@Gargron
Would it be possible for Mastodon to implement DANE-verification against other instances?
It would be a neat security feature

#maston #mastodev #mastoadmin


@selea @Gargron

I once proposed it for Matrix Synapse but it was met with... not much excitement to put that lightly :)


@kravietz @selea Can you elaborate on what you want from that feature and how you imagine it working?

@Gargron @selea

On each attempt to connect to a federated instance:

1) check presence of TLSA record in DNS for _xxx._tcp.host.example.com where _xxx is the target port number used by Mastodon/Matrix
2) get the hash from the TLSA record
3) when TLS connection is established, verify the TLSA hash against the certificate actually received

Details en.wikipedia.org/wiki/DNS-base

@Gargron @selea

Oh and 0) check if DNS response is DNSSEC-authenticated

For Synapse I can actually come up with a PR as it's Python, not sure about Mastodon.
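
The four steps above (0: require a DNSSEC-authenticated answer, 1: look up `_port._tcp.host`, 2: take the association data from the TLSA record, 3: compare it against the certificate the TLS handshake actually delivered) as a runnable sketch. This is an added example written for this thread; it is not code from Mastodon, Synapse or any DANE library. It assumes the DNS query and the TLS handshake have already happened elsewhere and that the caller passes in the parsed TLSA records, the peer's DER certificate and whether the resolver set the AD (authenticated data) flag. Only certificate usage 3 (DANE-EE, which pins the end-entity certificate itself) is evaluated; usages 0, 1 and 2 additionally need PKIX chain validation and are deliberately treated as unusable here. The certificate is a constructed toy DER structure, just enough for the SubjectPublicKeyInfo walk to work, not a real certificate.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RDATA tuple (RFC 6698): usage, selector, matching type, data."""
    usage: int      # 3 = DANE-EE: the record pins the server certificate itself
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes     # certificate association data as published in DNS


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Step 1: the DNS name to query, e.g. _443._tcp.host.example.com."""
    return f"_{port}._{proto}.{host}."


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER tag/length/value at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value: bytes):
    """Split a constructed DER value into its child TLVs (each kept whole)."""
    out, pos = [], 0
    while pos < len(value):
        _, _, nxt = _der_tlv(value, pos)
        out.append(value[pos:nxt])
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Selector 1: the SubjectPublicKeyInfo TLV from an X.509 certificate."""
    _, cert_body, _ = _der_tlv(cert_der, 0)
    tbs = _der_children(cert_body)[0]             # tbsCertificate
    _, tbs_body, _ = _der_tlv(tbs, 0)
    fields = _der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:           # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def record_matches(record: TLSARecord, cert_der: bytes) -> bool:
    """Steps 2 and 3: compare the record's data with the received certificate."""
    selected = cert_der if record.selector == 0 else extract_spki(cert_der)
    if record.matching == 0:
        return selected == record.data
    if record.matching == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False


def dane_verify(records, cert_der: bytes, dnssec_authenticated: bool) -> str:
    """Returns "pass", "fail" or "no-dane" (no usable, authenticated records)."""
    if not dnssec_authenticated:                  # step 0: unsigned answers carry no trust
        return "no-dane"
    usable = [r for r in records
              if r.usage == 3 and r.selector in (0, 1) and r.matching in (0, 1, 2)]
    if not usable:
        return "no-dane"
    return "pass" if any(record_matches(r, cert_der) for r in usable) else "fail"


# --- constructed toy certificate (NOT a real X.509 cert; shape only) ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


TOY_SPKI = _der(0x30, _der(0x30, b"\x06\x03\x2a\x03\x04") + _der(0x03, b"\x00toy-public-key"))
TOY_CERT = _der(0x30,
                _der(0x30,
                     _der(0xA0, _der(0x02, b"\x02"))   # version v3
                     + _der(0x02, b"\x01")             # serialNumber
                     + _der(0x30, b"")                 # signature (algorithm)
                     + _der(0x30, b"")                 # issuer
                     + _der(0x30, b"")                 # validity
                     + _der(0x30, b"")                 # subject
                     + TOY_SPKI)                       # subjectPublicKeyInfo
                + _der(0x30, b"")                      # signatureAlgorithm
                + _der(0x03, b"\x00sig"))              # signatureValue

# A "3 1 1" record is the usual DANE-EE form: SHA-256 of the SPKI.
GOOD_RECORD = TLSARecord(3, 1, 1, hashlib.sha256(TOY_SPKI).digest())
STALE_RECORD = TLSARecord(3, 1, 1, hashlib.sha256(b"previous key").digest())

if __name__ == "__main__":
    print(tlsa_owner_name("host.example.com", 443))
    print(dane_verify([GOOD_RECORD], TOY_CERT, dnssec_authenticated=True))
```

In a real client the `dnssec_authenticated` flag must come from a validating resolver (the AD bit on a query sent with DO set, or local validation), otherwise an attacker who can spoof DNS could also spoof the TLSA record and the check adds nothing. A "fail" result should abort the connection; "no-dane" should fall back to the ordinary certificate checks rather than be treated as success.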

@kravietz

For me, it sounds really strange that you got that reaction. It sounds like the next logical step to take for synapse!

Also, I would love it if the @nextcloud client would support it as well!

@kravietz did explain it very well, so I do feel that I do not need to explain it further :)

@Gargron
