I noticed that there were some accounts that were hijacked by the instance owners. All the posts from that user were then edited to say what happened.

This kind of surprised me, I figured instances could delete posts, but not edit them. So how much control do they have?

I assume they can’t see my password (hopefully). Can they post in my name? Do they have all the access to my posts to foreign instances that they do over local posts?

Edit: thanks for all the responses everyone! I’ve wanted my own instance for a while, but maybe I’ll get on it now

    • DavyJones@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Sure but you can also post your public key somewhere else for people to verify.

      Or instances could store public keys of users from other instances, sorta like blockchain validation.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        Public/private keys are already part of the ActivityPub validation mechanism. Every user/community/server has their own unique keys.

        Your public key is:

        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6yo7z/lmj/W1G5+/FnIg\nVqqLWq/h5MU88eUB6DaJkEqaz0hTslG21MaMT0KmgAnef0PwvchnPDryIUKXHY6z\nk34KakBUpgZWbGEeqm0r4YdRVHU5a+l8Rbb4lH5pp0I1IdiGftMYuYcON92V8F8H\n4VRKMNe8kCwk8VbVovigqrNW288juqAeXNG9xanNE3a5Bjke6+HlG0fa1lU2xoIL\nevpqA85Xf/sd0qhrk4gt4Lqcwp7bNt6liDNubAnWRjeDbL8hmbkz/D047Ffw/zD8\nfdfkgPepF2YshvtuudhdKaAfM4fG0X+L+D0ujHdQZUMj89lRRRxT0TmzQniIyHJj\nAQIDAQAB
        -----END PUBLIC KEY-----
        

        I found it using this command: curl -H "Accept: application/activity+json" https://lemmy.dbzer0.com/u/DavyJones

        This key is stored and under the control of your server admin, of course. It mostly exists to protect other people from impersonating you in the federated network.

        There’s no reason why you couldn’t just wrap the messages you post in a PGP signature, though.