- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 12 Apr 2025 09:44:53 +0200
- To: "public-swicg@w3c.org" <public-swicg@w3c.org>
- Message-ID: <CAKaEYhLLQnJrMBJbacVfW8JEho1eUiapV4UnF84NfzeOR5UXXA@mail.gmail.com>
Hi All, There’s a major security issue in the way most ActivityPub implementations work today: private keys are typically stored on the server, often in plain text or with minimal protection. This means: - Server admins or attackers can fully impersonate any user. - There is no real cryptographic boundary between the user and their instance. - *End-to-end encryption is fatally compromised* — servers can decrypt or forge "private" messages. - *Any financial use of ActivityPub (tipping, payments, tokens) is wide open to theft*, since servers hold the keys that authorize transactions. When the original Working Group formed, we didn’t yet know how implementations would evolve. But now that we do, we can’t keep saying that insecure defaults are a feature, not a bug. This is a core flaw that undermines the promise of secure federation. If a new Working Group is formed, security issues such as this* need be acknowledged and addressed* — including exploring models where users control their own keys, not the servers. Looking forward to hearing thoughts, Melvin
Received on Saturday, 12 April 2025 07:45:09 UTC