Junaid Bhura, a web developer in Melbourne, Australia, specializing in WordPress development.

ActivityPub: This ain’t it, Chief


Elon Musk’s purchase of Twitter makes no difference to me, but I’m extremely stoked about its unintended side-effect: People considering alternate platforms, and better yet, their own websites to share their thoughts.

The W3C’s official protocol for “federated” social media is called ActivityPub. With the W3C’s blessing, it is now an official web protocol, which means that it has widespread adoption.

This means that users on independent websites can now “talk” to each other by sending messages back and forth in a way that those websites can “understand”. Hundreds and thousands of these inter-connected websites have now become what is called the Fediverse.

Open source platforms like Mastodon and other services like micro.blog with totally different users can now talk to each other! This sounds pretty awesome. Looks like we’ve solved social media!

Except we haven’t!

The ActivityPub protocol sounds pretty cool, and me being me, I just had to try to come up with my own server built on it. A few sleepless nights later – it finally dawned on me:

ActivityPub is extremely inefficient, and an invitation for spammers!

Let’s tackle these one by one:

1. ActivityPub is inefficient

Let’s say you have a blog or a microblog or whatever, and you’ve decided to make it available to the Fediverse. You start to get popular, and you have a thousand people following you from hundreds of servers.

It’s now your job to send every one of those followers an update every single time you write a post. That’s right, your poor server has to notify a thousand people that you have made an update!

To make things even more inefficient, each sender has its own SSH key and each message to a receiving inbox has its own unique signature. So your server now has to not only send the message, but process its signature before doing so.

But worst of all, the message is sent to the receiver’s inbox directly, not the host. So let’s say that a big instance like mastodon.social has a thousand people following you. You make a simple status update like “I ate pie today”, and instead of you giving mastodon.social the update, you have to send every single one of the one thousand followers – all on the exact same server – a copy of the exact same message, and process a different signature for each one of them! Just a general status about pie, not aimed at anyone! And you wanted to reduce your carbon footprint.
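The per-inbox signing work described above, as an added example that is not part of the original post. It assumes the draft HTTP Signatures scheme with RSA-SHA256 that Mastodon-compatible servers use; the follower inboxes, the host name and the throwaway key are constructed, and nothing is sent over the network.

```php
<?php
// Added example: the signing cost of one post fanned out to 1000 inboxes.
// All inbox URLs and the key below are constructed for illustration.

// The string that gets signed names the target path and host, so it
// differs for every inbox even when the post body is identical.
function signing_string(string $inboxUrl, string $date, string $digest): string {
    $parts = parse_url($inboxUrl);
    return "(request-target): post {$parts['path']}\n"
         . "host: {$parts['host']}\n"
         . "date: {$date}\n"
         . "digest: {$digest}";
}

// Returns [inbox URL => base64 signature]; one RSA operation per inbox.
function sign_deliveries(array $inboxes, string $body, $privateKey): array {
    // The body digest is computed once per post, not once per follower.
    $digest = 'SHA-256=' . base64_encode(hash('sha256', $body, true));
    $date   = gmdate('D, d M Y H:i:s') . ' GMT';
    $signed = [];
    foreach (array_unique($inboxes) as $inbox) {
        openssl_sign(signing_string($inbox, $date, $digest), $sig, $privateKey, OPENSSL_ALGO_SHA256);
        $signed[$inbox] = base64_encode($sig);
    }
    return $signed;
}

$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$inboxes = [];
for ($i = 1; $i <= 1000; $i++) {
    $inboxes[] = "https://mastodon.example/users/follower{$i}/inbox";
}
$body = json_encode(['type' => 'Create', 'object' => ['type' => 'Note', 'content' => 'I ate pie today']]);

$start  = microtime(true);
$signed = sign_deliveries($inboxes, $body, $key);
printf(
    "%d signatures, %d distinct, %.2fs of signing for one post\n",
    count($signed),
    count(array_unique($signed)),
    microtime(true) - $start
);
```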

Also, why is it my job to inform all my followers that I have an update?

This is discouraging for people who want to host their own server and will ultimately drive people to create accounts on a third-party service. The protocol, in its current state, is for large hosts – not independent users. In other words, this is similar to hosting your own email server – not a blog.

Hey and by the way, did you know that changing your handle or domain on the Fediverse doesn’t automatically update your followers to your new one?

2. ActivityPub is an invitation for spammers

It is super easy to set up an Actor on ActivityPub. Add a link to your profile in .well-known/webfinger in the root of your server and this script:

<?php
header( 'Content-Type: application/json' );
echo json_encode(
	[
		'@context'          => [
			'https://www.w3.org/ns/activitystreams',
			'https://w3id.org/security/v1',
		],
		'type'              => 'Person',
		'id'                => 'https://yoursite.com/users/fake-user',
		'preferredUsername' => 'fake-user',
		'name'              => 'Fake User',
		'summary'           => 'Im a fake user!',
		'inbox'             => 'https://yoursite.com/users/fake-user/inbox',
		'outbox'            => 'https://yoursite.com/users/fake-user/outbox',
		'followers'         => 'https://yoursite.com/users/fake-user/followers',
		'following'         => 'https://yoursite.com/users/fake-user/following',
		'likes'             => 'https://yoursite.com/users/fake-user/likes',
		'icon'              => [
			"type"      => "Image",
			"mediaType" => "image/png",
			"url"       => "https://en.gravatar.com/userimage/xxx/xxxxx.png",
		],
		'publicKey'         => [
			'id'           => 'https://yoursite.com/users/fake-user#main-key',
			'owner'        => 'https://yoursite.com/users/fake-user',
			'publicKeyPem' => "-----BEGIN PUBLIC KEY-----(YOUR PUBLIC KEY)-----END PUBLIC KEY-----",
		],
	],
	JSON_UNESCAPED_SLASHES
);

Boom! You now have a user profile in the Fediverse. That’s it. No Mastodon account needed!

You can now – as this “user” – send messages to Mastodon or any server in the Fediverse! There is no authentication or verification that you are a real person!
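An added example, not code from the original post: what a receiving server can check about an actor document like the one above, and why throttling is keyed on the sending host rather than the actor. The host names, limit and blocklist are constructed, and the checks are this example's local policy, not requirements of the specification.

```php
<?php
// Added example: receiving-side checks. Sample hosts, limits and the
// actor below are constructed; the rules are local policy choices.

function https_host(?string $url): ?string {
    $p  = is_string($url) ? parse_url($url) : false;
    $ok = is_array($p) && ($p['scheme'] ?? '') === 'https' && isset($p['host']);
    return $ok ? strtolower($p['host']) : null;
}

// Returns the reasons to reject the actor document fetched from $fetchedUrl.
function actor_problems(array $actor, string $fetchedUrl): array {
    $origin = https_host($fetchedUrl);
    if ($origin === null) {
        return ['actor URL is not https'];
    }
    $problems = [];
    if (($actor['id'] ?? null) !== $fetchedUrl) {
        $problems[] = 'id differs from the URL it was fetched from';
    }
    $key = is_array($actor['publicKey'] ?? null) ? $actor['publicKey'] : [];
    if (($key['owner'] ?? null) !== $fetchedUrl) {
        $problems[] = 'publicKey.owner is not this actor';
    }
    if (https_host($key['id'] ?? null) !== $origin) {
        $problems[] = 'publicKey.id is on another host';
    }
    // PHP's openssl functions treat "file://..." strings as paths, so only
    // hand them remote input that is literally PEM text.
    $pem = $key['publicKeyPem'] ?? null;
    if (!is_string($pem) || !str_starts_with($pem, '-----BEGIN ') || openssl_pkey_get_public($pem) === false) {
        $problems[] = 'publicKeyPem is not a usable PEM public key';
    }
    return $problems;
}

// Actor ids cost nothing to create, so count deliveries per host, not per actor.
function admit(array &$seen, string $actorId, array $blockedHosts, int $perHostLimit): bool {
    $host = https_host($actorId);
    if ($host === null || in_array($host, $blockedHosts, true)) {
        return false;
    }
    $seen[$host] = ($seen[$host] ?? 0) + 1;
    return $seen[$host] <= $perHostLimit;
}

$pem   = openssl_pkey_get_details(openssl_pkey_new(['private_key_bits' => 2048]))['key'];
$url   = 'https://new-host.example/users/fake-user';
$actor = ['id' => $url, 'publicKey' => ['id' => "$url#main-key", 'owner' => $url, 'publicKeyPem' => $pem]];
var_dump(actor_problems($actor, $url)); // structural checks only; they say nothing about who runs the host
$seen = [];
foreach (range(1, 5) as $i) {
    echo admit($seen, "https://new-host.example/users/u$i", ['blocked.example'], 3) ? "accept\n" : "throttle\n";
}
```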


RSS and comments FTW!

The ActivityPub specification has not been updated in years now, and in my opinion it fails to provide a lot of the freedoms good old RSS and comments do. Any comment you make on this post will be a part of this website. I can take all the comments and blog posts in this portable format and move them to any host or any domain that I choose. And I’m free to change my domain to something totally different and do a 301 redirect from the old to new domain.

Do you like my posts? Why not subscribe to my RSS feed?

See how easy that is?
