I was recommended to share this article I wrote a few days ago on here, too; so here we are!

The TL;DR is “link embed fetching communes” as a partial “fix” to the issue (pretty buzzwordy, sorry for that)

  • Zak@lemmy.world
    link
    fedilink
    English
    arrow-up
    22
    ·
    6 months ago

    The proposed solution of an intermediate server caching embeds is needlessly complex. The first server a link is posted to can fetch the embed, then push it out to every server receiving the post.

    • punkyblob@lemmy.blahaj.zoneOP
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      6 months ago

      Actually an interesting point. My immediate concern with that idea is that it would open the door for disguising things for what they aren’t. The solution was made from the general caution of not trusting remote servers regarding content they not necessarily control.

      But yes, that would definitely be a solution, too.

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      English
      arrow-up
      9
      ·
      6 months ago

      Without some kind of signature scheme, this can easily be abused, though. The first server to fetch the embed can put just about anything in there when it pushes that embed to other servers.

      • catloaf@lemm.ee
        link
        fedilink
        English
        arrow-up
        7
        ·
        6 months ago

        The first server should be the one it was posted to. Then federate the embed just like the post itself.

        If a server is malicious, it doesn’t matter if that malice is transmitted in the post or in the embed, it should be defederated just the same.

        • Skull giver@popplesburger.hilciferous.nl
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          6 months ago

          Sharing Federated content in general works like that. However, the originating server will still receive an onslaught of HTTPS requests of remote servers fetching the signing key used to sign the federated message.

          “Just defederate” is not a real solution. I’ve observed malicious behaviour on all major Lemmy, Kbin, and Mastodon services, and even more on smaller services like personal Mastodon servers.

          • Zak@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            6 months ago

            In this case, generating fake excerpts is not something a user on a server controlled by someone else can do; they have to operate a malicious server themselves. Defederation is a good solution to malicious servers.

            Certainly someone very determined could spin up a bunch of malicious servers and put out a bunch of posts containing fake excerpts, but they’d need followers to get any reach on the microblog side of the fediverse. They could spam Lemmy communities, but users would notice and downvote/report the posts.

            So I think “just defederate” probably is an adequate solution here, at least as things currently sit. Were the fediverse to grow by an order of magnitude, I think it would need a reputation system to add a bit of friction to a brand new server or user getting a lot of reach quickly.

            • Skull giver@popplesburger.hilciferous.nl
              link
              fedilink
              English
              arrow-up
              2
              ·
              6 months ago

              ActivityPub doesn’t require followers, it’s a push-based protocol. You can tag a user, and your post gets embedded in the remote timeline. The lack of the ability to cut down on notifications is actually one of the problems many of the more popular fediverse accounts often talk about.

              One could implement a sort of “I trust your supposed representation but only if the recipients follow you” approach, but then you’ll need to explain to users why sometimes link previews work and why sometimes they don’t.

              This issue could still be prevented entirely in a whitelisted federation model where hacked servers get defederated immediately, but I don’t think that’s a particularly popular model within ActivityPub circles.

              There are a few reputation systems out there, but they have the exact same problem email reputation services have: your small server will never be able to exchange messages with the four or five largest servers because there’s no way for you to build up a reputation in the first place, and a 30 minute hack can make your domain completely unusable.

      • Rimu@piefed.social
        link
        fedilink
        arrow-up
        5
        arrow-down
        2
        ·
        6 months ago

        Not all servers are equal. I would trust a post from lemmy.world or lemmy.ml to have valid metadata, for example. It’d be great if admins had some way to specify trusted instances (with the biggest 6 instances as initial defaults).

        There would be other uses for the trusted instances concept. Automatic sharing of moderation actions, block lists, community lists, etc

        • Skull giver@popplesburger.hilciferous.nl
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          6 months ago

          That kind of centralisation is exactly what the Fediverse was built to prevent. What’s the point of decentralising if you’re going keep a whitelist of servers and break link previews for all other users? I would certainly keep that feature disabled.

          • Rimu@piefed.social
            link
            fedilink
            arrow-up
            2
            ·
            6 months ago

            Link previews for content from untrusted instances could still be generated just as they are now.

            The centralisation that has happened is a separate issue.

  • andyburke@fedia.io
    link
    fedilink
    arrow-up
    16
    ·
    6 months ago

    How is this not a caching issue on the linked server? Serving the same info up over and over from memory should be incredibly fast.

    Are their pages dynamic and filled with ads and stuff or something that makes this a problem?

    • chiisana@lemmy.chiisana.net
      link
      fedilink
      English
      arrow-up
      17
      ·
      edit-2
      6 months ago

      If you’ve skimmed over the original publication, it is actually worse: it is a non problem. Other users have pointed out already: ~100MB served over 5 minutes period is quite literally nothing for even one small VPS serving the content independently, let alone a site with CloudFlare in front like they claim to have.

    • erlend_sh@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      6 months ago

      This is certainly not spam but rather a blog response, a time honored practice as old as blogging itself.

      OP’s article links to the source article (albeit via its fedipost rather than its blog post; maybe best to link both) and contributes to the online discourse with a long form reply, detailing a possible solution.

      Mischaracterizing such a clearly well-intentioned contribution as “blog spam” is disingenuous.

      edit: thanks for retracting your comment. I hope my retort won’t dissuade you from continuing to engage in this community :)

    • punkyblob@lemmy.blahaj.zoneOP
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      1
      ·
      6 months ago

      How is this blog spam if it provides an approach on how to fix it (next to a recap)? I just put it on there because I collect stuff there.

      But yeah, whatever, Lemmy is an interesting place.

    • ThillyGooth@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      6 months ago

      This is not spam. The blog post discusses a current hot topic. There’s no advertising on the site. OP has nothing to gain by sharing this. Don’t make people hesitate to post quality content just because the topic has been discussed elsewhere.