Replying to Avatar Ingwie Phoenix (aka. birb)

That's true. However when the "victim" is a well known big account, nip05 is often faster to read than the whole pubkey and can add as a pointer towards the impersonation. This is how I avoided a fake Snowden, Will and Pablo account - let alone that they sent me DMs, which they never would, ever. Especially Snowden. xD "ah psst yeh brah i got a secret for ya" xD

Jokes aside; npub is the final source of truth, nip05 is a secondary, good one, but behaviour is usually the fastest to spot. ^^ In my opinion, anyway.
Avatar
daniele 2y ago

Faster is not equal to safer.

To prove this, without checking, tell me which is the correct Snowden NIP-05 in this list :)

snowden@nostrplebs.com

edward.snowden@nostrplebs.com

snowden@nostr-check.com

edward.snowden@nostr-check.com

snowden@getalby.com

snowden@nostrpurple.com

edward.snowden@nostrpurple.com

edward.snowden@getalby.com

@edward-snowden.org

I agree that it is faster to *communicate* that the legitimate account is xxx@zzzz.com, but this ease of use is intrinsically risky. If I register a similar domain changing a character, I can easily pass this check and fool people. Forcing the user to complete a full npub check is boring, but really secure. The following counter list is the best trade-off: watching it, I can immediately spot if a big account has been impersonated.

if we want to keep nostr working, we also need to adapt to a new UX paradigm.

Reply to this note

Please Login to reply.

Discussion

Avatar
Ingwie Phoenix (aka. birb) 2y ago

I didn't phrase myself clearly enough, apologies! ^^;

What I ment was that most apps can show if a NIP-05 handle is actually the correct one and assigned to the pubkey you are viewing. So, showing the account as actually "verified". Heck do I know which nip5 service Snowden used - I *think* he used nostr-check? x) I don't know if he even has his own domain...

Still, your second half stands true. Let's say Snowden doesn't have a domain - having a valid nip5 of _@edward-snowden.me would still result in a check and a "verified" account, although it is not. So yeah, in this case, comparing the npub to the one on his Twitter (is it even still there?) would be the ultimative truth. Honestly, I hadn't thought this far, I admit that... I would've gotten got by a checkmark. Stupid, I know... ^^;

Avatar
daniele 2y ago

No need to apologize, we are all brainstorming tougher and learning how to manage this new paradigm :)

I grasped your idea, the fact is that rarely you can precisely know the "correct" nip-05 address in advance, so at the end it's easily spoofable.

Avatar
NostrServiceBot 2y ago

Providing yourname@nostrich.house NIP-05 addresses. But I am a bot. DM me to know more 😁 https://nostrich.house #nip05

Avatar
Serviceline 2y ago

Nip5 ist not an authentification of real world persons. It's an alias for hex32. Our #nip5 service is anonymous, reliable and affordable. No account in fiat world necessary, order in the Nostr, zap the bot. #bitcoin #nostr https://nostrich.house #NIP-05

Avatar
SMS 2y ago

Relax, your certificate renewal is manual, but lack access to certain requirements, like a computer from this decade