Replies: 2 comments
-
I've noticed this myself too. I recently started diving into the whole fediverse, and I set up a single-person instance on a URL that I have not shared with the outside world, whereby I used Elk as my client of choice to interact with those instances (both a Mastodon and a GoToSocial on separate domains). What I've noticed is that despite not deliberately sharing my instance URLs, I found myself federating with instances that weren't coming from me, and other oddities such as receiving an automated email from a good actor informing me about the latest Mastodon CVE. Which led me down the rabbit hole of trying to see where my domain was being spread, and after checking the given API endpoint I can say that both of my URLs are in there. And while I cannot say with full certainty that the list caused this, it also wouldn't be far-fetched that a list like this already would be scraped for a list of instances that may or may not be alive. I do think that Scambier's solution would be a better solution than we have now. While it's nice to have a list of instances Elk can autofill to, I don't think it would help the end user a lot unless they are part of one of the bigger instances on the fediverse.
-
Counter-point to my own post: out of curiosity, I just checked the list of applications registered on my unused, single-user instance. So, while having a ready list of instances probably makes things easier to get the URL, it looks like any competent actor wouldn't need it to get the URL of your "private" instance from somewhere else.
-
When you log in on elk.zone, the app has an autocomplete feature for the server. The server list comes from https://elk.zone/api/list-servers. I guess there are many small single-user instances in this list, with alpha software (e.g. GoToSocial), and certainly configured with less-than-ideal security settings. I feel like this is a potential targets list for attackers.
While this feature is certainly nice to have for UX and accessibility, would it be possible to not display instances until they're over a certain threshold of usage? I.e. don't publicly display an instance until there are 100 (or whatever value) logins for it, and remove it automatically when no-one has filled it in for X days.
Thank you.
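The threshold policy proposed in the post above, as an added TypeScript example that is not Elk's own code: an instance enters the public autocomplete list only once it has reached a minimum number of logins and is dropped again after a period with no logins. The record fields, policy values and sample domains are assumptions; the `isListed` helper is the check the first comment did by hand against the fetched list.

```typescript
// Added example, not Elk's code: a filter implementing the usage-threshold
// policy suggested above. Record fields and policy values are assumptions.
interface ServerRecord {
  domain: string;     // hostname as stored by the list service
  logins: number;     // hypothetical counter of successful logins via the client
  lastLogin: string;  // ISO 8601 timestamp of the most recent login
}

interface ListPolicy {
  minLogins: number;   // hide an instance until it reaches this many logins
  maxIdleDays: number; // drop it once nobody has logged in for this long
}

const MS_PER_DAY = 86_400_000;

// Normalise input like "https://Example.Social/" to a bare lowercase hostname.
export function normalizeDomain(input: string): string {
  return input.trim().toLowerCase()
    .replace(/^https?:\/\//, '')   // drop scheme
    .replace(/[\/?#].*$/, '')      // drop path, query, fragment
    .replace(/\.$/, '');           // drop trailing dot
}

// The public list: only instances that pass both thresholds, sorted for stable output.
export function publicServerList(records: ServerRecord[], policy: ListPolicy, now: Date): string[] {
  return records
    .filter(r => r.logins >= policy.minLogins)
    .filter(r => (now.getTime() - Date.parse(r.lastLogin)) / MS_PER_DAY <= policy.maxIdleDays)
    .map(r => normalizeDomain(r.domain))
    .sort();
}

// What a single-user admin can run against a fetched list to see whether their domain is exposed.
export function isListed(domain: string, list: string[]): boolean {
  const wanted = normalizeDomain(domain);
  return list.some(d => normalizeDomain(d) === wanted);
}

// Constructed sample data: two busy instances, one tiny one, one dormant one.
export const SAMPLE_RECORDS: ServerRecord[] = [
  { domain: 'mastodon.example', logins: 5000, lastLogin: '2024-05-31T12:00:00Z' },
  { domain: 'tiny.example',     logins: 3,    lastLogin: '2024-05-31T12:00:00Z' },
  { domain: 'dormant.example',  logins: 400,  lastLogin: '2024-03-01T00:00:00Z' },
  { domain: 'busy.example',     logins: 120,  lastLogin: '2024-05-22T00:00:00Z' },
];
export const DEFAULT_POLICY: ListPolicy = { minLogins: 100, maxIdleDays: 30 };
export const NOW = new Date('2024-06-01T00:00:00Z');

// Expected: ['busy.example', 'mastodon.example']
console.log(publicServerList(SAMPLE_RECORDS, DEFAULT_POLICY, NOW));
```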