this post was submitted on 18 Nov 2025
332 points (98.0% liked)

Fediverse memes

2242 readers
81 users here now

Memes about the Fediverse.

Rules

General
  1. Be respectful
  2. Post on topic
  3. No bigotry or hate speech
  4. Memes should not be personal attacks towards other users
Specific
  1. We are not YPTB. If you have a problem with the way an instance or community is run, then take it up over at !yepowertrippinbastards@lemmy.dbzer0.com.

Elsewhere in the Fediverse

Other relevant communities:

founded 1 year ago
MODERATORS
BoozeOrWater@feddit.uk
flamingos@feddit.uk
Emperor@feddit.uk
wingsfortheirsmiles@feddit.uk
sga@feddit.uk
Mex@feddit.uk
sga@lemmings.world
sga@piefed.social
332
This should have end up differently (media.piefed.social)
submitted 2 days ago by Kierunkowy74@piefed.social to c/fedimemes@feddit.uk
37 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] Dave@lemmy.nz 2 points 1 day ago (3 children)

Regarding the media hosting, again it seems like something that could rely on a method of identifying the user request directly with their user account before responding to the request.

Yeah, so far it works to just check for a JWT in the cookie (regardless of what it is) to allow logged in users to bypass the rules. This works on Lemmy because the bots aren't specifically targetting Lemmy so they don't try to fake this (although if there were, just make an instance and our instances will send you all the data lol).

Alternately, and more securely, it could be a cryptographic handshake where the user’s home instance and the instance hosting the post generate a public key using their two private keys for the user, and the user provides the public key when making pull requests from the federated instance.

This is already basically how ActivityPub works for communication between instances. But the activities are one thing, it's the page loads that are the killer because of the database queries needed to compile a unique, sorted home page of subscriptions. You could block logged out users but that impacts many lurkers.

For media, that's difficult as media is often being loaded from a remote instance that doesn't know who you are, along with the problem that the media provider is not technically part of Lemmy (it's a separate service called pict-rs) so doesn't know if you're logged in. I'm not sure how that worked on PieFed or Mbin, but regardless you might not be logged in at all, and you should still be allowed to browse content.

Lemmy has a proxy option where the instance can fetch content from the other servers to provide to the user, which does get around this issue for logged out users. But the proxy caches the media, and when this happens you are now the host of whatever media is in any post that made it's way to your instance, along with all the legal risks that involves.

(edit: also I am in favor of finding methodologies that work whether CloudFlare is used by the instance or not, obviously CloudFlare has advantages but as we have seen also is a vulnerability of the network.)

All of the things being discussed around mitigations in Cloudflare are also possible to do without Cloudflare, but it just means setting it all up yourself. I'll just wait for someone smarter than me to build a tool I can host myself that does all this automatically, then I'll consider it πŸ˜…

[–] Cooper8@feddit.online 2 points 22 hours ago (2 children)

"you could block logged out users but that would impact many lurkers"

"regardless you might not be logged in at all, you should still be allowed to browse content"

Fundamentally, what I'm suggesting is a fork in the road. Either an instance admin can set up to eliminate scrapers by making the instance private to only registered users,

or they can maintain their instance as public and deal with more arcane methods to attempt to eliminate scraping.

The issue is that if the infrastructure isn't in place for the instance operator to decide to make their service private, then everyone is opted in to the Scrapers vs Countermeasures war with no alternative.

Privacy and encryption just work, it seems like not building the infrastructure to enable the network to function with them in place is a mistake.

To me, and to many users, what we want is fast load times, quick federation, and reliable service, all things that benefit from reducing traffic load to only registered users.

[–] Dave@lemmy.nz 1 points 20 hours ago (1 children)

Fundamentally, what I’m suggesting is a fork in the road. Either an instance admin can set up to eliminate scrapers by making the instance private to only registered users,

Yeah, it would require perhaps more changes (since instances newly subscribed to a community need the ability to ad hoc fetch content), but even just not showing the website when someone isn't logged in would probably make a big difference. That might be pretty easy, just redirect requests to load the web app (except the login page) to the login page, and exclude the API. Apps would still get logged out access but I doubt that's much of a problem compared to the website, since the bots seem to just be indiscriminately scraping web pages.

[–] Cooper8@feddit.online 2 points 19 hours ago

Definitely true.