Trust as the Elephant in the Room

Security Evaluation of Decentralized Online Social Networks with Mastodon

Authors

  • Lea Laux Ostbayerische Technische Hochschule Regensburg
  • László Erdődi University of Oslo
  • Kai Selgrad Ostbayerische Technische Hochschule Regensburg

Keywords:

Federated Online Social Networks, Security Evaluation, Security Design Review

Abstract

Federated online social networks are an alternative to centralized and often profit-driven social networks. Instead of providing exactly one main platform, federated and decentralized approaches consist of multiple platforms, nodes or instances, which leads to new challenges for guaranteeing confidentiality, integrity and availability. Privacy also requires close consideration because of the sensitive nature of the personal data processed, the purpose of online social networks and the behavior of users on social media. The recent popularity and broad use of the federated micro-blogging platform Mastodon raise the question of security and privacy challenges both for this type of architecture and for the specific platform. Mastodon is part of a larger network, the Fediverse, which comprises several platforms with different purposes. Communication and interoperability between Fediverse platforms are mostly achieved through the ActivityPub protocol, the W3C standard for decentralized social networking. We analyze Mastodon as the currently most prominent and largest example of a Fediverse platform: we test for typical classes of software vulnerabilities and evaluate common security challenges built into its design. As a result, we identify trust as a security principle as the critical issue, leading to multiple weak points, such as enabling attackers and malicious actors to spread misleading information and to impact network availability. We suggest possible solutions customized to our findings as well as general security recommendations for building a federated online social network such as the Fediverse.
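The trust problem named in the abstract can be made concrete with an ActivityPub inbox check. The following is an added illustration written for this page; it is not code from the paper or from Mastodon. It assumes the transport layer has already verified the HTTP Signature on the delivery and knows which actor owns the signing key (passed in as signing_actor so the example runs offline), and it uses constructed actor URLs (social.example, evil.example, other.example) and constructed activities. The point is that a receiving instance must not trust the origin an activity claims for itself: the actor field, the object's attributedTo and the object's id are all cross-checked against the authenticated sender.

```python
# Added illustration (not from the paper): an ActivityPub inbox handler that
# refuses to trust the claimed origin of a federated activity.
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Hostname of an ActivityPub id/URL, lower-cased; '' if unparsable."""
    return (urlparse(url).hostname or "").lower()


def check_activity(activity: dict, signing_actor: str) -> tuple[bool, str]:
    """Decide whether to accept `activity`, delivered by `signing_actor`.

    `signing_actor` is assumed to be the actor whose public key verified the
    HTTP Signature on the request (that verification is out of scope here).
    Returns (accepted, reason).
    """
    actor = activity.get("actor")
    if not isinstance(actor, str):
        return False, "missing actor"
    # 1. The actor named in the activity must be the one that signed it.
    if actor != signing_actor:
        return False, "actor does not match signing key owner"

    kind = activity.get("type")
    obj = activity.get("object")

    if kind == "Create":
        # 2. A Create must embed the object, authored and hosted by the actor.
        if not isinstance(obj, dict):
            return False, "Create without embedded object"
        if obj.get("attributedTo") != actor:
            return False, "object attributed to a different actor"
        if host_of(obj.get("id", "")) != host_of(actor):
            return False, "object id belongs to a different instance"
        return True, "ok"

    if kind == "Announce":
        # 3. A boost legitimately points at another instance's object by
        #    reference; only the boosting actor's identity is vouched for.
        if not isinstance(obj, str):
            return False, "Announce must reference an object by id"
        return True, "ok"

    return False, f"unhandled activity type {kind!r}"


# Constructed sample data (hypothetical hosts and actors).
ALICE = "https://social.example/users/alice"
MALLORY = "https://evil.example/users/mallory"
BOB = "https://other.example/users/bob"

SAMPLES = {
    # Alice signs a note she authored on her own instance.
    "genuine_create": ({
        "type": "Create", "actor": ALICE,
        "object": {"type": "Note", "id": "https://social.example/notes/1",
                   "attributedTo": ALICE, "content": "hello"},
    }, ALICE),
    # Alice signs, but the note claims to be Bob's words.
    "forged_attribution": ({
        "type": "Create", "actor": ALICE,
        "object": {"type": "Note", "id": "https://social.example/notes/2",
                   "attributedTo": BOB, "content": "bob never said this"},
    }, ALICE),
    # Mallory signs an activity whose actor field claims to be Alice.
    "spoofed_actor": ({
        "type": "Create", "actor": ALICE,
        "object": {"type": "Note", "id": "https://social.example/notes/3",
                   "attributedTo": ALICE, "content": "alice never said this"},
    }, MALLORY),
    # Alice boosts one of Bob's notes: a foreign object id is expected here.
    "boost": ({
        "type": "Announce", "actor": ALICE,
        "object": "https://other.example/notes/9",
    }, ALICE),
}


def run_samples() -> dict[str, bool]:
    """Accept/reject verdict for every constructed sample."""
    return {name: check_activity(act, signer)[0]
            for name, (act, signer) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} accepted={verdict}")
```

The per-type handling is the edge case worth noticing: an origin check that simply requires every object id to live on the sender's instance would reject every boost, while one that skips the check for all types lets a signing instance attribute content to users it does not host. Production servers additionally have to handle forwarded activities (Mastodon, for instance, forwards some activities and relies on an inner signature carried inside the object), which this example deliberately leaves out.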


Published

2023-11-28