Security checklist before releasing a Fediverse application

This is meant as a collection of “MUST” requirements that should exist for a Fediverse server. This post is a wiki, so feel free to add to the list.

• Renaud Chaput: "I would encourage every Fediverse software projec…" - Oisaur

“dead-man switch" on registrations: if nobody with moderator permissions has been active in the last week, then disable new account creation.

Not sure if this is relevant or not, but some of the criteria I proposed for a fediverse integrity FEP might belong on this list?

Something like “allowed_private_ip_addresses”, see Configuring your environment - Mastodon documentation

If one just disables private ip addresses, testing becomes hard, and I will bug you:

• Enable setting the port and allowPrivateAddress through environment vars by HelgeKrueger · Pull Request #53 · dahlia/hollo · GitHub
• #71 - Question: Can one allow local IP federation in the config? - silverpill/mitra - Codeberg.org

100% there is a necessity to be able to allow certain IP addresses or ranges to be accessed despite being private IPs, e.g., for internal networks and non-federated deployments, such as those used for research and testing.

It should not just be a boolean, but explicitly a list of allowed IP addresses or IP ranges that can bypass the SSRF filter.

This is a good question. I think no, but I have not clarified the original post enough. I imagine this a list of MUST requirements, so that the server does not pose a risk to the Fediverse.

Examples

• Consider a server that enables people to send spam => BAD for the network
• Consider a server that changes its client API every Monday => Horrible for users, as the application is probably unusable on Mondays and Tuesdays. Fortunately, it has no effect on the rest of the Fediverse. So no real harm is done. The application will suffer a slow and painful death if it was otherwise quite good.

Maybe, a better name would be “security checklist before releasing a Fediverse application”. However, I’m still collecting. So it will take some time.

I’d suggest changing the thread title to that. It certainly makes it clearer what your target is

@helge +1. The “security considerations” section of the AP spec is woefully inadequate.

I’d recommend breaking it down into requirements and recommendations, with Renaud’s suggestion perhaps being the latter.

I have a list in my AP developer guide: feps/d85d/fep-d85d.md at main - silverpill/feps - Codeberg.org (though it is not solely about security)

One should check timestamps on posts

One should sanitize public keys

The last one might also belong to For Fun: Let's collect ActivityPub Activities that amuse us

—destructive, non-reversible changes should always have multiple safeguards—

The context here is the “Block domain” feature of mastodon

Screenshot 2024-11-21 at 08-19-27 Hrefna (DHC) @puppygirlhornypost2 If it was… - Mastodon408×663 35 KB

My understanding is that if I click that button and followed several people on hachyderm.io, all relationships would be severed (I’m not going to spam people to test it).

This should be considered an obvious foot gun as one should probably warn with something like:

“Blocking hachyderm.io will sever your relationship with @alice@hachyderm.io and @bob@hachyderm.io”

This additional amount of friction would probably remove some of the “blocking is evil” discourse. As people would be more cognizant of the consequences of their actions.

See also: petersuber: "I accidentally blocked a whole #Mastodon instance…" - FediScience.org