP put the burden of C2S validation solely on the originating server (producer), but I think it would be better to do corresponding security checks on the consumer side too:

- When fetching an object: verify that Content-Type includes one of the AP & AS media types.
- When verifying a signature: also perform same-owner check and verify key ownership.

Both are already considered good practices in the Fediverse.

I also attempted to clarify how fetching from origin (authentication) is related to access control (authorization).

#fep_fe34

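As an added illustration of the two consumer-side checks proposed above (not code from the thread or from FEP-fe34; the domains, document shapes and function names are constructed assumptions), here is what a fetching/verifying server could run before trusting a remote document or signature:

```python
# Added example (not from the thread or FEP-fe34); domains are constructed.
from email.message import Message
from email.utils import collapse_rfc2231_value
from urllib.parse import urlsplit

AS_PROFILE = "https://www.w3.org/ns/activitystreams"

def is_activitypub_content_type(header):
    """Accept only the AP/AS media types: a document served as text/html or
    application/json (e.g. a user upload) must not be taken for an actor."""
    msg = Message()
    msg["Content-Type"] = header
    media_type = msg.get_content_type()  # lowercased; 'text/plain' if unparsable
    if media_type == "application/activity+json":
        return True
    if media_type == "application/ld+json":
        profile = collapse_rfc2231_value(msg.get_param("profile", ""))
        return AS_PROFILE in profile.split()  # profile may list several URIs
    return False

def origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()

def key_is_owned_by(key_id, key_doc, actor_doc):
    """Ownership in both directions, within one origin: the key names the actor
    as owner, the actor lists that key, and key, owner and actor share an origin."""
    owner = key_doc.get("owner") or key_doc.get("controller")
    actor_id = actor_doc.get("id")
    if not owner or owner != actor_id:
        return False
    listed = actor_doc.get("publicKey") or []
    listed = listed if isinstance(listed, list) else [listed]
    listed_ids = {k.get("id") if isinstance(k, dict) else k for k in listed}
    return key_id in listed_ids and origin(key_id) == origin(owner) == origin(actor_id)

def same_owner(signer_actor_id, obj):
    """The signed object's author (actor / attributedTo) must be the signer."""
    author = obj.get("actor") or obj.get("attributedTo")
    if isinstance(author, dict):
        author = author.get("id")
    return author == signer_actor_id

# Constructed sample data: a genuine actor, and a key document on the media
# host that merely claims the same owner (the actor never lists it).
ALICE = "https://example.social/users/alice"
ALICE_KEY = ALICE + "#main-key"
ALICE_DOC = {"id": ALICE, "publicKey": {"id": ALICE_KEY, "owner": ALICE}}
UPLOAD_KEY = "https://files.example.social/uploads/actor.json#main-key"
UPLOAD_DOC = {"id": UPLOAD_KEY, "owner": ALICE}
```

The key check is deliberately bidirectional: a key document that names an actor as its owner proves nothing until that actor's own document lists the same key id.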
silverpill (@silverpill@mitra.social) replied · 2 months ago
@tesaguri What do you think about the recommendations given in FEP-fe34? ^

GHSA-jhrq-qvrm-qr36 is written as if Mastodon is guilty because it didn't check the Content-Type header. However, I think we should blame the servers that failed to validate uploaded documents, because it is their actors that get impersonated.

tesaguri 🦀🦝 (@tesaguri@fedibird.com) replied · 2 months ago
@silverpill Actually I didn't think Mastodon was to blame either. I asked them to word the GHSA that way only because my report to the editors of the ActivityPub spec was not public yet, so I was not comfortable publicly calling it a problem of AP in general.
Emelia (@thisismissem@activitypub.space) replied · 2 months ago

Re: Added new requirements to FEP-fe34:

I'll have to give this a full read later, but I think this would be a good candidate for the newly formed ActivityPub API taskforce (it's still being fully set up, but Evan and I are the co-leads on it).

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate