A poll: are followers-only posts on Mastodon public?
(infosec.exchange)
from jdp23@lemmy.blahaj.zone to fediverse@lemmy.ml on 22 Nov 2023 04:08
https://lemmy.blahaj.zone/post/5667677
On Mastodon, followers-only posts are only visible to your followers – and to admins of any instances your followers are on. But if you haven’t turned on “approve followers”, anybody who’s logged in to an instance you haven’t blocked can follow you and get access to your followers-only posts.
In your view, are followers-only posts public?
The linked post is a Mastodon poll, and I’ll also put in replies here so that you can just upvote the ones you agree with!
Yes, followers-only posts are public – upvote if you agree!
No, followers-only posts are not public – upvote if you agree!
It depends if I’ve turned on “approve followers” – upvote if you agree!
I mean it’s pretty much the same as Twitter? All your posts are public* and anyone can follow you unless you activate the follower approval option. It’s the first thing I did when I created my Mastodon account. (And the first thing I did on Twitter as well.)
Public but not indexed and not in your public profile.
Viewable only by someone with a link to the post or thread.
On my instance, the following control measures apply:
So I think I have reason to feel fairly strongly that follower only posts are not public, and even unlisted posts are reasonably restricted.
Just a heads up: there's a Mastodon-specific community at https://lemmy.ml/c/mastodon that would be more appropriate for this post.
Hi there! Looks like you linked to a Lemmy community using a URL instead of its name, which doesn’t work well for people on different instances. Try fixing it like this: !mastodon@lemmy.ml
Thanks, it’s a good point!
Anything posted to “Social Media” in any way, I consider public. If you want privacy, you need something that’s directly one to one at least, ideally E2EE.
couldn’t a malicious instance or fork just ignore who is trying to access the data and show all the toots that have been federated at all? anything that can be retrieved by another instance is public
it’s kinda like when Steam asks for your age when looking at an M rated game