13

I hear all this hype about Diaspora being decentralized, but the only information I can find on their official website and the Wikipedia article is that several people can run Diaspora servers. The main advantages of such decentralization are usually service availability and privacy.

As to the latter asset, the risk I'm worried about is malignant pods, run by data thieves or personal enemies. Is my data encrypted such that only my friends' pods can read it, or is it revealed to other pods as well? Is my data signed, or is there a risk of a malignant pod impersonating me?

When it comes to service availability: in which way does Diaspora ensure service availability? What would happen if a part of the network -- e.g. the diasp.org pod -- went offline?

Gilles 'SO- stop being evil'
  • I believe this question is on-topic since it concerns the security of the Diaspora protocol. –  May 14 '11 at 11:58
  • Besides this "How are authentication and authorization between pods and users done?" the rest is off-topic. – Phoenician-Eagle May 14 '11 at 13:01
  • Can you provide a link to this Diaspora stuff, since it's not exactly well-known? *Is* it a security protocol, or else how is the rest of the question security-related (as per @Phoenician-Eagle's comment)? – AviD May 14 '11 at 19:52
  • It would help to describe (as the faq notes) what sort of "security" you would like to see addressed. What assets, what threats, what vulnerabilities. Security against privacy leaks is quite distinct from security against DoS or impersonation or phishing, etc – nealmcb May 14 '11 at 19:56
  • @AviD: Sorry, I've edited in two links. Diaspora is such software that must contain a security protocol, and I'm wondering about its rough shape. –  May 14 '11 at 20:14
  • @nealmcb: I've structured the question to highlight the assets, risks and perpetrators. I think what I'm asking is clearer now. –  May 14 '11 at 20:17
  • @Tim, out of curiosity, have you tried posting to the guys building the Diaspora project your questions? I honestly fear that this Diaspora project is still not known enough to be answered by other than the founders! – Phoenician-Eagle May 14 '11 at 20:24
  • @Phoenician: I had not, but I did now. Thanks. –  May 14 '11 at 20:33

3 Answers

9

This page should clear things up: https://github.com/diaspora/diaspora/wiki/Prettygooddiaspora

Short summary of the page:

Diaspora is still a work in progress and they are not really sure how to proceed.

What they would like to have is PGP-encrypted messages everywhere, but they ran into implementation problems and put that aside for now.

What they now use is SSL-protected inter-pod communications, which means that the platform is protected against outsiders, but if a pod is compromised there are no more protections.

Also, as stated elsewhere, right now Diaspora is push-only and no mutual authentication takes place. What they would like to do is implement mutual server-to-server authentication so that they can also use pull methods.

john
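The difference the answer above draws between SSL-only inter-pod links and end-to-end protected messages, as an added example that is not part of the original answer and is not Diaspora's code. It assumes a toy shared-key encrypt-then-MAC scheme as a stand-in for PGP (the Python standard library has no public-key primitives); `Pod`, `e2e_seal`, `e2e_open` and `compare` are hypothetical names.

```python
import hashlib, hmac, os

# Constructed stand-in for PGP: author and friend share `key`; the pod does not.
def _keys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode as a keystream (toy construction, illustration only).
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def e2e_seal(key, plaintext):
    enc_key, mac_key = _keys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def e2e_open(key, blob):
    enc_key, mac_key = _keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload was altered after the author sealed it")
    return _xor_stream(enc_key, nonce, ct)

class Pod:
    """A pod after SSL termination: it handles the payload exactly as pushed."""
    def __init__(self, compromised=False):
        self.compromised, self.seen = compromised, []

    def relay(self, payload):
        self.seen.append(payload)        # everything the pod operator can read
        if self.compromised:             # the failure case named in the answer
            payload = payload[:-1] + bytes([payload[-1] ^ 1])
        return payload

def compare(post, key):
    pod = Pod(compromised=True)
    delivered_plain = pod.relay(post)                  # SSL between pods only
    delivered_sealed = pod.relay(e2e_seal(key, post))  # sealed by the author first
    try:
        e2e_open(key, delivered_sealed)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"pod_read_post_ssl_only": pod.seen[0] == post,
            "altered_post_accepted_ssl_only": delivered_plain != post,
            "pod_read_post_e2e": post in pod.seen[1],
            "tamper_detected_e2e": tamper_detected}
```

With SSL alone the recipient has nothing to check the delivered post against; with the sealed payload the same modification fails verification and the pod never holds the plaintext.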
1

I don't think the answers cover the most important thing about Diaspora. If you read up on their site, they ask you to choose any server in any country where they have a good data policy, which is already a good enough reason for me to join one of the pods NOT hosted in the US. Now here's the best part: if you don't trust any pod, you can host a pod yourself. Start up a DigitalOcean/Amazon container (better yet, I think they have a Docker image, so that's easy; if not, go PR yourself), and now you have your data, no one else. If you're into privacy, you shouldn't really trust a server, none at all; only the server you own and have access to you CAN trust, even though I'd set up a lot of measures to make sure it's not penetrated.

Now I already like Diaspora because it's decentralized, so no one is going to control information for themselves. And if I wanted to, I can set up a pod myself; it's not that hard.

0

The Diaspora pods require ImageMagick to be installed on the host, in order to process images uploaded by users. This itself should reveal how insecure Diaspora is. What's to stop me from running a pod and accessing all the images that come through my server?

Aaron
  • Of course, if you own a server, there's nothing anyone can do to stop you, obviously, unless the user encrypts things in his browser. – Nishchal Gautam Dec 22 '17 at 00:38