Hello!

When someone connects to my instance's communities, but from another instance, how do I know there's no spoofing involved?

Cheers

  • Loulou@lemmy.mindoki.com (OP)
    1 year ago

    Okay, so it’s the Lemmy server running my instance that checks it is the right user. Do you know how it is done?

    I reread your post, so it’s a signature in the HTTP call?

    • 1984@lemmy.today
      1 year ago

      It’s an HTTPS certificate connected to the domain name of the instance.

    • Wander@yiffit.net
      1 year ago

      It should be a signature that is sent together with the ActivityPub Object. Yes, if the signature doesn’t match, the content, whether a post, comment, favorite, upvote, etc… should be dropped.

      Here is the source code of the library that Lemmy uses to handle incoming objects, and you can see that it does a call to verify the signature of the actor:

      https://docs.rs/activitypub_federation/latest/src/activitypub_federation/actix_web/inbox.rs.html#18-54

    • mo_ztt ✅@lemmy.world
      1 year ago

      Here’s quite a good overview. The short answer, I think, is that the signature is embedded into the JSON object representing the post / upvote / whatever, which then gets passed around server-to-server (and each server checks the signature against the original server’s TLS certificate). It’s not something you can get your head around just by asking a couple simple questions but it’s a pretty fascinating design when you get your head around it.
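
An added example, not part of the thread and not code from Lemmy or the activitypub_federation library: a sketch of the inbox check Wander's comment describes, assuming deliveries carry a draft-cavage HTTP `Signature` header (rsa-sha256) plus a `Digest` header. `verify_delivery`, `fetch_key` (a callback returning the actor's RSA modulus and exponent), the required-header policy and the demo key are all constructed for this illustration.

```python
import base64, hashlib, re
from urllib.parse import urlparse

# ASN.1 DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017)
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_encode(msg, k):
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == pkcs1_encode(msg, k)

def signing_string(method, path, headers, names):
    # One "name: value" line per signed header, in the order the sender listed them.
    target = {"(request-target)": f"{method.lower()} {path}"}
    return "\n".join(f"{n}: {target.get(n) or headers[n]}" for n in names).encode()

def verify_delivery(method, path, headers, body, actor_id, fetch_key):
    """True only if the request is signed by a key on the claimed actor's own host."""
    h = {k.lower(): v for k, v in headers.items()}
    p = dict(re.findall(r'(\w+)="([^"]*)"', h.get("signature", "")))
    names = p.get("headers", "").split()
    # This example's policy: the signature must cover target, host, date and body digest.
    if not {"keyId", "signature"} <= p.keys() or not {"(request-target)", "host", "date", "digest"} <= set(names):
        return False
    if any(n != "(request-target)" and n not in h for n in names):
        return False
    # The signature covers only the Digest header, so re-hash the body and compare.
    if h["digest"] != "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode():
        return False
    # Simplified ownership check: the key must be served by the same host as the actor.
    if urlparse(p["keyId"]).netloc != urlparse(actor_id).netloc:
        return False
    try:
        sig = base64.b64decode(p["signature"], validate=True)
    except ValueError:
        return False
    n, e = fetch_key(p["keyId"])  # hypothetical callback: look up the actor's public key
    return rsa_verify(n, e, signing_string(method, path, h, names), sig)

# Constructed demo key built from two Mersenne primes: fine for a test, NOT secure.
E, N = 65537, (2**521 - 1) * (2**607 - 1)
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))

def demo_sign(msg):
    k = (N.bit_length() + 7) // 8
    return base64.b64encode(pow(pkcs1_encode(msg, k), D, N).to_bytes(k, "big")).decode()
```

Here `actor_id` stands for the `actor` field of the delivered JSON activity. A production receiver would also reject stale `Date` values and would obtain the key by fetching the `keyId` URL over HTTPS.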