Mastodon PSA, mostly for admins 

Mastodon has a thing called AUTHORIZED_FETCH. You should almost definitely enable it.
Some people say "but blocked instances can still see my posts"; well, not with this thing on. This makes the server check who is trying to get your posts and will yeet all the blocked instances. That's what all modern software just assumes, but it prevents scaling (and relays), so it's not on by default.

If you are on you can ask this to be enabled.

Authorized_fetch makes it impossible for simple AP implementations to fetch toots, without providing much benefit.
Unless you whitelist instances, any blocked instance can get around the block by pretending to be a new instance.

@val well good luck setting up new keys and domains all the time.
I *hate* the techbro-ey take on this. "Without much benefit" and "oh, it's not perfect so it's useless". That's why it took years to get any security measures, because people are up their ass and don't understand that non-perfect measures can work very well.

@charlag malicious instances do not need to "set up new keys and domains all the time"; they just need to do it once for a domain that never sends anything.
Mastodon does not have the tools to find which of the thousand domains it federates with is leaking toots.
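To make the mechanism from the first post and the circumvention described just above concrete, here is an added example (written for this page; it is not code from the thread, from Mastodon, or from any other project). It models an ActivityPub server answering a GET for a post: with AUTHORIZED_FETCH on, the request must carry an HTTP Signature, the requester's domain is taken from the host of the `keyId` URL, that domain is checked against the blocklist, and only then is the signature verified. Assumptions: the domains `home.example`, `vanilla.example`, `blocked.example` and `fresh.example` are constructed for the demo; Mastodon verifies RSA-SHA256 signatures against the actor's published public key, and a per-keyId pre-shared HMAC secret stands in for that so the example runs on the standard library alone. Real implementations also reject stale `Date` headers, which this example leaves out.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed demo data (not real instances). In ActivityPub the keyId is a URL
# on the requesting server, and the verifier dereferences it to fetch that
# actor's RSA public key. A pre-shared HMAC secret per keyId stands in for the
# RSA key here so the example runs with only the standard library.
KEYS = {
    "https://vanilla.example/actor#main-key": b"vanilla-demo-secret",
    "https://blocked.example/actor#main-key": b"blocked-demo-secret",
    # A second domain the blocked operator registered and never posts from.
    "https://fresh.example/actor#main-key": b"fresh-demo-secret",
}
BLOCKED_DOMAINS = {"blocked.example"}


def signing_string(method, path, headers, header_names):
    """Build the draft-cavage HTTP Signatures signing string."""
    lines = []
    for name in header_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def sign_request(method, path, headers, key_id,
                 header_names=("(request-target)", "host", "date")):
    """Return the Signature header a remote server attaches to its GET."""
    msg = signing_string(method, path, headers, header_names).encode()
    mac = hmac.new(KEYS[key_id], msg, hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode()
    return (f'keyId="{key_id}",algorithm="hs2019",'
            f'headers="{" ".join(header_names)}",signature="{sig}"')


def parse_signature_header(value):
    """Split 'k="v",k2="v2"' into a dict (values contain no commas)."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params


def authorize_fetch(method, path, headers, authorized_fetch=True):
    """Decide whether to serve the post. Returns (allowed, reason)."""
    sig_header = headers.get("signature")
    if sig_header is None:
        if authorized_fetch:
            return False, "unsigned fetch rejected"
        return True, "unsigned fetch served (AUTHORIZED_FETCH off)"
    params = parse_signature_header(sig_header)
    key_id = params.get("keyId", "")
    domain = urlparse(key_id).hostname or ""
    # The domain block is applied to the domain the requester claims via keyId;
    # a domain that is not on the list passes even if the same people run it.
    if domain in BLOCKED_DOMAINS:
        return False, f"requester domain {domain} is blocked"
    secret = KEYS.get(key_id)
    if secret is None:
        return False, "unknown keyId"
    header_names = params.get("headers", "").split()
    if "(request-target)" not in header_names or "date" not in header_names:
        return False, "signature does not cover request target and date"
    if any(n != "(request-target)" and n not in headers for n in header_names):
        return False, "signed header missing from request"
    msg = signing_string(method, path, headers, header_names).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    try:
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except ValueError:
        return False, "malformed signature"
    if not hmac.compare_digest(expected, given):
        return False, "signature does not verify"
    return True, f"signed fetch from {domain} served"


def fetch_scenarios(path="/users/alice/statuses/1",
                    date="Tue, 01 Jan 2030 00:00:00 GMT"):
    """Run the cases argued in the thread; returns {scenario: allowed}."""
    def request(key_id=None):
        headers = {"host": "home.example", "date": date}
        if key_id:
            headers["signature"] = sign_request("GET", path, headers, key_id)
        return headers

    vanilla, blocked, fresh = (f"https://{d}/actor#main-key"
                               for d in ("vanilla.example", "blocked.example",
                                         "fresh.example"))
    results = {
        "unsigned, AUTHORIZED_FETCH off": authorize_fetch("GET", path, request(), False)[0],
        "unsigned, AUTHORIZED_FETCH on": authorize_fetch("GET", path, request())[0],
        "signed by vanilla.example": authorize_fetch("GET", path, request(vanilla))[0],
        "signed by blocked.example": authorize_fetch("GET", path, request(blocked))[0],
        "signed by fresh.example (same operator, unblocked domain)":
            authorize_fetch("GET", path, request(fresh))[0],
    }
    # Replaying a captured vanilla.example signature on a different post fails
    # because the signing string covers the request target.
    replayed = request(vanilla)
    results["vanilla signature replayed for another post"] = \
        authorize_fetch("GET", "/users/alice/statuses/2", replayed)[0]
    return results


if __name__ == "__main__":
    for scenario, allowed in fetch_scenarios().items():
        print(f"{'SERVED ' if allowed else 'REFUSED'}  {scenario}")
```

The scenario table is the whole argument in one place: the unsigned fetch that any vanilla instance could make on behalf of a blocked one is refused once AUTHORIZED_FETCH is on, the directly blocked domain is refused, and the never-posting `fresh.example` domain is served, because the blocklist only ever sees the domain named in `keyId`.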


@val @charlag nothing is perfect, but this takes active harmful effort as opposed to just sharing your post around all the vanilla instances you blocked, which makes a huge difference (no more shadow threads of fash replying to each other under your posts, unbeknownst to you).

If an instance is actively circumventing stuff like this there's infinite other ways to do so as well.
