Has anybody thought about modelling #activitypub with a tool like https://alloytools.org/book.htmlto find potential exploits?
-
Has anybody thought about modelling #activitypub with a tool like https://alloytools.org/book.html
to find potential exploits? Thinking about the spec it’s missing any algorithms for authorization, but I already found a couple of edge-cases that make a server DoSssable or give an attacker the ability to spoof messages … -
? Guest crossposted this topic to General Discussion
-
T tag-activitypub@relay.fedi.buzz shared this topic
-
Has anybody thought about modelling #activitypub with a tool like https://alloytools.org/book.html
to find potential exploits? Thinking about the spec it’s missing any algorithms for authorization, but I already found a couple of edge-cases that make a server DoSssable or give an attacker the ability to spoof messages …@Profpatsch I don't know Alloy, but I tried to analyze how authorization should be done in ActivityPub. The result is this document:
-
@Profpatsch I don't know Alloy, but I tried to analyze how authorization should be done in ActivityPub. The result is this document:
@silverpill does the http signature not contain the domain of the requesting server and if yes, can't it be used to compare origins after the signature check?
-
@silverpill does the http signature not contain the domain of the requesting server and if yes, can't it be used to compare origins after the signature check?
@Profpatsch Yes, the signature contains key ID, from which you can obtain actor ID and perform origin / ownership checks.
-
@Profpatsch Yes, the signature contains key ID, from which you can obtain actor ID and perform origin / ownership checks.
@silverpill I mean ideally we already have a cache from the corresponding server key to its origin, so we don’t have to do a https resolution on every incoming message
-
@silverpill I mean ideally we already have a cache from the corresponding server key to its origin, so we don’t have to do a https resolution on every incoming message
@Profpatsch I believe most implementations do that. My server re-fetches a key only if the cached key is 1 day old, for example.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login