Re: Major Security Issue with AP: Server-Stored Private Keys in ActivityPub

Thank you for highlighting this Melvin. I agree completely and look 
forward to this being raised as a high priority issue.

It has limited my own ability to deploy social communities based upon 
ActivityPub in an institutional or business context.

Cheers,
Sean

Sean O'Brien
Research Fellow, Information Society Project (ISP) at Yale Law School
Founder, Privacy Lab at Yale ISP https://privacylab.yale.edu


On 4/12/25 03:44, Melvin Carvalho wrote:
> Hi All,
>
> There’s a major security issue in the way most ActivityPub implementations
> work today: private keys are typically stored on the server, often in plain
> text or with minimal protection.
>
> This means:
>
>     -
>
>     Server admins or attackers can fully impersonate any user.
>     -
>
>     There is no real cryptographic boundary between the user and their
>     instance.
>     -
>
>     *End-to-end encryption is fatally compromised* — servers can decrypt or
>     forge "private" messages.
>     -
>
>     *Any financial use of ActivityPub (tipping, payments, tokens) is wide
>     open to theft*, since servers hold the keys that authorize transactions.
>
> When the original Working Group formed, we didn’t yet know how
> implementations would evolve. But now that we do, we can’t keep saying that
> insecure defaults are a feature, not a bug. This is a core flaw that
> undermines the promise of secure federation.
>
> If a new Working Group is formed, security issues such as this* need be
> acknowledged and addressed* — including exploring models where users
> control their own keys, not the servers.
>
> Looking forward to hearing thoughts,
>
> Melvin
>