Most of us are Reddit refugees, and probably clicking more random links than we ever did before on websites we've never seen before. This whole experience feels like the old internet, but also throws up insane red flags with a modern internet perspective. What are the cybersecurity weaknesses we should all be looking for, and what are the best practices?

Here's my reason for posting this. As I search for new communities across instances to follow, I sometimes end up clicking a link and I'm no longer logged in. In the corner, that could be a Sign In link or it could be phishing. It's likely due to me not understanding how to properly navigate this system, but there's nothing stopping someone from setting up a site like this as far as I know.

Thoughts?

[-] KoboldCoterie@pawb.social 49 points 1 year ago

If you're navigating to another community on their instance, you won't be logged in. When you're seeing that, check the URL. If you're on lemmy.ml, you're still on your instance; if not, you've navigated to that instance.

There are multiple ways to structure links, some of which will take you to that community via your instance, some not.

Could it be phishing? Sure. But far more likely, you're just on another instance where you don't have an account (or at least an active login).

[-] Artemis@sh.itjust.works 12 points 1 year ago

Do you mind giving a short explainer of proper link formatting? I was struggling with this just a little bit ago

[-] KoboldCoterie@pawb.social 21 points 1 year ago* (last edited 1 year ago)

If you link directly to the full URL (including the instance), you'll take anyone who clicks it to that instance, and they won't be logged in. This is usually not what you want. Example: https://pawb.social/c/tech - This link will take you to my instance.

If you remove the instance URL, and just leave /c/communityname@instance - for example, /c/tech@pawb.social - the link will still take you to the community, but you'll still be on your instance. This is usually desirable.

Basically, instance -> community = link to that instance. Community -> instance = link to the community in whatever instance the user clicks it in.

You can also use ! instead of /c/ - I think this might work better for Kbin users (since they use /m/ instead of /c/ - can't verify this). In that case, it'd be: !tech@pawb.social

[-] Azzu@lemm.ee 21 points 1 year ago* (last edited 1 year ago)

I won't get tired of posting this everywhere it applies :D

I made this userscript, which rewrites all links everywhere (not only on Lemmy) to always point to your home instance. So the link in your comment actually looks like this to me:

i.e. even though you tried to link to your instance, my script rewrote your link back to my instance so it's working fine :D

But of course I can still hover over the icon to see how your link originally looked:
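The link forms KoboldCoterie lays out above, and the rewriting Azzu's userscript does, as an added example (not code from the thread and not Azzu's script): it parses the absolute, /c/ and ! forms, produces the relative form that keeps a reader on their own instance, and answers the "check the URL" question from the top of the thread. The home instance lemmy.ml, the function names and the sample links are assumptions for the example.

```javascript
// Added example, not the userscript discussed in the thread. Home instance,
// function names and sample links are assumptions for illustration.
const HOME_INSTANCE = "lemmy.ml"; // assumed home instance (the one named earlier in the thread)

const NAME = "[A-Za-z0-9_]+";
const HOST = "[A-Za-z0-9.-]+";
const BANG_RE = new RegExp(`^!(${NAME})@(${HOST})$`);
const REL_RE = new RegExp(`^/c/(${NAME})@(${HOST})$`);
const PATH_RE = new RegExp(`^/c/(${NAME})(?:@(${HOST}))?/?$`);

// Parse any of the three community reference forms from the thread:
//   https://pawb.social/c/tech   absolute URL: clicking it leaves your instance
//   /c/tech@pawb.social          relative: stays on whichever instance you are on
//   !tech@pawb.social            bang form, same meaning as the relative one
// Returns { name, instance } or null when the text is not a community reference
// (post URLs, for example, carry instance-specific IDs and cannot be translated).
function parseCommunityRef(text) {
  let m = BANG_RE.exec(text) || REL_RE.exec(text);
  if (m) return { name: m[1], instance: m[2] };
  let url;
  try { url = new URL(text); } catch { return null; }
  if (url.protocol !== "https:") return null;
  m = PATH_RE.exec(url.pathname);
  if (!m) return null;
  // "/c/tech@pawb.social" on some host still means the community lives at pawb.social;
  // a bare "/c/tech" means it lives on the host in the URL.
  return { name: m[1], instance: m[2] || url.hostname.toLowerCase() };
}

// The relative form KoboldCoterie recommends: a link that resolves on the
// reader's own instance, so they stay logged in.
function toHomeLink(text, home = HOME_INSTANCE) {
  const ref = parseCommunityRef(text);
  if (!ref) return null;
  return ref.instance === home.toLowerCase() ? `/c/${ref.name}` : `/c/${ref.name}@${ref.instance}`;
}

// The "check the URL" advice as a function: would following this href land
// on a host other than the home instance (where a Sign In box is expected,
// and where typing your password would hand it to a different operator)?
function leavesHomeInstance(href, home = HOME_INSTANCE) {
  let url;
  try { url = new URL(href, `https://${home}/`); } catch { return true; }
  return url.hostname.toLowerCase() !== home.toLowerCase();
}

// Userscript-style pass: every community link that would leave the home
// instance is rewritten to the same community viewed through the home instance;
// anything else (same-instance links, post URLs, unrelated sites) is left alone.
function rewriteLinks(hrefs, home = HOME_INSTANCE) {
  return hrefs.map((href) => {
    const rel = toHomeLink(href, home);
    return rel && leavesHomeInstance(href, home) ? `https://${home}${rel}` : href;
  });
}
```

In a real userscript, rewriteLinks would be fed the hrefs of the page's anchors; here it takes plain strings so the logic can be exercised without a DOM. Post links are deliberately left unchanged because, as noted further down the thread, post IDs are instance-specific and there is no known translation between instances.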

[-] BlueEther@no.lastname.nz 7 points 1 year ago

I have to say that @Azzu@lemm.ee's script is fantastic. I've been using it for a few days now (I have another bug report for you, @Azzu@lemm.ee).

[-] Staden_@pawb.social 5 points 1 year ago

Would be nice if third party apps implemented that functionality.

Or if there were bots that automatically identify those external links and reply to them with a link to the community/post in other popular instances.

[-] KoboldCoterie@pawb.social 1 points 1 year ago

That is very useful! Installed!

[-] Scientician@waveform.social 1 points 1 year ago

This is great, and would make for a super useful Firefox extension.

[-] Azzu@lemm.ee 2 points 1 year ago

Why would or should this be a Firefox extension when it already runs perfectly well on Firefox?

[-] Scientician@waveform.social 1 points 1 year ago

I guess I've never run scripts in Firefox.

[-] Azzu@lemm.ee 3 points 1 year ago* (last edited 1 year ago)

As soon as you've installed your preferred user script extension like Violentmonkey it's as simple as installing addons, you just click the "install" link on the script's page.

There are lots of different useful ones.

[-] h34d@feddit.de 1 points 1 year ago

I'm curious, is there an advantage of running a script over an add-on? Like is it faster or takes less resources? Or did you just happen to code it like that? Not complaining though, it's been working great for me so far.

[-] Azzu@lemm.ee 3 points 1 year ago

The advantage is I don't have to learn how to build an addon. It just runs code which I already can write. There's also the advantage that any browser can run JavaScript. Idk if any browser can run Firefox (or whatever) extensions.

[-] Artemis@sh.itjust.works 6 points 1 year ago* (last edited 1 year ago)

Thanks for the explainer! Doing some testing cause your example didn’t hyperlink on Memmy

c/tech@pawb.social /c/tech@pawb.social !c/tech@pawb.social !tech@pawb.social test text /c/tech@pawb.social /c/Lemmy@lemmy.ml

Weird. Not sure when your example didn't link, because it did in my comment ¯\_(ツ)_/¯

Edit: I'm back on browser. Everything that hyperlinked works properly. It's a Memmy issue

[-] Artemis@sh.itjust.works 4 points 1 year ago* (last edited 1 year ago)

Okay I learned a few things, though they may be specific to Memmy.

  1. The /c/community@instance works, and opens the links in the app, rather than browser
  2. If you have text in front of your link, it doesn’t work. Might be a Memmy issue.
  3. I need to test, but ~~I think #2 is responsible for the Null errors I’ve been getting when text is hyperlinked.~~

Text testing #3 - confirmed, this returns the Null error.

Now without prior text

test - this also didn’t work

test! - using a link beginning with ! also didn't work. Hmm.

[-] Bruce@lemmy.ml 2 points 1 year ago* (last edited 1 year ago)

I love the "show source" button which gives access to how the tests are made.

[-] SurpriseWaterfall@sopuli.xyz 1 points 1 year ago

Is there a similar way to handle linking to specific posts? I think all post urls are unique to that specific instance and I haven't seen any way to do a translation between instances.

[-] KoboldCoterie@pawb.social 1 points 1 year ago

I don't believe there is, because as you note, post IDs are instance specific. I'd be very interested in knowing how to do it, too, though, if there is in fact a solution.

[-] DeadlineX@lemm.ee 1 points 1 year ago

So just out of curiosity, since you're the first person I've seen actually point out optimal linking with the ! symbol, I have to ask how you pronounce it. For me, ! will always be "bang", so I'm just curious what the pronunciation is.

[-] KoboldCoterie@pawb.social 3 points 1 year ago

I use "Bang", too, if I'm trying to verbally say it, though... that very rarely comes up. If I'm reading it, I don't internally "pronounce" the symbol at all. If it was verbal, though, the above link would be bang tech at pawb dot social.

[-] DeadlineX@lemm.ee 1 points 1 year ago

Thanks! That’s interesting. On Reddit I would internally ignore r/{sub} and I’d pronounce it in my head and out loud as sub. I think I’m just conditioned to be cognizant of !

I suspect that the c/ notation will become more popular if we see a massive influx of Reddit users, and I’ve heard one of the instances (I think lemmy.world) doesn’t like the bang notation so that may also cause issues. Although if kbin uses m/ instead of c/ maybe will stay more popular. I’ve seen both but !community@instance seems most frequent.

[-] Inductor@feddit.de 11 points 1 year ago* (last edited 1 year ago)

As far as I know, there are a few different link formats, and how well they work depends on which frontend you're using:

EDIT: At least using the web app, the first link is relative, and the others are not. So I think the correct format would be /c/<community>@<instance> for communities outside your instance.

[-] Artemis@sh.itjust.works 4 points 1 year ago

Those opened in the in app browser on Memmy. Testing here

/c/amateur_radio@lemmy.radio

[-] soupspoon@lemmy.world 1 points 1 year ago

The formatting !community@instance should let a user click through but still be logged in on their own instance, so that you can still read posts, vote and comment. If that doesn't work, you can try entering that same thing into your instance search bar, or in your browser enter https://your instance/c/community@theirinstance

It should all get a lot smoother as this platform is developed!

I haven't tried linking to a specific post on another instance, so I'm not sure of that formatting hmm

[-] Scientician@waveform.social 3 points 1 year ago

Like I said... Most likely legit, but these issues will arise. This whole Fediverse thing feels like the first big thing to happen for whatever comes next. Which is great, but it would be foolish to think scammers, with modern tools, won't try to exploit it. We all have some internet hygiene to figure out.

[-] kaseijin@lemmy.world 41 points 1 year ago

Third party apps present a username and password field to log into a Lemmy instance. They can easily just steal your credentials. There are standard auth flows to solve this problem. The fact that Lemmy devs have willfully ignored this issue for years, and that they aren't warning users not to trust third party apps, leads me to believe they don't really care about security, which is the biggest red flag. There's finally an open github issue that seems to be acknowledged, but it'll be some time before this feature gets implemented (if ever).

-Posted from a third-party app; yeah, I gave them my password blindly.

[-] Ech@lemmy.world 10 points 1 year ago

There's finally an open github issue that seems to be acknowledged, but it'll be some time before this feature gets implemented (if ever).

Fwiw, the devs seem quite open to (even directly requesting) people coding features they want and having them added into the main code in future versions. So if anyone is able and willing to make a working version of that for Lemmy, it could be added quite soon, really.

[-] czarrie@lemmy.world 1 points 1 year ago

I suspect what will happen with the Federated universe as a whole is what happened to Linux - companies will start using the products, contribute to them, and it becomes this weird corporate/open source hybrid as the main devs, however good, simply won't have the same level of resources as say FAANG to throw at these problems

[-] 98codes@lemm.ee 8 points 1 year ago

All the more reason to not reuse passwords, use a password manager, and turn on 2FA.

[-] Ziggurat@sh.itjust.works 14 points 1 year ago

A big one I see is that if you join any instance, it's someone else's computer. Not different from Meta/Reddit. But the probability that among all the instances there is one imposter who wants to steal your credentials is non-zero.
As usual, don't use the same password everywhere.

[-] czarrie@lemmy.world 1 points 1 year ago

Yeah, having big companies run everything was terrible but at least you had like, a team of peeps whose job it was to make sure that the whole company didn't implode due to a breach (because they would at a minimum be out of work or worse never get a job in the field).

[-] stevedidWHAT@lemmy.world 1 points 1 year ago

I don’t understand what the point of making more than one account really is if we can view and post to or from any community or instance

[-] anonymoose@lemmy.ca 3 points 1 year ago

It's not really required, but it does have its uses. For instance, if your instance is down or under heavy load, you could log in from another instance. Also, if your home instance has defederated other instances you are interested in, you can log into an alt to view content from them, etc.

[-] Scientician@waveform.social 2 points 1 year ago

If you want to see Beehaw you need a separate account as far as I know since they defederated.

[-] Cethin@lemmy.zip -2 points 1 year ago

They don't mean don't use the same password for other accounts on Lemmy, they mean don't use the same password for other accounts period. Use a password manager or something, and generate a new password for each account. If you use the same one across different services, if one gets hacked they have access to all of them that used the same credentials.

[-] gvasco@discuss.tchncs.de 11 points 1 year ago* (last edited 1 year ago)
  • Use a mail forwarding service to generate disposable e-mails used to sign up, if you accidentally give it to someone else it doesn't expose any other accounts and can be easily replaced by a new one.
  • Use a password manager to ensure a strong and unique password.
  • Use a JavaScript blocker so you only allow the required JavaScript to make the website work and prevent automatic downloads.

I've been doing these in general recently and it's good privacy and security practice. I'm also slowly replacing my main e-mail address in different service accounts with disposable forwarding e-mail addresses.

Edit: Other than that read a bit more about Lemmy and fediverse workings, verify what instance you're viewing and navigate to the desired community via your instance as others have mentioned.

[-] henfredemars@infosec.pub 7 points 1 year ago* (last edited 1 year ago)

I would like to underline and insist on using unique passwords. Many users like myself are joining small instances to get better performance and reduce the strain on the main servers, but anyone can spin up an instance and then poof, your password is gone if they can get you to sign up!

This was always the case for normal websites on the internet however. I strongly recommend everyone use a good password manager to prevent one breach from cascading into a breach of all your accounts. It's good OPSEC.

Also, check which instance you're signing into before you give them your password. Accidentally trying to log into the wrong instance with an account for a different instance is the same as handing them your password. A community could easily be hosted on some tiny server somewhere by a guy named Joe and do you trust him with your password?

[-] deadsuperhero@lemmy.ml 10 points 1 year ago

Honestly, I think the #1 problem to be concerned about right now is that there a lot of people self-hosting for the very first time, that maybe don't really have much experience with hosting or moderation. It's tough! There can be a lot of drama, random software failures, lost data, and disappointments that can happen. An instance can go under at random, at any time.

It sounds bad. In practice, the day-to-day can be fairly smooth sailing. A lot of people just kind of need the experience, and need to make sure they're not the one person moderating thousands of people on a server. Making sure that moderation is a community effort, that the server has backups, and that there are channels for donations to support the instance - those things go a long way towards long-term stability.

[-] em2@lemmy.ml 5 points 1 year ago

You're likely no longer logged in because you visited another instance. For example, if I'm browsing from lemmy.ml but click on a link to !baking@kbin.social, now I'm on kbin and not Lemmy.

What you can do from your instance is go to your browser, paste the magazine or community url into the search bar, then subscribe from their sidebar.

[-] TheHalc@sopuli.xyz 3 points 1 year ago

I understand why this happens, but I consider this a usability issue that the Lemmy devs should try to resolve. It's not an easy problem to solve, though.

Federation is great, but it does tend to make certain interactions more complex. If Lemmy wants to retain normal users and not just highly motivated and/or technically adept people, the UX issues federation introduces need some serious work.

[-] ShittyKopper@lemmy.w.on-t.work 4 points 1 year ago* (last edited 1 year ago)

There seem to be a fair number of admins who just run the Lemmy Ansible installer expecting to magically have an instance, with no idea what they're getting themselves into.

I wonder how many small Lemmy instances exist right now that have SSH password auth (or god forbid root login of any kind) enabled.

[-] Scientician@waveform.social 1 points 1 year ago

This is my fear. A huge wave of newbs (myself included) all out here trying to figure it out. It feels like a hacker playground.

Does DEFCON have a fediverse hacking competition this year?

[-] perviouslyiner@lemm.ee 1 points 1 year ago

The email requirement seems like a cybersecurity problem - usernames aren't really associated with real people so this just leads to a lot of accounts having mailinator as the password reset email.

this post was submitted on 04 Jul 2023
124 points (97.0% liked)
