What you need to know for your security and privacy • Graham Clewley
Mastodon is hot right now. After a few years of geek-only use (yes, I’ve had an account for a while now), it’s on the cusp of becoming mainstream… all because of two words:
Elon Musk’s purchase of Twitter, his erratic announcements and the firing of many of the site’s employees have sent shockwaves through the Twitter community, who are concerned about how the service might change.
So what is the alternative? Many consider Mastodon a good new home. It’s free and: Ad-free, it doesn’t use your data, it’s decentralized (which means, unlike Twitter, there’s no one organization or mad-monkey-angry billionaire in charge of your content).
It’s entirely possible, if you’re crazy enough and want the work of maintaining a web server, to create your own Mastodon “instance” (the name Mastodon users usually use for the server) and be able to talk to anyone on Mastodon.
Compare this level of control to your traditional social networks like Facebook or Twitter, which control what you can see on your timeline, mine your personal data, and bombard you with targeted ads.
Mastodon is not like that.
You might even want to follow me on Mastodon eventually. me @[email protected].
But what I want to do in this article is to outline some of the security and privacy considerations you should make if you’re going to start using Mastodon.
Passwords in Mastodon
Choose a strong, unique password for your Mastodon account. That means making sure you don’t use the same password elsewhere on the Internet, and one that a friend, family member, colleague, or hacker can’t guess with access to 100 million of the most popular databases. – passwords used.
Ideally, you should use a password manager like Bitwarden, 1Password, or LastPass to generate and store your passwords securely for you. I couldn’t tell you what my Mastodon password is because I don’t know it. My password manager remembers it for me on my behalf.
Two-factor authentication in Mastodon
Having a strong password is the first step, but I also recommend enabling two-factor authentication (2FA).
After enabling 2FA, not only will you be prompted to enter your Mastodon username and password, but you’ll also be prompted for a two-factor code. This is a time-based one-time password that can be generated by your phone’s authentication app.
The idea is that a hacker may have stolen or guessed your password, but they won’t know what the special code is.
Popular authentication apps that can generate your account codes include Google Authenticator, Duo, and Authy. Your password manager (you have one, right?) may also generate a 2FA token.
You enable 2FA protection on your Mastodon account by logging into the account you created on the Mastodon server website of your choice and selecting: Edit profile >: Account: >: Two Factor Auth.
Just follow the instructions there. You can also enable a hardware authentication key for additional physical security if you have one.
Direct messages on Mastodon
This is important because direct messages work differently on Mastodon than they do on Twitter.
Direct messages on Mastodon are not encrypted. They are stored in clear text on the Mastodon server. That means they can be read by whoever manages your Mastodon server. Furthermore, direct messages with users on other servers will be delivered to different servers and copies may be stored there.
To be fair, Mastodon does display a warning about this, but I wonder how many people will pay that much attention.
In short, if you want to tell someone something private, don’t use Mastodon. Use a more secure messaging system like Signal instead.
But there is more danger that can be associated with direct messages.
Imagine yourself are Having a direct message conversation with someone on Mastodon about a sensitive topic.
Maybe George and Paul are pranking Mastodon via direct message and one of them says, That bloody @Ringo”
Well, since @Ringo is mentioned in the chat, he now also sees a copy of the message. Oh, that’s awkward!
This would be especially dangerous if you contacted another Mastodon user to report abusive behavior. Suddenly your abuser knows you’re complaining about them.
That’s not how email works. Twitter direct messages don’t work that way.
(Apologies to Ringo for using your name in this example, peace and love man).
Verified users at Mastodon
As we all know, one of the pickles Elon Musk has gotten himself into on Twitter is “verified accounts.”
Verified Twitter accounts (those with the so-called “blue tick” — it’s actually a white tick on a blue background) used to be given out for free to public figures, celebrities, journalists, and the like who verified their identities. with Twitter.
They used to be free, too, but Musk seems eager to provide verified ticks to anyone who pays a monthly subscription for the privilege.
Its rights and wrongs are beyond the scope of this article, but what is important for Mastodon users to know is that it does not have a blue tick system.
Yes, Mastodon users can add a blue tick emoji (or an elephant, or an eggplant… the list is pretty much endless) to the end of their username if they want, but that doesn’t mean they’re verified.
But what Mastodon does is let you check for yourself.
Here’s how Mastodon describes the process:
Mastodon may cross-reference the links in your profile to prove that you are the actual owner of those links. When one of those links is your personal homepage, which is known and trusted, it can serve as the next best thing to identity verification.
If you put a link in your profile metadata, Mastodon checks to see if the linked page links to your Mastodon profile. If so, you get a check mark next to that link because you’re verified as the owner.
I have posted a link to my Mastodon account on this site (grahamcluley.com). To figure out what link to post, I logged into the account I created on my chosen Mastodon server website and navigated to Edit profile >: External view.
In my case, the link I put on grahamcluley.com is:
<a rel="me" href="https://
And I also put a link on my Mastodon account profile to grahamcluley.com. Mastodon checks that the two point to each other and displays a green tick against the corresponding link.
Anyone who wants to verify that the Mastodon account [email protected] belongs to the same Graham Cluley who runs grahamcluley.com can see that sign and know I’m the real deal.
And now I’ll give you a real example of why this is important…
Be careful about following popular/popular pages on Mastodon
As I said at the beginning, Mastodon is hot right now. Most of the users are completely new to the site and still don’t know about the dangers. Furthermore, many celebrities and public figures may not have confirmed their presence at Mastodon yet.
So if you see a Mastodon account for someone famous, always check if their profile contains a verified link to their official website.
It’s child’s play when someone creates a fake account with a famous person’s name and then uses it to spread misinformation, cryptocurrency scams, or malicious links. It would be much more difficult for fraudsters to add a verified link from an account to a celebrity’s official website.
More to say
There’s probably a lot more to say about how to be safe and secure on Mastodon, but most of it applies to *every* website you put on the internet. Be wary of shared links, don’t trust everything you read, never share your password, beware of phishing, and more.
As Mastodon becomes more popular, it’s almost inevitable that scammers, cybercriminals and fraudsters will try to exploit unsuspecting users.
Take care of yourself and any friends who are embarking on Mastodon and if you have any questions too follow me on Mastodon! or leave them below.
#security #privacy #Graham #Clewley