this post was submitted on 30 Dec 2024

ActivityPub


Focused discussion related to ActivityPub integration in NodeBB


As part of security checking for incoming events, we check that the keyId sent in the HTTP signature is actually owned by the actor that the activity came from. This is to guard against activity spoofing from separate users at the same server (e.g. user B@server pretends to send a Create(Note) from user A@server).

Our check is pretty simple: the keyId is matched against the public key id as retrieved from the actor.

Except it fails for PeerTube because:

  • PeerTube's actors all have the #main-key suffix on their public key IDs (e.g. https://tilvids.com/accounts/thelinuxexperiment#main-key)
  • The HTTP Signature's keyId does not include the #main-key suffix (e.g. https://tilvids.com/accounts/thelinuxexperiment)

So the key ownership cross-check fails.

I could adjust the logic to strip out the URL's hash, but I was wondering if that was actually secure. I assume this is what is already done since PeerTube successfully federates with other software.

[–] [email protected] 1 points 2 weeks ago

@julian Yes, this is secure because the web origin remains the same. I simply remove the fragment; it works for everything except GoToSocial.

Nevertheless, mismatch between signature keyId and publicKey.id is a bug.

cc @peertube
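
The keyId ownership check discussed in this thread, with a fragment-stripping fallback, as an added example that is not NodeBB's, PeerTube's or either poster's code. The function names, the result shape and the rule that the fallback applies only when the key URL minus its fragment equals the actor id are assumptions of this sketch; the `example.test` actor is constructed.

```javascript
'use strict';
// Added example: helper names and the fallback policy are assumptions,
// not code from NodeBB or PeerTube.

// Absolute http(s) URL with its fragment removed, or null if unparsable.
function stripFragment(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  url.hash = '';
  return url.href;
}

// keyId: value taken from the HTTP Signature.
// actor: actor document retrieved for the activity's actor.
function checkKeyOwnership(keyId, actor) {
  const declared = actor && actor.publicKey && actor.publicKey.id;
  if (typeof keyId !== 'string' || typeof declared !== 'string') {
    return { ok: false, reason: 'missing-key' };
  }
  if (keyId === declared) return { ok: true, match: 'exact' };

  const sent = stripFragment(keyId);
  const owned = stripFragment(declared);
  const actorId = stripFragment(actor.id);
  if (!sent || !owned || !actorId) return { ok: false, reason: 'bad-url' };

  // Fallback: ignore the fragment only when the key lives in the actor's own
  // document, so two keys that differ only by fragment in a shared key
  // document are never treated as the same key.
  if (sent === owned && owned === actorId) {
    return { ok: true, match: 'fragment-stripped' };
  }
  return { ok: false, reason: 'key-mismatch' };
}

// Actor shaped like the PeerTube case in the post (URLs from the post).
const peertubeActor = {
  id: 'https://tilvids.com/accounts/thelinuxexperiment',
  publicKey: { id: 'https://tilvids.com/accounts/thelinuxexperiment#main-key' },
};
// Constructed actor whose key sits in a shared key document.
const sharedDocActor = {
  id: 'https://example.test/users/bob',
  publicKey: { id: 'https://example.test/keys#bob' },
};
```
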