Mastodon newbie protip: don't click the "remote follow" button. Just copy the user's URL and paste it into the search bar of your home instance, then click the follow button (the little icon of a person with a "+" on it).
Not only is "remote follow" slower and more awkward; it's a potential security risk, because a malicious instance could trick you into giving them your password (if you're not paying attention to the URL bar).
@nolan
True that if an admin enters his/her username and password in a page without checking where he/she is then he/she should be banned for being an admin of anything ;-)
Anyway, it seems like if I'm already logged in to my instance, the remote site only asks for the username, which is OK.
@nolan remote follow doesn't ask for my password, just my username?
@frankiesaxx Only if you're already logged in. Try in a private browser window.
@nolan sorry to be a complete dullard but where / what is the 'remote follow' button?
Is that the button that appears next to the profile of someone on a remote instance, when it's displayed in the fourth column?
@quirst It's a button that literally says "remote follow." 😉 You can check the profile of a remote user that you don't follow to see what I mean; if you're at example.com/@username then you'll see it.
@nolan Oh! That's a good tip. I didn't realize the security implications.
@nolan Bonjour, Newbie here. Thanks for the tip. Am I doing it right here? I clicked on the little man holding the cross (guess he's Jesus Christ) after pulling up your profile.
btw your profile shows only 1 follower: me. This cannot be right, huh? I got 20 followers with just 3 inane posts.
@neither Yes, you have to click on the profile pic to see the full number. It's complicated and has to do with which users your instance is "aware" of. 🙂
@nolan I had no idea those two actions did different things. Thanks!
I don't see any issues on the Mastodon repo mentioning that "remote follow" is a phishing opportunity, and that we're training users to do something that could get exploited one day. I'd file an issue, but there are so many infosec people on here, maybe someone else could articulate it better than me? Or maybe I'm overestimating the risk? /cc @munin @bcrypt