Mastodon: What you need to know for your security and privacy

Mastodon is hot right now. After some years of only being used by geeks (yes, I’ve had an account for a while now) it’s at the tipping point of becoming mainstream… all because of two words:

Elon Musk.

Elon Musk’s purchase of Twitter, his erratic pronouncements, and the layoff of many of the site’s staff, has sent shockwaves through the Twitter community who are concerned about how the service might change.

So what’s the alternative? Many consider Mastodon to be a good new home. It’s free and ad-free, it doesn’t mine your data, it’s decentralised (which means that – unlike Twitter – there’s not one entity or crazy-ape-bonkers billionaire in charge of your content).

It’s perfectly possible – if you’re nerdy enough and fancy the job of maintaining a web server – to create your own Mastodon ‘instance’ (the name Mastodon users commonly use for a server) and be able to talk to anyone else on Mastodon.

Compare this level of control to your traditional social networks like Facebook or Twitter which control what you get to see in your timeline, mine for your personal data, and bombard you with targeted ads.

Mastodon isn’t like that.

If you’re interested in joining Mastodon, you can learn more about it here, or watch a video explainer.

You may even want to eventually follow me on Mastodon. I’m @[email protected].

But what I want to do in this article is mention some of the security and privacy considerations you should make if you’re going to start using Mastodon.

Passwords on Mastodon

Choose a strong, unique password for your Mastodon account. That means ensuring that you’re not using the same password elsewhere on the internet, and one that can’t be guessed by a friend, family member, co-worker, or hacker with access to a database of 100 million of the most commonly-used passwords.

Ideally you should be using a password manager like Bitwarden, 1Password or LastPass to securely generate and store your passwords for you. I couldn’t tell you what my Mastodon password is, because I don’t know it. My password manager remembers it for me on my behalf.

Two-factor authentication on Mastodon

Having a strong password is the first step, but I also recommend enabling two-factor authentication (2FA).

Once you have enabled 2FA, you won’t just be asked to enter your Mastodon username and password – you’ll also be asked for a two-factor code. This is a time-based one-time-password that can be generated by an authentication app on your phone.

The idea is that a hacker might have stolen or guessed your password, but they won’t know what the special code is.


Popular authentication apps that can generate codes for your account include Google Authenticator, Duo, and Authy. It’s possible your password manager (you have one of those, right?) also generates 2FA tokens.

You enable 2FA protection on your Mastodon account by logging into the account you have set up on your chosen Mastodon server’s website, and choosing Edit Profile > Account > Two-factor Auth.

Just follow the instructions there. You can also enable a hardware authentication key for additional physical security if you have one.

Direct Messages on Mastodon

This is an important one, as direct messages work differently on Mastodon than how they work on Twitter.

Direct Messages on Mastodon are not encrypted. They’re stored in clear text on the Mastodon server. That means that they could be read by whoever is administering your Mastodon server. Furthermore, direct messages with users on other servers will be delivered to those servers, and copies may be stored there.

In fairness, Mastodon does display a warning about this – but I wonder how many people will take that much notice.

In short, if you want to say something private to somebody – don’t use Mastodon. Use a more secure messaging system like Signal instead.

But there’s more danger potentially associated with direct messages.

Imagine you are having a direct message conversation with someone on Mastodon about a sensitive subject.

Maybe George and Paul are bantering via direct message on Mastodon, and one of them says “I’ll tell you who’s a twit. That bloody @Ringo”

Well, because @Ringo has been mentioned in the chat, he now sees a copy of the message too. Ouch, that’s awkward.

This would be particularly dangerous if you were communicating with another Mastodon user to report abusive behaviour. Suddenly your abuser knows you are complaining about them.

Email doesn’t work like that. Twitter direct messages don’t work like that.

(Sorry Ringo for using your name in this example, Peace and Love man!)

Verified users on Mastodon

As we all know, one of the pickles Elon Musk has got himself embroiled in on Twitter is “verified accounts.”

Verified accounts on Twitter (the ones with a so-called “blue tick” – it’s actually a white tick on a blue background) used to be handed out for free to public figures, celebrities, journalists and the like who had verified their identity with Twitter.

They also used to be free, but Musk appears to be hell-bent on doling out verified ticks to anyone who pays a monthly subscription for the privilege.

The rights-and-wrongs of that are outside the scope of this article, but what’s important for Mastodon users to know is that it doesn’t have a “blue tick” system.

Yes, Mastodon users can add an emoji of a blue tick to the end of their username if they wish (or an elephant, or an eggplant… the list is pretty much endless) but it doesn’t mean that they are verified.

But what Mastodon does do is let you verify yourself.

Here’s how Mastodon describes the process:

Mastodon can cross-reference the links you put on your profile to prove that you are the real owner of those links. In case one of those links is your personal homepage that is known and trusted, it can serve as the next-best-thing to identity verification.

If you put a link in your profile metadata, Mastodon checks if the linked page links back to your Mastodon profile. If so, you get a verification checkmark next to that link, since you are confirmed as the owner.

I have put a link on this website (grahamcluley.com) to my Mastodon account. To find out what link I had to put in, I logged into the account I have set up on my chosen Mastodon server’s website, and navigated to Edit Profile > Appearance.

In my case the link I have put on grahamcluley.com is: <a rel="me" href="https://mastodon.green/@gcluley">Mastodon</a>

And I have also put a link on my Mastodon account’s profile to grahamcluley.com. Mastodon checks that the two are pointing to each other, and displays a green tick against the appropriate link.

Anyone who wants to confirm that the Mastodon account [email protected] belongs to the same Graham Cluley who runs grahamcluley.com can see that tick, and know that I’m the real deal.
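As an added example (not code from the article or from Mastodon itself), here is a small Python checker that performs the same back-link test on a page’s HTML: it accepts rel="me" on both `<a>` and `<link>` elements (assumed to mirror Mastodon’s check), treats rel as a space-separated token list, and normalises URLs before comparing them. The sample page and the impostor.example account are constructed for the example.

```python
# Added example, not from the original article: check whether a web page
# links back to a Mastodon profile with rel="me", the signal that
# Mastodon's profile-link verification looks for. Standard library only.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalise(url: str) -> str:
    """Canonical form for comparison: lower-case scheme and host, no trailing
    slash, query string and fragment dropped."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path.rstrip("/") or "/", "", ""))


class RelMeParser(HTMLParser):
    """Collects href values of <a> and <link> elements whose rel list has 'me'."""

    def __init__(self) -> None:
        super().__init__()
        self.rel_me_links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        # rel is a space-separated token list, so "me nofollow" still counts
        rel = (a.get("rel") or "").lower().split()
        if "me" in rel and a.get("href"):
            self.rel_me_links.append(a["href"])


def links_back(html: str, profile_url: str) -> bool:
    """True if the page carries a rel="me" link to profile_url."""
    parser = RelMeParser()
    parser.feed(html)
    target = normalise(profile_url)
    return any(normalise(h) == target for h in parser.rel_me_links)


# Constructed sample homepage. The <link> in <head> and the first <a> both
# count; the second <a> lacks rel="me"; the third is rel="me" but points at a
# look-alike account on another (made-up) server, so it must not verify the real one.
SAMPLE_PAGE = """<html><head>
<link rel="me" href="https://mastodon.green/@gcluley/"></head><body>
<a rel="me nofollow" href="https://mastodon.green/@gcluley">Mastodon</a>
<a href="https://mastodon.green/@gcluley">no rel=me, does not count</a>
<a rel="me" href="https://impostor.example/@gcluley">look-alike</a>
</body></html>"""
```

A scammer can put a rel="me" link on their own page to anything they like; what they cannot do is add the matching link to the celebrity’s real website, which is why the check runs in both directions.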

And now I’ll give you a real-life example of why this matters…

Be wary of following famous/celebrity accounts on Mastodon

Like I said at the beginning, Mastodon is hot right now. Most users are brand new to the site, and don’t know the dangers yet. Furthermore, many famous people and public figures may not yet have established a presence on Mastodon.

So, if you see a Mastodon account for someone famous, always check to see if their profile contains a verified link to their official website.

It’s child’s play for someone to create a fake account in the name of a famous person, and then use the account to spread disinformation, cryptocurrency scams, or malicious links. It would be much much more difficult for a scammer to add a verified link from the account to the celebrity’s official website.

More to be said

There’s probably a lot more to be said about how to behave safely and securely on Mastodon, but much of it applies to *every* website you post to on the internet. Be wary of links that are shared, don’t trust everything you read, never share your password, be careful not to be phished, etc etc.

As Mastodon becomes more popular it is almost inevitable that scammers, cybercriminals and fraudsters will attempt to exploit unsuspecting users.

Take care of yourself and any friends who are venturing onto Mastodon, and if you have any questions either follow me on Mastodon or leave them below.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.
