The Challenges and Pitfalls of The Fediverse

Think Usenet or FidoNet

If you’re old enough to have used computer back in the 80’s or 90’s, you might be well aware of the two mentioned in the title. Usenet was a program that was distributed using the NTTP protocol for running a type of threads forum, where messages were relayed to anyone subscribed to these threads. Control was still dominated by the centralized host, called nodes, which relayed these messages via FidoNet, a network of dial-up computers calling one another at certain times through out the day to relay email and messages between Bulletin Board Systems (BBS).

The problem was still the same as the Fediverse, those who ran nodes controlled who could and couldn’t send messages. SysOps, or System Operators (those who ran and owned the BBS you dialed into) could read your unencrypted emails, send direct replies to you, or just ban you if you didn’t “fit”.

You’ve Got Mail

If you ever wanted to know what’s the longest lived federated network, email is the one that comes to mind. You as a user, lived on an email server where you could send and receive electronic mail from either people on the same email server or anywhere else connected to the internet (via relay).

Email originally was only used to send messages from one user to another on the same machine. Then an additional protocol was added to allow sending emails through a network from one machine to another. FidoNet had its own additional set of routes for sending emails.

Once DNS became a thing, using the authority of Top Level Domains and domain names, email could be passed between servers accepting emails from users from a valid domain name of the TCP/IP protocol via the internet. And so, modern email was born.

A simple set of protocols for who owns what domain name and the email server for who is this username is basically the same type of principle that the fediverse is today. Most people do not run their own email servers and mostly use a free provider either from a major player like Google or Microsoft, or one provided to them via their ISP.

And if you’re crafty (crazy?) enough to run and host your own email server, you’ll know just how challenging it is today. Believe me, I ran an email server for over a decade, both Windows Exchange and postfix.

For those not in the aware, you have more or less the following:

  • Spam – Need I say more about the endless amount of spam?
  • Spoofing – Due to a variety of means, spoofing someone’s address does still happen.
  • Blacklisting – Not only does the spam or spoofing effect the end user, but it can ban/block a legit email server.
  • Authentication – There are a few different methods for authenticating one’s self for sending or receiving emails.
  • DNS – Ye old following the correct protocols for sending/receiving email besides just the correct A address for your MX lookup like DMARC, DKIM, SPF, TXT…

I don’t want to digress from the topic at hand but you get the idea that there is a lot to know about running an email server. I won’t even touch on the security of the email software like running an open relay server or wildcard email addresses.

But just like email, the Fediverse is going to run into the same problems. You’ll have issues with spam, issues with the hosting providers, how to authenticate who is actually who. Malicious attempts at phishing, spoofing, etc will all be somewhat similar and we will need similar tools to combat it, sooner than later.

And here’s the rub with email. Today, there is only a handful of major players or gate keepers of email and they dictate who can and can’t play. Back in the 90’s, if you had the means, you could run your own email server. Believe it or not, FidoNet ran open email relays, something unheard of today due to spam and spoofing. And I’m not talking about your ISP blocking port 25 for sending/receiving email via the SMTP protocol, I’m just talking about barriers like Google blacklisting your email server ip address just because.

So I’ll sum it up below but the pains and growths that Mastodon is soon to face and will have to have a solution to survive:

  • There will come a day when a major Mastodon server goes offline or the data is lost. It will become apparent to users that there is no cloud scaling backup or billion dollar corporation to bail it out and will need to start completely over, user count and all.
  • Sooner or later, the spam and spoofing will start to take hold when Mastodon reaches the hockey stick level of growth. I’m not even saying it’s a bad thing, it shows that Mastodon has a future. But it’ll need to way to figure out how to deal with it. Do we use bloom filters?
  • Authority. As it stands, for most users anyway, there is a trust of knowing who is who. There is no main “index” in a sense of lookup all users and trying to find someone. Without a way for an authority check, this is going to make spoofing a major concern. The best outcome is major corporations run their own certified Mastodon server using their domain name, like
    • Again though we’re relying on individuals who click on shoddy emails thinking its from a legit source to know how to validate a domain name and know the user they are following really is the Microsoft News account.
    • This will rely on creating a client side validation protocol as in a public/private key to validate the user you’ve looked up is not only valid, but the correct authority over X domain.
  • Beware of the major player moving in like Meta or Google offering free accounts. Sure, it’s going to be robust and trusted, but if the player becomes dominate enough, you’ll end up with a gatekeeper on who can connect to who (Just like email). Want to setup your own Mastodon server and talk to Google users, too bad, Google has by default blocked your instance because your not a fortune 500 company.
  • Running your own server will have challenges besides technical, like legal issues with hosting pirated, offensive, or illegal content. You’re going to want to run a few things by a lawyer if you plan to run your own open instance. Your ISP might not like the content found on your server either and a simple DMCA request is going to have you working overtime to not have your instance pulled.
  • Running your own single user, in-house server might alleviate some of the issues above but it’ll open the door for others like being DDoSed or your ISP blocking port 80/443.

In the end I’m not trying to doom and gloom the Fediverse, but in its infancy, it has a long way to go. Here’s looking to the future.