Pixelfed leaks private posts from other Fediverse instances

I enjoyed reading this. Admittedly I&#x27;m very new to the activity pub protocol, but it&#x27;s hard to grasp at first how this leak actually occurs.<p>I read this part of the activity pub spec and I think I get it, but not completely. So it is really up to the activity pub server implementation to strip the bto&#x2F;bcc audience fields and do the &quot;right thing&quot; in order to preserve privacy? Could anyone shed some light on this?<p><a href="https:&#x2F;&#x2F;www.w3.org&#x2F;TR&#x2F;activitypub&#x2F;#remove-bto-bcc-before-delivery" rel="nofollow">https:&#x2F;&#x2F;www.w3.org&#x2F;TR&#x2F;activitypub&#x2F;#remove-bto-bcc-before-del...</a>

There was an interesting follow-up to this post that adds more context to the incident and problem space: <a href="https:&#x2F;&#x2F;lemmy.world&#x2F;post&#x2F;27522773" rel="nofollow">https:&#x2F;&#x2F;lemmy.world&#x2F;post&#x2F;27522773</a>

The real meat<p>&gt; The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide who to show them. When you accept a follower, you not only place your trust to keep a secret on them, but also on their admin and the software they are running.<p>Like I get it, compromises had to be made due to cacheing because it would be untenable if the same server had to fetch a single post hundreds of thousands of times but this makes activitypub an extremely high trust protocol between servers.

ActivityPub just hands out &quot;private&quot; posts and trusts the foreign server implicitly to only show them to the right users.<p>But it&#x27;s pixelfed&#x27;s fault

This really sounds like a problem with ActivityPub if it doesn&#x27;t have a protocol-level mechanism for this. The idea that an incomplete AP implementation is less secure than a complete one is worrisome to say the least.

&gt; the release dropped. While the version increment (v0.12.4 to v0.12.5) implies a minor update, it’s a huge leap. We’re totalling more than 450 commits, including the requirement of a new version of PHP<p>yeah this is not a great way of doing things (even for solo devs)

So wait. You have a federated protocol that trusts and expects <i>every instance</i> to enforce a user privacy setting?<p>That is, put simply, utterly incompetent shitty design.

This would be solved with encrypted messages. I&#x27;m sure dansup can figure this one out, we just need keypairs at the user level.