Description
In discussing #518 a potential security issue was identified, where exposing the items in a collection opens the possibility for anyone to deliver to those items.
The relevant text on the outbox delivery algorithm:
If a recipient is a Collection or OrderedCollection, then the server MUST dereference the collection (with the user's credentials) and discover inboxes for each item in the collection. Servers MUST limit the number of layers of indirections through collections which will be performed, which MAY be one.
The scenario looks something like this:
- Alice publishes a Collection containing some actors, and the items are exposed when dereferenced.
- Bob addresses Alice's Collection, and POSTs that activity to Bob's outbox.
- Bob's outbox naively and exactly follows the outbox delivery algorithm described in ActivityPub.
- Bob's outbox dereferences Alice's Collection using Bob's credentials.
- The dereferenced Collection has items with inboxes, so Bob's outbox considers those inboxes for delivery and dutifully POSTs the resulting activity to those inboxes.
Crucially, Alice never considered, when maintaining and publishing the Collection, that anyone can address that Collection, and provided that they can see its items, anyone can likewise deliver to those items without Alice's involvement.
From Alice's perspective, Alice now has to reconsider making Alice's followers publicly known. If Alice's followers collection is publicly known, then anyone can address Alice's followers and spam them. However, if Alice's followers collection does not expose its items, then delivery to that collection must happen through someone who knows the items (i.e. usually Alice at least).
More generally, anyone publishing a Collection resource SHOULD consider the ramifications and consequences that naive outbox delivery is an avenue for spam. Likely, the items of a Collection SHOULD be private by default, if any sort of control over delivery is to be expected.
The proposed advice would allow delivering agents to be more mindful of potential spam by effectively only allowing delivery to Collections owned by or accessible by the current actor. In other words, if a Collection is exposed but not owned by the current actor, direct delivery might be disallowed, and inbox forwarding should be utilized to reach the private items.
This is effectively a question of separating concerns. If Alice publishes a collection that, when fetched with Bob's credentials, provides a dynamic and partial response (i.e. Bob can only see certain items in the Collection), then Bob might attempt delivery to those items, but only Alice can attempt delivery to the full items. Therefore, it is better and simpler to always expect Alice to attempt delivery, rather than to have Bob attempt what might be a partial delivery (and thus potentially leading to duplicate deliveries).
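The two delivery strategies side by side, as an added example that is not part of the issue, the ActivityPub specification, or any real implementation. Network fetches are replaced by an in-memory object graph (all IRIs and objects below are constructed), the "user's credentials" are modelled by passing the sender's IRI to the fetch, and collection ownership is read from `attributedTo`, which is an assumption: the spec defines no ownership field for collections. `naive_inboxes` is the outbox delivery algorithm as written; `hardened_delivery` applies the proposed rule of expanding only the sender's own collections and handing everything else to the owner's inbox for inbox forwarding.

```python
MAX_COLLECTION_DEPTH = 1  # the spec's "MUST limit the number of layers ... which MAY be one"

ALICE = "https://a.example/alice"
BOB = "https://b.example/bob"
CAROL = "https://c.example/carol"
DAVE = "https://d.example/dave"

# Constructed object graph standing in for the network. Alice's followers
# collection exposes its items to everyone (the problem case); her
# "close-friends" collection only reveals items to Alice herself.
OBJECTS = {
    ALICE: {"type": "Person", "id": ALICE, "inbox": ALICE + "/inbox"},
    BOB: {"type": "Person", "id": BOB, "inbox": BOB + "/inbox"},
    CAROL: {"type": "Person", "id": CAROL, "inbox": CAROL + "/inbox"},
    DAVE: {"type": "Person", "id": DAVE, "inbox": DAVE + "/inbox"},
    ALICE + "/followers": {
        "type": "Collection", "id": ALICE + "/followers",
        "attributedTo": ALICE, "items": [CAROL, DAVE],
    },
    ALICE + "/close-friends": {
        "type": "OrderedCollection", "id": ALICE + "/close-friends",
        "attributedTo": ALICE, "orderedItems": [DAVE],
    },
}
# Constructed visibility policy: these collections serve items only to their owner.
PRIVATE_COLLECTIONS = {ALICE + "/close-friends"}


def fetch(iri, as_actor):
    """Stand-in for an authenticated GET made with as_actor's credentials
    (a real server would sign the request). Applies the visibility policy."""
    obj = OBJECTS.get(iri)
    if obj is None:
        return None
    if iri in PRIVATE_COLLECTIONS and obj.get("attributedTo") != as_actor:
        # Requester is not the owner: return the collection without its items.
        return {k: v for k, v in obj.items() if k not in ("items", "orderedItems")}
    return obj


def is_collection(obj):
    return obj.get("type") in ("Collection", "OrderedCollection")


def collection_items(obj):
    return list(obj.get("items") or obj.get("orderedItems") or [])


def naive_inboxes(recipients, as_actor, depth=0):
    """The outbox delivery algorithm as written: dereference every recipient
    with the sender's credentials and expand any collection whose items the
    sender can see, up to MAX_COLLECTION_DEPTH layers of indirection."""
    inboxes = set()
    for iri in recipients:
        obj = fetch(iri, as_actor)
        if obj is None:
            continue
        if is_collection(obj):
            if depth < MAX_COLLECTION_DEPTH:
                inboxes |= naive_inboxes(collection_items(obj), as_actor, depth + 1)
        elif "inbox" in obj:
            inboxes.add(obj["inbox"])
    return inboxes


def hardened_delivery(recipients, as_actor):
    """Proposed rule: expand only collections the sender owns. For anyone
    else's collection, queue the activity for the owner's inbox instead and
    rely on inbox forwarding, so the owner (who sees the full item list)
    performs the delivery. Returns (direct_inboxes, forward_inboxes)."""
    direct, forward = set(), set()
    for iri in recipients:
        obj = fetch(iri, as_actor)
        if obj is None:
            continue
        if not is_collection(obj):
            if "inbox" in obj:
                direct.add(obj["inbox"])
            continue
        owner = obj.get("attributedTo")  # ownership heuristic (assumption)
        if owner == as_actor:
            # One layer of indirection is consumed by this collection itself.
            direct |= naive_inboxes(collection_items(obj), as_actor, depth=MAX_COLLECTION_DEPTH)
        else:
            owner_obj = fetch(owner, as_actor) if owner else None
            if owner_obj and "inbox" in owner_obj:
                forward.add(owner_obj["inbox"])
    return direct, forward


if __name__ == "__main__":
    # Bob addresses Alice's public followers collection from his own outbox.
    print("naive, Bob -> followers:   ", sorted(naive_inboxes([ALICE + "/followers"], BOB)))
    print("hardened, Bob -> followers:", hardened_delivery([ALICE + "/followers"], BOB))
    # Partial visibility: Bob cannot see close-friends, Alice can.
    print("naive, Bob -> close-friends:  ", sorted(naive_inboxes([ALICE + "/close-friends"], BOB)))
    print("naive, Alice -> close-friends:", sorted(naive_inboxes([ALICE + "/close-friends"], ALICE)))
```

Under the naive algorithm Bob's server posts straight to Carol's and Dave's inboxes with no involvement from Alice, which is the spam avenue the issue describes; for the private collection Bob's attempt silently delivers to nobody while Alice's reaches Dave, the partial-delivery case. Under the hardened rule Bob's server sends only to Alice's inbox, and Alice's own outbox still expands her collections in full.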
tldr
Safety consideration
More generally, anyone publishing a Collection resource SHOULD consider the ramifications and consequences that naive outbox delivery is an avenue for spam. Likely, the items of a Collection SHOULD be private by default, if any sort of control over delivery is to be expected.
it is better and simpler to always expect Alice to attempt delivery, rather than to have Bob attempt what might be a partial delivery (and thus potentially leading to duplicate deliveries).