virtuous_sloth,
@virtuous_sloth@cosocial.ca

Hey @coop, has anyone seen anything like this?

I decided to see what Googling my handle would return and after hitting a few on our server I got this URL which seems to be an imperfect mirror of my profile here.

https://atomicpoet.org/users/$AUnO2tvWcP1nsQHDRg

thisismissem,
@thisismissem@hachyderm.io

@virtuous_sloth @atomicpoet hey, isn't this your server? Seems like you're serving up third-party posts to users without authentication. Not only does this mean privacy issues for those remote users & duplicate content in search indexes, it also importantly means: any illegal content that might reach your instance is now served publicly by your instance on your domain

thisismissem,
@thisismissem@hachyderm.io

@virtuous_sloth @atomicpoet e.g., if CSAM or terrorist content reached your server, you're currently serving it, and having it indexed by search engines, and therefore certainly liable for it.

atomicpoet,

@thisismissem @virtuous_sloth Thanks for the heads-up. I’ve only had one person complain about this, and I purged them from my instance. I also defederate any servers serving CSAM and illegal content. However, since I don’t know who is going to send illegal content until they do it, I’ve taken the step to remove the viewing of content from unauthenticated users.

thisismissem,
@thisismissem@hachyderm.io

@atomicpoet @virtuous_sloth cool, so this issue should be fixed on your server — was this a setting in Pleroma? Maybe there's an issue that needs to be opened up to never serve cached content from remote actors without authentication?

atomicpoet,

@thisismissem @virtuous_sloth Yeah, it's a Pleroma server setting. By default, all posts are public. I have to manually go into MRF to change this.

thisismissem,
@thisismissem@hachyderm.io

@atomicpoet @virtuous_sloth yikes.. that sounds like a terrible default.

boris,
@boris@cosocial.ca

@virtuous_sloth anyone that follows you, their server potentially caches some of your posts on their server

Depending on the server cache settings, it will cache your posts local to their server.

Our own servers cache for 7 days? @mick there's a difference between media and posts I think?

That other server is a Pleroma install, a different but compatible ActivityPub microblogging server

@coop

virtuous_sloth,
@virtuous_sloth@cosocial.ca

@boris @mick @coop I get that my posts would be cached on many servers due to followers being on those servers so that they can be added into various timelines.

What is much less obvious is having a pseudo-profile of only my posts under a URL like that. Weird

boris,
@boris@cosocial.ca

@virtuous_sloth

Here's an example link of me on another server https://cosocial.ca/deck/@boris@toolsforthought.social

If you're logged into CoSocial, that will load my profile and you can browse the whole thing.

If you're not logged in, it should redirect to the remote profile (try it in an incognito browser window)

I guess Pleroma doesn't do that, but it SHOULD, precisely because of the indexing thing.

@mick @coop

mick,
@mick@cosocial.ca

@boris @virtuous_sloth @coop right.

That server does behave differently than Mastodon, which won’t display the locally-stored version of your profile to non-local users.

That is rather odd. They’re more-or-less indexing the entire Fediverse for public display.

evan,
@evan@cosocial.ca

@mick @boris @virtuous_sloth @coop that seems kind of nuts. The remote server should probably only show those imported profiles to logged in users, and redirect everyone else. Also, the remote software isn't telling Google not to index those pages.

thisismissem,
@thisismissem@hachyderm.io

@evan @mick @boris @virtuous_sloth @coop that'd be the correct thing to do.

This dramatically increases a server owner's liability otherwise, as any harmful content like CSAM reaching their instance would now be served as if it was from their instance.

The cache is for your users, to make their experience faster, not for the unauthenticated public & for search crawlers
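
The behaviour discussed in this thread (cached remote profiles shown only to logged-in local users, everyone else redirected to the home server, and nothing offered to search crawlers), as an added Python example. It is not Pleroma or Mastodon code and not from any poster; `LOCAL_DOMAIN`, `Actor`, `Response`, `redirect_target` and `serve_profile` are hypothetical names, and the sample domains are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

LOCAL_DOMAIN = "social.example"  # assumption: the domain this server runs on

@dataclass(frozen=True)
class Actor:
    handle: str         # "user@domain"
    canonical_url: str  # profile URL on the actor's home server

@dataclass(frozen=True)
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def is_local(actor: Actor) -> bool:
    return actor.handle.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN

def redirect_target(actor: Actor) -> Optional[str]:
    """Return the home-server URL only if it is https and points off this server."""
    parts = urlsplit(actor.canonical_url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host and host != LOCAL_DOMAIN:
        return actor.canonical_url
    return None

def serve_profile(actor: Actor, session_user: Optional[str]) -> Response:
    """Decide what a profile request gets, based on actor origin and login state."""
    if is_local(actor):
        return Response(200, body=f"profile of {actor.handle}")
    if session_user is not None:
        # Cached remote content: for logged-in local users only, never indexed
        # and never stored by shared caches.
        return Response(200, {"X-Robots-Tag": "noindex, noarchive",
                              "Cache-Control": "private, no-store"},
                        f"cached profile of {actor.handle}")
    target = redirect_target(actor)
    if target is None:
        return Response(404, {"X-Robots-Tag": "noindex"})
    # Anonymous visitors and crawlers go to the origin server, which applies
    # the author's own visibility and indexing choices.
    return Response(302, {"Location": target, "X-Robots-Tag": "noindex"})
```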
