Mastodon: What you need to know for security and privacy

Mastodon is hot right now. After years of being used only by geeks (yes, I’ve had an account for a while), we’re on the cusp of becoming mainstream…all thanks to these two words of his.

Elon Musk.

Elon Musk’s acquisition of Twitter, his outrageous remarks, and layoffs of many site staff have shocked the Twitter community, who are concerned about how the service might change.

So what are the alternatives. Many consider Mastodon a good new’s free When No ads, no mining of your data, and decentralized (that is, unlike Twitter, there is no entity or crazy ape billionaire responsible for your content).

If you’re geeky enough and like the job of maintaining a web server, create your own Mastodon “instance” (the name Mastodon users commonly use for their servers) and talk to other people on Mastodon. It is perfectly possible to allow

Compare this level of control to traditional social networks such as Facebook and Twitter. Facebook and Twitter control what you see on your timeline, mine your personal data, and bombard you with targeted ads.

Mastodon is not.

If you are interested in participating in Mastodon, Click here for detailsor watch video commentator.

Eventually you may want to follow me on Mastodon.I

But what I want to do in this article is mention some security and privacy considerations to consider when getting started with Mastodon.

mastodon password

Choose a strong and unique password for your Mastodon account. That is, you are not using the same password anywhere else on the internet, and you are using a password that cannot be guessed by friends, family members, co-workers, or most commonly hackers with access to his 100 million database. means to make sure there is no – Password used.

Ideally, passwords should be securely generated and stored using a password manager such as Bitwarden, 1Password or LastPass. I don’t know the Mastodon password, so I couldn’t tell you. My password manager remembers it for me.

Mastodon two-factor authentication

Setting a strong password is the first step, but we also recommend enabling two-factor authentication (2FA).

With 2FA enabled, you’ll be asked to enter a two-factor code in addition to your Mastodon username and password. This is a time-based one-time password that can be generated by your authenticator app on your phone.

The idea is that a hacker might have stolen or guessed your password, but would not know what the special code was.

sign up for newsletter
Security news, advice and tips.

Popular authenticator apps that can generate codes for your account include Google Authenticator, Duo, and Authy. A password manager (you have one of those, right?) could also generate a 2FA token for her.

Log in to the account you set up on your chosen Mastodon server website and enable 2FA protection for your chosen Mastodon account. edit profile > account > Two-factor authentication.

Follow the instructions there. If you have a hardware authentication key, you can also enable it for added physical security.

Mastodon direct message

This is important because direct messages work differently in Mastodon than in Twitter.

Mastodon direct messages are not encrypted. These are stored in plaintext on Mastodon servers. This means that anyone who maintains the Mastodon server can read it. In addition, his direct messages with users on other servers may be delivered to another server and a copy stored there.

To be fair, Mastodon will warn you about this.

In other words, if you want to say something private to someone, don’t use Mastodon. Use a more secure messaging system such as Signal instead.

But there are other dangers that can be associated with direct messages.

imagine you that is Have a direct message conversation with someone on Mastodon about a sensitive topic.

Maybe George and Paul are joking in Mastodon direct messages. That bloody @Ringo”

Well, since @Ringo was mentioned in chat, He got to see a copy of the message as well. Hmm, difficult.

This is especially dangerous if you are communicating with another Mastodon user to report abuse. Suddenly the abuser realizes you are complaining about them.

Email doesn’t work that way. Direct messages on Twitter don’t work that way.

(Sorry for using your name in this example, peace and love man!)

Mastodon Authenticated User

As we all know, one of the pickles Elon Musk got caught on Twitter is the “verified account.”

Twitter’s verified accounts (so-called “blue checkmarks” – accounts that actually have a white checkmark on a blue background) were distributed free of charge to celebrities, celebrities, journalists, etc. who verified their identity. on Twitter.

Those, too, used to be free, but Musk seems desperate to distribute verified ticks to those who pay for monthly subscriptions for that privilege.

The good and bad of it is beyond the scope of this article, but one important thing Mastodon users should know is that there is no “blue check” system.

Yes, Mastodon users can add a blue checkmark emoji to the end of their username if they wish (or an elephant, or an eggplant… the list is almost endless).

But what Mastodon does is allow it to authenticate itself.

Mastodon describes this process as follows:

Mastodon can cross-reference the links you put in your profile to prove that you are the true owner of those links. If one of these links is the home page of a known and trusted individual, it works as a workaround for identity verification.

If you put a link in your profile metadata, Mastodon will check if the linked page links to your Mastodon profile. If so, you’ll see a verification checkmark next to the link because you’ve been verified as the owner.

I have posted a link to my Mastodon account on this website ( To see which link I needed to enter, I logged into the account I had set up on his website for her Mastodon server of choice and navigated to: edit profile > exterior.

In my case the link I put on is: <a rel="me" href="">Mastodon</a>

We’ve also added a link to to your Mastodon account profile. Mastodon will make sure that the two are pointing to each other and show a green checkmark for the correct links.

Anyone who wants to verify that the Mastodon account belongs to the same Graham Cluley who runs can see that tick and know that I am real. increase.

So here’s a working example of why this matters…

Be careful about following famous/celebrity accounts on Mastodon

As I said at the beginning, Mastodon is hot right now. Most users are new to this site and do not yet know the dangers. Additionally, many celebrities and public figures may not yet have established their presence on Mastodon.

So, whenever you come across a celebrity’s Mastodon account, be sure to check if that person’s profile contains a verified link to their official website.

It is child’s play for someone to create a fake account in the name of a celebrity and use that account to spread disinformation, cryptocurrency scams, or malicious links. It is much more difficult for scammers to add a verified link from their account to a celebrity’s official website.

should say more

There’s probably more to be said about how Mastodon works safely and reliably, but much of it applies to *any* website that posts on the internet. Be careful with shared links, don’t trust everything you read, never share passwords, be careful not to be phishing, etc.

As Mastodon grows in popularity, it is almost inevitable that scammers, cybercriminals and crooks will try to exploit unsuspecting users.

Take care of yourself and your friends who are about to step into Mastodon. If you have any questions, follow me on mastodon Or leave them under.

Did you find this article interesting? Follow Graham Cluley on Twitter Also Mastodon To read more about the exclusive content we post.

Graham Cluley is a veteran of the antivirus industry and has worked for many security companies since the early 1990s when he created the first version of Dr. Solomon’s Antivirus Toolkit for Windows. He is now an independent security he analyst, makes regular media appearances and speaks internationally on the topics of computer he security, hackers and online he privacy. Follow him on Twitter. @gcluleyfor Mastodon @gcluley@mastodon.greenor drop him an email.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog