• davel [he/him]@lemmy.ml · 6 up / 1 down · 8 months ago

    Surprisingly, Reddit is NOT on the list.

    If they’re slurping all these other sites, I highly doubt they’re not slurping Reddit, too, even if it’s not on the list.

    Fediverse (likely ActivityPub - possibly DMs between servers)

    They would have to hack the individual servers to get at the DMs, because they’re encrypted in transit. All the public stuff is trivial to scrape.

    • arotrios@lemmy.world · 2 up · 8 months ago

      They would have to hack the individual servers to get at the DMs, because they’re encrypted in transit. All the public stuff is trivial to scrape.

      Nope, ActivityPub DMs are not encrypted between servers. If it’s on the feed, it’s public, or at least it was as of six months ago. I found this out when I attached a Wordpress site to a Mastodon instance and suddenly found I could read anyone’s DMs to users on other servers. Totally unencrypted. I actually paused development and working with ActivityPub because of it.

      This doesn’t mean that messages to users on the same server are necessarily exposed, but the potential is there if you don’t have a filter for local publishing only engaged on your Mastodon instance.

        • davel [he/him]@lemmy.ml · 5 up · 8 months ago

        ActivityPub DMs are not encrypted between servers

        It is insofar as TLS/SSL/HTTPS encryption is used in transit. That’s what I mean by encrypted in transit.

        i could read anyone’s DMs to users on other servers

        If you’re an administrator for (WordPress) ActivityPub server A, you can see all the DMs coming to and leaving from your server, yes. And they’re not encrypted at rest, so you can read them any time. But how would you see DMs going between server B and server C, when your server isn’t involved in the transaction?

          • arotrios@lemmy.world · 3 up · edited · 8 months ago

          It apparently scrapes everything on the public feed. So when I subscribed to users on Mastodon server A from Wordpress, DMs from Mastodon server A going to Mastodon server B became visible.

          I had a separate account on Mastodon server A to confirm that I couldn’t see these DMs as Mastodon user on server A, and that the Wordpress scrape was grabbing messages normally not meant for public view.

          This was using the ActivityPub plugin for Wordpress about six months ago.

          EDIT: I should be clear that I was as surprised as the other commentators that the DMs weren’t encrypted and that I could see them at all through third-party software. I did NOT see DMs between local users - only cross-instance.
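The thread above turns on one mechanism: ActivityPub has no end-to-end encryption, so a DM is just a Create/Note whose `to`/`cc` fields name individual actors instead of the Public collection, and any software that mirrors an inbox onto a public page without checking that addressing will leak it. The following is an added example, not code from any commenter nor from the Mastodon or WordPress ActivityPub projects. It implements the "filter for local/public publishing only" check the second commenter mentions, using Mastodon's addressing convention: Public in `to` means public, Public only in `cc` means unlisted, the author's followers collection without Public means followers-only, and anything else is a direct message. The Public aliases are the ActivityStreams constant and the short forms Mastodon accepts; the followers-collection URI and the sample activities are constructed for illustration.

```python
"""Classify ActivityPub activities by audience before exposing them on a feed.

Added example: not code from any commenter or from the Mastodon/WordPress
projects. The followers-collection URI and sample activities are constructed.
"""

# The ActivityStreams Public collection plus the aliases Mastodon accepts.
PUBLIC_ALIASES = {
    "https://www.w3.org/ns/activitystreams#Public",
    "as:Public",
    "Public",
}


def _as_list(value):
    """Normalise an addressing field: absent -> [], str -> [str], list -> list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def audience(activity):
    """Collect `to` and `cc` recipients from the activity and, when the
    activity wraps an object (a Create carrying a Note), from that object too.
    Addressing can legitimately appear on either, so both are merged."""
    holders = [activity]
    obj = activity.get("object")
    if isinstance(obj, dict):
        holders.append(obj)
    to, cc = set(), set()
    for holder in holders:
        to.update(_as_list(holder.get("to")))
        cc.update(_as_list(holder.get("cc")))
    return to, cc


def classify_visibility(activity, followers_collections):
    """Return 'public', 'unlisted', 'followers' or 'direct'.

    followers_collections: the followers-collection URIs of actors we know,
    taken from each actor object's `followers` property (here supplied by the
    caller, constructed in the sample below)."""
    to, cc = audience(activity)
    if to & PUBLIC_ALIASES:
        return "public"
    if cc & PUBLIC_ALIASES:
        return "unlisted"
    if (to | cc) & set(followers_collections):
        return "followers"
    # Only individual actor URIs remain: this is a DM and must never be mirrored.
    return "direct"


def filter_for_public_feed(activities, followers_collections, allow_unlisted=False):
    """Keep only activities whose addressing makes them public. This is the
    check a bridge or plugin needs before mirroring an inbox onto a public page."""
    allowed = {"public"} | ({"unlisted"} if allow_unlisted else set())
    return [a for a in activities
            if classify_visibility(a, followers_collections) in allowed]


# --- constructed sample data (not real instances or real messages) ---
ALICE = "https://mastodon.example/users/alice"
BOB = "https://other.example/users/bob"
ALICE_FOLLOWERS = ALICE + "/followers"
KNOWN_FOLLOWERS = {ALICE_FOLLOWERS}


def _create(note_id, to, cc):
    """Build a minimal Create/Note activity with addressing on both layers."""
    return {
        "type": "Create", "actor": ALICE, "to": to, "cc": cc,
        "object": {"type": "Note", "id": note_id, "attributedTo": ALICE,
                   "content": "sample", "to": to, "cc": cc},
    }


SAMPLE_ACTIVITIES = [
    _create("n1", ["https://www.w3.org/ns/activitystreams#Public"], [ALICE_FOLLOWERS]),
    _create("n2", [ALICE_FOLLOWERS], ["as:Public"]),
    _create("n3", [ALICE_FOLLOWERS], []),
    _create("n4", [BOB], []),  # the DM case from the thread: only an actor URI
]


def sample_feed():
    """What a correctly filtering mirror would publish from the sample inbox."""
    return [a["object"]["id"]
            for a in filter_for_public_feed(SAMPLE_ACTIVITIES, KNOWN_FOLLOWERS)]


if __name__ == "__main__":
    for a in SAMPLE_ACTIVITIES:
        print(a["object"]["id"], classify_visibility(a, KNOWN_FOLLOWERS))
    print("public feed:", sample_feed())
```

The design point is that the addressing fields are the only visibility signal a remote server gets; the transport is TLS, so "encrypted in transit" holds, but once the JSON is in an inbox every admin of that server, and every plugin that reads the inbox, sees the plaintext. A mirror that publishes everything it receives is the failure mode described in the thread; dropping anything classified `direct` (and, by default, `followers` and `unlisted`) is the fix.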