AkkomaGang/akkoma
AkkomaGang
/
akkoma
12
63
Fork 83
Code Issues 173 Pull Requests 20 Packages Projects 2 Releases 12 Wiki Activity

Instance HTTP Signatures Statistics #304

New Issue
Closed
opened 2022-11-23 22:17:53 +00:00 by luna · 5 comments
luna commented 2022-11-23 22:17:53 +00:00
Contributor
Copy Link

I'll be taking the same text I made for Pleroma's proposal as I want to upstream this to both projects. Feel free to show feedback.

Problem Statement

I've been recently thinking about authorized_fetch_mode and how broken my federation became when I first enabled it years ago. Nowadays, with the recent network influx, I'm thinking of enabling it again, but I worry about how unreachable my instance would become if I enabled it, I don't have that sort of data to really decide if I should enable it or not.

Suggestion

Part 1: Create a new attribute under the Instance entity, called has_request_signatures. While reachable refers to the overall health of the network connection, has_request_signatures would be set on requests that contain valid HTTP Signatures (possibly on Pleroma.Web.Plugs.HTTPSignaturePlug?).

Part 2: An instance admin can then (with possibly a separate script or mix task) calculate the set of instances that they would not be able to see if authorized_fetch_mode is enabled, it would be a more informed decision than the current one of taking guesses.

I'll be taking the same text I made for [Pleroma's proposal](https://git.pleroma.social/pleroma/pleroma/-/issues/2987) as I want to upstream this to both projects. Feel free to show feedback. --- # Problem Statement I've been recently thinking about `authorized_fetch_mode` and how broken my federation became when I first enabled it years ago. Nowadays, with the recent network influx, I'm thinking of enabling it again, but I worry about **how** unreachable my instance would become if I enabled it, I don't have that sort of data to really decide if I should enable it or not. # Suggestion Part 1: Create a new attribute under the `Instance` entity, called `has_request_signatures`. While `reachable` refers to the overall health of the network connection, `has_request_signatures` would be set on requests that contain valid HTTP Signatures (possibly on `Pleroma.Web.Plugs.HTTPSignaturePlug`?). Part 2: An instance admin can then (with possibly a separate script or `mix` task) calculate the set of instances that they would not be able to see if `authorized_fetch_mode` is enabled, it would be a more informed decision than the current one of taking guesses.
👍 1
nocebo commented 2022-11-24 00:05:43 +00:00
Contributor
Copy Link

just as a note, http request signatures are required in practice (and thus universally supported) by all software for push federation

you would want to specifically record signed fetches, which only started being supported by fedi software since introduction in mastodon 3.0 (iirc)

just as a note, http request signatures are required in practice (and thus universally supported) by all software for push federation you would want to specifically record signed *fetches*, which only started being supported by fedi software since introduction in mastodon 3.0 (iirc)
luna commented 2022-11-24 02:06:49 +00:00
Author
Contributor
Copy Link

Indeed, that's why I suggested implementing the has_request_signatures recording on the HTTP Signature plug, as that's the one that also holds the enforcement of such through authorized_fetch_mode. I got the core part of this proposal finished, will be testing in production soon to find out some interesting numbers.

Indeed, that's why I suggested implementing the `has_request_signatures` recording on the HTTP Signature plug, as that's the one that also holds the enforcement of such through `authorized_fetch_mode`. I got [the core part of this proposal](https://git.pleroma.social/luna/pleroma/-/commit/05875345c28661e30228ac15954b2d892250a400) finished, will be testing in production soon to find out some interesting numbers.
👍 1
luna commented 2022-11-24 04:07:40 +00:00
Author
Contributor
Copy Link

Some hours after applying the patch to my instance and I can see some results: 165 instances that confirmed themselves as having signed fetches, while 1302 instances missing (could be either because they're unreachable, as my instance is quite old, or they haven't gotten around to fetching any of my posts yet). Even with those remarks, the numbers are interesting.

Some hours after applying the patch to my instance and I can see some results: 165 instances that *confirmed* themselves as having signed fetches, while 1302 instances missing (could be either because they're unreachable, as my instance is quite old, or they haven't gotten around to fetching any of my posts yet). Even with those remarks, the numbers are interesting.
screenie-2022-11-24-01_05_57.png
3.9 KiB
screenie-2022-11-24-01_05_57.png
floatingghost commented 2022-11-24 11:23:09 +00:00
Owner
Copy Link

my extremely hot take is that authorized fetch mode should be default - it's de facto for most instances anyhow

but in lieu of that, this is not a bad stopgap

the one thing that does concern me is that the patch as-is runs an SQL query on every request, which could be a spam vector - you might want to consider adding a cache for instances to prevent this, and also consider if we'd ever need to go "backwards", so to say

that is, would the state ever realistically go true -> false?

my extremely hot take is that authorized fetch mode should be default - it's de facto for most instances anyhow but in lieu of that, this is not a bad stopgap the one thing that does concern me is that the patch as-is runs an SQL query on every request, which could be a spam vector - you might want to consider adding a cache for instances to prevent this, and also consider if we'd ever need to go "backwards", so to say that is, would the state ever realistically go true -> false?
👍 1
luna commented 2022-11-24 16:38:27 +00:00
Author
Contributor
Copy Link

you might want to consider adding a cache for instances to prevent this

Agreed, will be adding to the patch.

that is, would the state ever realistically go true -> false?

Maybe if an instance has switched their actor keys, maybe? In theory that would mean it's a different instance (say, someone bought the domain after some years of an instance being dead), and so our statistics for that domain should be reset.

We wouldn't be able to detect if an instance has turned off their signed fetches after they've turned it on, as we wouldn't be able to assert their identity at that rate (and I don't think reverse DNS of the requester's IP is a good idea to infer identity).

> you might want to consider adding a cache for instances to prevent this Agreed, will be adding to the patch. > that is, would the state ever realistically go true -> false? Maybe if an instance has switched their actor keys, maybe? In theory that would mean it's a different instance (say, someone bought the domain after some years of an instance being dead), and so our statistics for that domain should be reset. We wouldn't be able to detect if an instance has turned off their signed fetches *after* they've turned it on, as we wouldn't be able to assert their identity at that rate (and I don't think reverse DNS of the requester's IP is a good idea to infer identity).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
develop
translations
who-wants-to-yeet-c2s-i-want-to-yeet-c2s
stable
bad-uploader-config-warning
docker
backoff-http
user-expiry-backfill
config-db-keys
ensure-scrubbers-loaded
otp26
code-shaking-does-not-go-brr
elixir1.15
circleci
backup-fixes
mod-task
policy
mrf-coolness
frontend-switcher-9000
contentMap
language-on-posts
rabbit
credo-on-pr
unify-http
normalise-markup-by-default
buildx
v3.12.2
v3.12.1
v3.12.0
v3.11.0
v3.10.4
v3.10.3
v3.10.2
v3.10.1
v3.10.0
v3.9.3
v3.9.2
v3.9.1
V3.9.0
2023.05
v3.8.0
v3.7.1
v3.7.0
v3.6.0
v3.5.0
v3.4.0
v3.3.1
v2.4.4
v3.3.0
v3.2.3
v3.2.2
v3.2.1
stable-202209
v3.2.0
v3.1.0
stable-2022.07
v3.0.0
v0.0.1
v2.5.2-6
v2.5.2-5
v2.5.2-4
v2.5.2-3
v2.5.2-2
v2.5.2-1
v2.5.2
v2.5.1
v2.5.0-8
v2.5.0-7
v2.5.0-6
v2.5.0-5
v2.5.0-4
v2.5.0-3
v2.5.0-2
v2.5.0-1
v2.5.0
v2.4.3
pre-rebase
v2.4.2
v2.4.1
v2.4.0
soapbox-v1.1.1
soapbox-v1.1.0
soapbox-v1.0.0
v2.3.0
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.91
v1.0.90
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v0.9.0
Labels
Clear labels   
approved, awaiting change

   
bug

Something is not working

  
configuration

This requires config changes

  
documentation

This is about human-readable docs

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
extremely low priority

   
feature request

Something new?

  
Fix it yourself

Support has been attempted

  
help wanted

Need some help

  
invalid

Something is wrong

  
mastodon_api

   
needs docs

   
needs tests

   
not a bug

   
planned

   
pleroma_api

   
privacy

   
question

More information is needed

  
static_fe

   
triage

   
wontfix

This won't be fixed

No Label
approved, awaiting change
bug
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs docs
needs tests
not a bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#304
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?