MastoWoT: A Web-of-Trust inspired defederation station

Instructions

This tool is intended for Mastodon instance administrators

You can still play around with it even if you aren't a server admin, but don't complain to me that you can't figure out how to import the lists :)

This tool is designed to suggest a blocklist that you may want to configure on your Mastodon instance. The goal is to create a system simpler than scrolling #FediBlock, more proactive than relying entirely on user reports, and more federated than distributing blocklists from a central authority.

To start, enter your instance's domain (no 'https://', no page, just the domain) into the box above the synchronize button on the right side menu, and click "Synchronize". This will make two calls to your server's API to fetch the known peers and the block list. This WILL require that your instance is configured to share this information: in your instance settings, under Site Settings, enable 'publish list of discovered servers' and 'enable profile directory', and set "show domain blocks" and "show rationale" to "to everyone".

Once you synchronize, any domains you have already blocked will appear under Untrusted Hosts. All other known peers will appear under Known Hosts. Now, you need to find some hosts you trust in the Known Hosts list and move their slider to the right. The slider moves between -100 and 100, and once you select a value it will update in the text box (you can also enter a value into the box directly). This should represent how much you "trust" this server, with -100 meaning you think this server is "evil" and 100 meaning it is to be trusted entirely (at least for the purposes of generating a blocklist). As you set values, these hosts will move to Trusted Hosts or Untrusted Hosts accordingly. I do NOT recommend trying to set a value for every single instance in the list. Search the page for instances that you are already familiar with instead.

Once you have added a few trusted instances, click "Process" from the right side menu. This will fetch the block list from each instance on your trusted list. A host that appears on any of these blocklists will receive a negative trust value equal to the trust value of the hosts that have blocked it, multiplied by the appropriate multiplier values (configured in the side menu), averaged by dividing it by the total number of hosts in the list.

Finally, you can use the "Export for Mastodon" button from the side menu to export a blocklist as a CSV file, which you can then import into your instance using the script provided below. This export will be generated based on the Thresholds values set on the right side menu. Any hosts with a trust value equal to or below the suspend threshold will be suspended; any remaining hosts with a trust value equal to or below the limit threshold will be limited.

Also please be aware that some instances may choose to obfuscate certain URLs from their block list. Please don't do that. This tool cannot work with obfuscated URLs.
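The scoring, threshold and obfuscation rules described above, worked through as an added example (this is not MastoWoT's own code, and mastowot.js may differ). It assumes one multiplier per block severity, averaging over the whole trusted list, and that obfuscated entries are those containing `*`; the hosts, multipliers and thresholds are constructed.

```javascript
// Added example: multiplier and threshold values are assumptions; data is constructed.
const MULTIPLIERS = { suspend: 1.0, silence: 0.5 }; // assumed: one per block severity
const THRESHOLDS = { suspend: -40, limit: -10 };    // assumed side-menu values

// trusted: { host: trustValue }; blocklists: { host: [{ domain, severity }] }
function scoreHosts(trusted, blocklists, multipliers = MULTIPLIERS) {
  const hosts = Object.keys(trusted);
  const totals = {};
  const skipped = [];
  for (const host of hosts) {
    for (const { domain, severity } of blocklists[host] || []) {
      if (domain.includes("*")) {
        // Obfuscated entry: the real domain is unknown, so it cannot be scored.
        skipped.push(`${host}: ${domain}`);
        continue;
      }
      const weight = trusted[host] * (multipliers[severity] ?? 0);
      totals[domain] = (totals[domain] || 0) - weight;
    }
  }
  const scores = {};
  for (const [domain, total] of Object.entries(totals)) {
    scores[domain] = total / hosts.length; // averaged over every trusted host
  }
  return { scores, skipped };
}

// Suspend at or below the suspend threshold; limit the rest at or below the limit threshold.
function classify(scores, thresholds = THRESHOLDS) {
  const actions = {};
  for (const [domain, score] of Object.entries(scores)) {
    if (score <= thresholds.suspend) actions[domain] = "suspend";
    else if (score <= thresholds.limit) actions[domain] = "limit";
  }
  return actions;
}

// Constructed sample: four trusted hosts and the block lists they publish.
const trusted = { "a.example": 100, "b.example": 60, "c.example": 20, "d.example": 20 };
const blocklists = {
  "a.example": [{ domain: "spam.example", severity: "suspend" },
                { domain: "ab***.example", severity: "suspend" }],
  "b.example": [{ domain: "spam.example", severity: "suspend" },
                { domain: "loud.example", severity: "silence" }],
  "c.example": [{ domain: "loud.example", severity: "silence" },
                { domain: "meh.example", severity: "suspend" }],
};
const { scores, skipped } = scoreHosts(trusted, blocklists);
console.log(scores, classify(scores), skipped);
```

With these values, a host blocked only by one low-trust instance (`meh.example`) stays above both thresholds and is left out of the export, while the obfuscated entry is reported in `skipped` instead of being scored.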

The remaining options are mentioned below:


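# IMPORT SCRIPT
# I realize Mastodon already has an import function, but as far as I can tell, that
#   does not allow you to include the comments. This script will.

# This script assumes the export file is available in the current directory
#   and named 'mastowot.csv'

# This should be your Mastodon API token with admin access
# (Generate from your admin user's development menu. Requires admin:write permissions)
ADMIN_ACCESS_TOKEN=""
# And your instance hostname of course
MASTODON_HOST="https://"

ts="$(date +%Y%m%d-%H:%M:%S)"
# Domains and comments in the export come from other instances' block lists, so
#   every value is single-quoted before it reaches the shell, and curl gets it via
#   --form-string, which (unlike -F) never treats a leading '@' or '<' as a file.
awk -v RS='"\n' \
    -v FS="," \
    -v authtoken="$ADMIN_ACCESS_TOKEN" \
    -v tgthost="$MASTODON_HOST" \
    -v timestamp="$ts" \
'
# Quote a string for the shell (\047 is a single quote)
function shq(s) { gsub(/\047/, "\047\\\047\047", s); return "\047" s "\047" }
# Drop the double quotes that wrap a CSV field
function unq(s) { gsub(/^"|"$/, "", s); return s }
# One POST per record: field 1 is the domain, field 2 the public comment
$1 != "" {
    system("curl -X POST -H " shq("Authorization: Bearer " authtoken) \
           " --form-string " shq("domain=" unq($1)) \
           " --form-string " shq("private_comment=Updated by MastoWoT " timestamp) \
           " --form-string " shq("public_comment=" unq($2)) \
           " " shq(tgthost "/api/v1/admin/domain_blocks"));
}' mastowot.csv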


TODO:
  Styling:
    Color chooser, high contrast mode
    Maybe make the UI not look like....this.
  Determine if blocked hosts have/had direct associations, and when?
    (ie, see if they blocked this person or if they got the block from elsewhere)
  Explain how this shit works a little better, maybe a video?
    (Maybe a *good* video...)

[ Ultimately I do think this would make more sense as a shell script run via cron job...but I think this is a better way to display the concept, so that version is part two :) ]

FYI, this site runs entirely on your machine and should not send ANY of your data to my server. This page is made of three files -- mastowot.html, mastowot.js, and mastowot.css. You can download all three and run them from your local system, no server required. You can copy them to your own server to share. They are licensed under the GPL v3, and are about 1000 lines of code, last I checked, if you want to review them.
