Mastodon: What you need to know for your security and privacy

If you’re leaving Twitter for Mastodon, here are some things you should know.

Graham Cluley
@gcluley

Mastodon: What you need to know for your security and privacy

Mastodon is hot right now. After some years of only being used by geeks (yes, I’ve had an account for a while now) it’s at the tipping point of becoming mainstream… all because of two words:

Elon Musk.

Elon Musk’s purchase of Twitter, his erratic pronouncements, and the layoff of many of the site’s staff, has sent shockwaves through the Twitter community who are concerned about how the service might change.

So what’s the alternative. Many consider Mastodon to be a good new home. It’s free and ad-free, it doesn’t mine your data, it’s decentralised (which means that – unlike Twitter – there’s not one entity or crazy-ape-bonkers billionaire in charge of your content).

It’s perfectly possible – if you’re nerdy enough and fancy the job of maintaining a web server – to create your own Mastodon ‘instance’ (the name Mastodon users commonly use for a server) and be able to talk to anyone else on Mastodon.

Compare this level of control to your traditional social networks like Facebook or Twitter which control what you get to see in your timeline, mine for your personal data, and bombard you with targeted ads.

Mastodon isn’t like that.

If you’re interested in joining Mastodon, you can learn more about it here, or watch a video explainer.

You may even want to eventually follow me on Mastodon. I’m @[email protected].

But what I want to do in this article is mention some of the security and privacy considerations you should make if you’re going to start using Mastodon.

Passwords on Mastodon

Choose a strong, unique password for your Mastodon account. That means ensuring that you’re not using the same password elsewhere on the internet, and one that can’t be guessed by a friend, family remember, co-worker, or hacker with access to a database of 100 million of the most commonly-used passwords.

Ideally you should be using a password manager like Bitwarden, 1Password or LastPass to securely generate and store your passwords for you. I couldn’t tell you what my Mastodon password is, because I don’t know it. My password manager remembers it for me on my behalf.

Mastodon login 700

Two-factor authentication on Mastodon

Having a strong password is the first step, but I also recommend enabling two-factor authentication (2FA).

Once you have enabled 2FA, you won’t just be asked to enter your Mastodon username and password – you’ll also be asked for a two-factor code. This is a time-based one-time-password that can be generated by an authentication app on your phone.

Mastodon 2fa code request

The idea is that a hacker might have stolen or guessed your password, but they won’t know the special code is.

EmailSign up to our newsletter
Security news, advice, and tips.

Popular authentication apps that can generate codes for your account include Google Authenticator, Duo, and Authy. It’s possible your password manager (you have one of those, right?) also generates 2FA tokens.

You enable 2FA protection on your Mastodon account by logging into the account you have setup on your chosen Mastodon server’s website, and choosing Edit Profile > Account > Two-factor Auth.

Mastodon 2fa setting

Just follow the instructions there. You can also enable a hardware authentication key for additional physical security if you have one.

Direct Messages on Mastodon

This is an important one, as direct messages work differently on Mastodon than how they work on Twitter.

Direct Messages (DMs) on Mastodon are stored in clear text on the Mastodon server. They’re not encrypted. That means that they could be read by whoever is administering your Mastodon server. Furthermore, direct messages with users on other servers will be delivered to different servers and copies may be stored there.

Mastodon dm

In fairness, Mastodon does display a warning about this – but I wonder how many people will take that much notice.

There’s actually a similar privacy concern with Twitter. Twitter staff can read your DMs.

In short, if you want to say something private to somebody – don’t use Mastodon. You probably shouldn’t use Twitter either. Use a more secure end-to-end encrypted messaging system like Signal instead.

But there’s more danger potentially associated with direct messages on Mastodon.

Imagine you are having a direct message conversation with someone on Mastodon about a sensitive subject.

Maybe George and Paul are bantering via direct message on Mastodon, and one of them says “I’ll tell you who’s a twit. That bloody @Ringo”

Well, because @Ringo has been mentioned in the chat, he now sees a copy of the message too. Ouch, that’s awkward.

This would be particularly dangerous if you were communicating with another Mastodon user to report abusive behaviour. Suddenly your abuser knows you are complaining about them.

Email doesn’t work like that. Twitter direct messages don’t work like that.

(Sorry Ringo for using your name in this example, Peace and Love man!)

Verified users on Mastodon

As we all know one of the pickles Elon Musk has got himself embroiled in on Twitter is “verified accounts.”

Verified accounts on Twitter (the ones with a so-called “blue tick” – it’s actually a white tick on a blue background) used to be handed out for those free to public figures, celebrities, journalists and the like who had verified their identity with Twitter.

They also used to be free, but Musk appears to be hell-bent on doling out verified ticks to anyone who pays a monthly subscription for the privilege.

The rights-and-wrongs of that are outside the scope of this article, but what’s important for Mastodon users to know is that it doesn’t have a “blue tick” system.

Yes, Mastodon users can add an emoji of a blue tick to the end of their username if they wish (or an elephant, or an eggplant… the list is pretty much endless) but it doesn’t mean that they are verified.

But what Mastodon does do is let you self-verify yourself.

Mastodon verified settings

Here’s how Mastodon describes the process:

Mastodon can cross-reference the links you put on your profile to prove that you are the real owner of those links. In case one of those links is your personal homepage that is known and trusted, it can serve as the next-best-thing to identity verification.

If you put a link in your profile metadata, Mastodon checks if the linked page links back to your Mastodon profile. If so, you get a verification checkmark next to that link, since you are confirmed as the owner.

I have put a link on this website (grahamcluley.com) to my Mastodon account. To find out what link I had to put in, I logged into the account I have setup on my chosen Mastodon server’s website, and navigated to Edit Profile > Appearance.

In my case the link I have put on grahamcluley.com is: <a rel="me" href="https://mastodon.green/@gcluley">Mastodon</a>

And I have also put a link on my Mastodon account’s profile to grahamcluley.com. Mastodon checks that the two are pointing to each other, and displays a green tick against the appropriate link.

Mastodon verified

Anyone who wants to confirm that the Mastodon account [email protected] belongs to the same Graham Cluley who runs grahamcluley.com can see that tick, and know that I’m the real deal.

And now I’ll give you a real-life example of why this matters…

Be wary of following famous/celebrity accounts on Mastodon

Like I said at the beginning, Mastodon is hot right now. Most users are brand new to the site, and don’t know the dangers yet. Furthermore, many famous people and public figures may not yet have established a presence on Mastodon.

So, if you see a Mastodon account for someone famous, always check to see if their profile contains a verified link to their official website.

It’s child’s play for someone to create a fake account in the name of a famous person, and then use the account to spread disinformation, cryptocurrency scams, or malicious links. It would be much much more difficult for a scammer to add a verified link from the account to the celebrity’s official website.

More to be said

There’s probably a lot more to be said about how to behave safely and securely on Mastodon, but much of it applies to *every* website you post to on the internet. Be wary of links that are shared, don’t trust everything you read, never share your password, be careful not to be phished, etc etc.

As Mastodon becomes more popular it is almost inevitable that scammers, cybercriminals and fraudsters will attempt to exploit unsuspecting users.

For more discussion of the tips I’ve included in this article, be sure to listen to this episode of the award-winning “Smashing Security” podcast:

Smashing Security #297: 'Mastodon 101, and the Hushpuppi saga'

Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
More episodes...

Take care of yourself and any friends who are venturing onto Mastodon, and if you have any questions either follow me on Mastodon or leave them below.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.

6 comments on “Mastodon: What you need to know for your security and privacy”

  1. Jon Ribbens

    It might be worth pointing out that verification doesn't seem to get transmitted between servers. For instance, if I click on you on my Mastodon server, it takes me to the URL https://mastodon.social/@[email protected], which shows your information and your links, but not the fact that one of the links is verified. (Note that if you're not logged in as a user on mastodon.social, that URL will just redirect you to mastodon.green instead.)

  2. Micah Wyatt

    counter.social is the only way to go. Full featured and secure.

  3. Richard Gadsden

    It's worth adding that if there are lots of users associated with one domain that need to be verified, that domain / organisation will sometimes set up their own Mastodon instance and say that everyone on that instance is verified to be associated with their organisation.

    For instance MIT (big university near Boston in the USA) has its own Mastodon instance at https://mastodon.mit.edu/ and the only people allowed to have accounts on it are staff and students at MIT, so any account on that instance can be verified as being from MIT – so anyone claiming to be an MIT professor and using some other instance is clearly dodgy.

    1. MJ Ray · in reply to Richard Gadsden

      "anyone claiming to be an MIT professor and using some other instance is clearly dodgy" or doesn't want their employer storing and censoring their social life.

  4. Sean Sullivan

    A suggestion for describing Mastodon DMs to muggles who are Mastodon curious.

    Mastodon DMs are DIRECT messages. They are not PRIVATE messages.

    It's similar in a way to Facebook profile posts. On Facebook, if you have "Who can post on your profile?" set to "Only me", then the only way of directing a message towards you is via Messenger (one-to-one). But if you have "who can post" set to "Friends", well, then your Facebook friends can write a message on your profile, or wall as people used to say (one-to-many potentially). The typical use case for this: Happy Birthday! 🙄

    It's possible to reply back-and-forth to such messages and others won't be prompted about the thread. BUT… it is also possible to mention/tag people in the replies of such posts and they'll be notified and pulled into the conversation. And all of it is generally visible to the larger group. Sort of like a private conversation in a public room at a party. If you call somebody over, it then becomes a direct conversation between three people.

    In Mastodon's case, one must remember that the party host (the person running the server) is able to see everything at the party.

    People often confused Facebook "wall posts" for private conversations back in the day. Hopefully that won't be the case on Mastodon – but I suspect that history will rhyme if people start adopting it en masse.

    1. wigbert · in reply to Sean Sullivan

      this is quite a useful comparison – thank You !

      – just curious: any admin at a server can ALWAYS ? see all content?
      – how do we actually know, WHO indeed is running a particular server?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.