Drew DeVault
drewdevault@fosstodon.org
Fucking Mastodon auto-DDoS-on-post, disgraceful
3
1
0
K. Ryabitsev
monsieuricon
0
5
9
@drewdevault The mastodon roadmap mentions „Rework link previews fetching and distribution“ so maybe this will be improved someday
1
0
0
Michał "rysiek" Woźniak · 🇺🇦
rysiek@mstdn.social@joshix yeah, I don't see a reason why the preview could not be fetched by the post's originating instance and just attached to the post.
1
0
0
Jonathan Corbet
corbet
0
0
3
smolwaffle
smolwaffle@union.place@rysiek
One reason is that it's vulnerable to forging. I could, say, post a link to a NYTimes article with a fake headline and text in the preview.
You could argue that people shouldn't trust those previews, but we've already created an expectation that they are accurate. That ship had sailed.
The line of trust could perhaps be created with DNS, which is one of the few distributed systems we have available for that sort of thing. Like an SPF record for link previews.
@joshix @drewdevault
3
0
0
Michał "rysiek" Woźniak · 🇺🇦
rysiek@mstdn.social@smolwaffle why would people trust that preview in my post any more than my post itself?
0
0
0
@rysiek
A more powerful solution would be for the originating site to publish a key along with signed link previews. The signed preview could then be attached to a post. The key again needs to be published via DNS to avoid slamming the originating site.
@joshix @drewdevault
1
0
0
@smolwaffle @rysiek @joshix @drewdevault also wouldn’t that require work from, like, literally every websites?
1
0
0
Alex Conner
alex@codatory.com@smolwaffle @rysiek @joshix @drewdevault my recollection when I dug into it was that ActivityPub didn't have a standard way to include the link previews... They do at least now stagger the fetch, but it's good motivation to have caching if a toot can overload the site.
1
0
0
@alex yes, people should stop running heavy websites when a static HTML site is enough, and yes microcaching is something more website admins need to understand.
But that doesn't make the fedi hug of death any less of a real problem, and any less a problem that should be solved on fedi side. Mastodon et al should just be good neighbors on the Interwebz.
0
0
1
@xarvos
All consumers of previews and websites which want to save on preview-loading traffic. So not every website.
It's definitely ambitious and unlikely to be implementable. I don't think the companies with the most control over the web have any motivation to push it. The opposite, since they want people to depend on their centralized services for things like that.
@joshix @drewdevault @rysiek
1
0
0
@smolwaffle @joshix @drewdevault @rysiek people this problem hits the hardest already have little resource
1
0
0
Drew DeVault
drewdevault@fosstodon.org@xarvos @joshix @rysiek @smolwaffle some shit is just computationally intensive and not designed to be hit at 1000 req/sec
And why are we just assuming that previews are so fucking important that it's fine to DDoS people because we can't come up with an efficient design
0
0
0