The Fedilab developer just admitted to acting in bad faith by removing the user agent identification from their client.

I can understand a browser changing the user agent to something else for compatibility reasons, but for a client to deliberately remove identification to evade the wishes of the servers they connect to?

That’s not something well-behaved clients usually do...

>The Fedilab developer just admitted to acting in bad faith by removing the user agent identification from their client.

"Just admitted", you're strong for manipulating 🙄

@fedilab how would you characterize removing the user agent explicitly for the reason so that your client can evade a ban?

If you would be consistent in your principles of allowing your app to be used to access all content including hate speech, then why would you have an issue with servers exercising their free will and choosing to revoke access for your client?


^^ this is what I mean when I say that people argue in bad faith when it comes to white supremacists. If you argue for certain principles then it has to be applied consistently.

@szbalint @fedilab Being an intolerant, judgmental bully is really helping your case there, buddy

@fedilab @szbalint same to you, I don't want to use a client with an unresponsive, flippant dev and will be recommending that nobody else who's looking for a client does either

@fedilab @szbalint Hello fedilab account. Please go fuck yourself in hell, you self-satisfied shithead coward.

@fedilab @szbalint lol as soon as you get called out for enabling abusive behaviour you drop blocks and scramble. Fuck outta here froggy.

@szbalint @fedilab well, thanks for confirming that my decision to stop using fedilab was the correct one I guess?

@szbalint @fedilab i thought people like you would allow the devs to do what they wish? like rickrolling gab? or it's only ok when the devs of a project do things to people you don't like?

@szbalint That makes it a bit more difficult but you can still block it from your instance. It registers an API token with "Fedilab" as application name. You can check for that directly in the Mastodon software. It's currently not possible to ban whole apps using the admin menu but maybe you can add a check yourself somehow.

@nipos @szbalint this SHOULD work, but i'm not 100% so maybe test it on a dev instance beforehand

@zoe @nipos @szbalint I feel like I need to mention that the one receiving the 403 error will not be the Fedilab developer but the end-user. And they won't have a clue why.

@Gargron @nipos @szbalint Obviously, yes, but I wasn't sure what the proper protocol for making the text say "Please use a different client" was and I had the feeling anything else would send up a 500, which would be even more confusing

@Gargron @szbalint @zoe Yes, that's really not a perfect solution but it's a small workaround that does its job more or less. Would be cool if there was a possibility for instance admins to block clients and also tell the users why it's blocked. Sure, some shit like FreeFedilab will pop up then but I don't see any better solutions.

@nipos @Gargron @szbalint Honestly just a quick .env option would probably work far better than the mess I'm doing

@nipos @Gargron @szbalint (besides, we do fine enough blocking instances as they pop up anyway, and editing an app takes development knowledge, god forbid)

You know it's not possible to block a client.
At least, people will see a random string as a client. Also the app doesn't use a custom user agent for weeks.

You could stop all this shitstorm with few words, like it was created weeks ago by asking dev to take their responsibilities.

As far as I know, Mastodon doesn't block instances by default and no one harasses you for not doing it. Just don't let some people enrol some users by abusing of their lack of knowledge.

@szbalint privacy respecting clients should use generic user strings, but that's more like a defense against tracking. fedi isn't as much of a privacy risk just yet. as long as ap servers act as proxies anyway.. otherwise a lot of servers could observe you easily. I mean, it's fundamentally the same design as email, so there are a lot of opportunities for leakage..

then again, probably not respectful to hide from your instance admin unless they're cool with it.

@szbalint For your information, SubwayTooter has an option to customize the user-agent and I found this feature very funny.
I suggest #fedilab to implement user-agent switcher which is kind of easy to do but needs token regeneration.

Fork it.

@szbalint Go to app settings :
Customize your fields then update your app token and check my app name in this toot ?

@szbalint I think that all the apps are allowing this, take Pinafore, Brutaldon and all the other proxy-posting clients allow to change the user-agent and the name of the app and behave like a simple browser.

@szbalint You'd better work for a government that is looking to develop ways to filter bits and look inside the frames.

@szbalint Well behaved servers don't discriminate by user agent. Every major browser supports changing the user agent string. Changing user agents is fine. Discriminating by user agent is acting in bad faith. It's security by obscurity at best.

@petit @szbalint Admins can exercise their free speech by blocking any client they want. You are literally censoring them.

@felix @szbalint Changing user agents does not conflict with the free speech of the admin.

@felix @szbalint Would you be kind enough to point out who is speaking and what they are being prevented from saying?

@felix @szbalint Sometimes I worry I'm taking certain truths for granted, so I try to prepare myself for being wrong. On occasion, my mind has changed and I've felt ashamed or embarrassed. Free speech has been an island of safety and security. The people who don't think open discussions are worth anything are so inept at convincing people I never have to worry I'm wrong about free speech. Life is good!

@szbalint :( I bought fedilab without knowing about this stuff because it was what some old guide recommended. Does anyone have a more up to date overview of options?

Disagreement, gab 

@szbalint Removing user agent ID is even a standard setting on the mastodon web UI and most of the client apps as well.

Preferences->Other, look for "Disclose application used to send toots"

@gaab @szbalint That's not what's happening here. It's more like if GoogleBot or some such suddenly started sending the useragent for Firefox instead -- with that preference, the server itself still knows who you are, it just doesn't tell other people on the instance

@szbalint By that reasoning, Tor Browser, and even Firefox with anti-fingerprinting mode enabled, are also "acting in bad faith".

@tga anti-fingerprinting is about protecting the user’s privacy by not leaking personally identifiable data. A user agent string is not personally identifiable but rather specific to an application with all its users.

There is a big difference also between a user deciding to change the user agent for their installation (which I have no problem with) vs the developer for every user by default.

Tor Browser and Firefox with anti-fingerprinting enabled spoof their user agent to reduce the ability of the server to run fingerprinting code on said useragent (e.g., they identify the OS as Windows, and decrease the version to the last ESR). The user doesn't opt in, and many servers try to identify the user agent anyway using other avenues (e.g., TCP stack config). Some sites, like the NYT, will disable the site if they detect this behavior, because ads.

@tga yeah which is a valid usecase so that the Tor using population doesn’t stand out too much for understandable reasons. Its effectiveness is a different matter though.

I mean at this point it comes down to intent and why a certain app is doing something and who they have in mind to prioritize.

@szbalint your point was that mastalab was somehow acting in bad faith by using a user agent that let their users access the content they wanted, because it circumvented server-side blocks. I agree that the creators have made some disappointing decisions lately, but acting like spoofing a user agent is some nefarious ploy is a disingenuous description of a fairly standard practice.

@tga it depends on intent, fedilab made this modification not for privacy reasons but because they wanted to be both serving white supremacist users and then not have that decision affect the app in any way.

A fediverse server is not the open web. You need to register a user account and that comes with terms of service.

Deliberately going against instance admins here is not some benign change to the user agent that might be the case for a browser. This is the context.

@szbalint This is sickening and cowardly. How do you propose we make sure that the nazi developer "Fedilab" (if that is even his real name) can't avoid this client ban anymore?

@szbalint @Gargron Is intentionally hiding your user agent as an inbuilt client feature even allowed? It seems like it would inherently lead to abusive and duplicitous practices.

@V @szbalint User agent is not a necessary header and is not processed by Mastodon in any way. I don't know if any apps send it at all.

@Gargron @szbalint Ah, I see. Thanks for the quick response!

@szbalint fedilab are abusive fascists and it's clear at this point. They dumped a whole load of fashy trolls on one of my girlfriends because she asked a relatively harmless question, and i got shit too for pointing out they were allowing access to spaces where racist, antisemitic mass shootings are planned and celebrated.
