You can’t link an IP to a physical location in most situations. I never understood the fear of IP leaking.
Discussion
I use a VPN too, BUT let's face it, the majority of users wouldn't bother to understand what an IP is.
so...can we locate which relay is the leak from?
This leak has nothing to do with relays. It's people being clever about getting specific users to load images.
LONG POST Addressing Everything
(TLDR AT THE BOTTOM)
The problem is that this is HUGE PII. Imagine that everything you post is linked to a location that is almost where you live. Like c'mon, imagine being in a surveillance state. That state knows you're using Nostr, but not what you post. They can spin up a malicious relay and track the location of every poster not using a VPN. They can specifically look at Chinese or Russian IPs to target a user. It is a terrible practice in general to have your IP linked to the personal info you might post. There are plenty of cases where criminals track social media posts to social engineer you; now they have your IP to craft an easier attack.
You will see people say your IP is public info, but this is worse on Nostr for a few reasons. In most cases, only your ISP and the website will have access to your IP. Like on Twitter and Mastodon/Bluesky they will know your IP. No one knows your IP on Twitter besides Twitter and your ISP. On Mast/Blue only the server you signed up to will know your IP and your ISP.
If a malicious server leaked a bunch of IPs everyone would simply leave and defederate that server. It takes a very long time to build up your Mastodon server audience and the operator would be throwing that away if they leak everyone's IP. This is most likely rare on any servers that host more than 500 members, but users might be affected if they use an unknown server with around 30 members. A malicious ActivityPub server can fully track your IP and might abuse it, but the difference is that this is not easily open to the public.
Now on Nostr, anyone can spin up a relay. You do not know if it's malicious or not. A relay can end up being extremely popular to the point where everyone has added it. This is what happened here, we all blindly trusted that this relay is honest and they ended up leaking everything. You cannot easily do this on Twitter or Mastodon because it will become extremely obvious that this person is leaking your IP.
We do not and will still likely never know which relay operator is leaking our IPs, and that is the most dangerous part. Rather than 1 or 2 providers we trust with our IP, we are now trusting 12-24 relays with our personal information.
The Nostr community needs to stop pretending that this isn't a gigantic issue and that this is the same for any other website.
Like any social media, Nostr isn't perfect because of the number of servers we need to trust to get it working. Mastodon and Bluesky have the problem of trusting one operator (Bluesky fixes this by letting you switch easily).
TLDR: Your IP being public on Nostr is different from most websites. You entrust 12-24 relay providers with your IP and any of them can be malicious. You are adding more and more parties to trust and it isn't easy to verify that these are all trustworthy. If you have too few relays you cannot access everyone's posts. This is a BIG problem on Nostr and we need to address it and not pretend like it isn't an issue.
Nostr is a great platform and the best social media community I've ever been a part of, but I cannot in good faith tell my friends that they will be secure on this platform.
This took some time to make so if you enjoyed reading or learned something new please retweet or like so others can see ❣️
#ipleak #grownostr #coffeechain #bitcoin #gm
I've brought this up before but there is not much willingness to engage with the issue it seems. My main question was simply, if we are to abide by the "Don't Trust, Verify" motto then should we be able to verify who is providing us a relay and also a client? It's a delicate issue.
I believe that using a VPN at minimum is necessary when using nostr and to always remain aware of what the idea of a 🍯 is.
I fully agree. The problem on Nostr is that you need to trust multiple relays, around 12-24 depending on your config. I cannot verify that every one of these guys is honest, nor can anyone else. I can verify maybe 4-5, but then I wouldn't see many posts on Nostr. You only trust 2 parties with your IP if you use traditional social media.
Thank you for being one of the ones who want to try and address this issue instead of ignoring it. I want everyone to use a VPN but the cost of buying one will turn a lot of people away.
nostr:npub1r7psmkr4zv93xnal8un6d8hvmpsn5jvhfzn3kk38rfcel6awznks7znspg
nostr:npub1t3ggcd843pnwcu6p4tcsesd02t5jx2aelpvusypu5hk0925nhauqjjl5g4
nostr:npub1pfmh8z085zlwmwjtq6m4hrgwuw99vjcwkpdf9dr9kmjgfg985jfqu4665m
nostr:npub1ds8fq94ec8h70m00sljstc4puq7mr7aulhp76660324yk4q2mx8sdyf93l
nostr:npub1c9d95evcdeatgy6dacats5j5mfw96jcyu79579kg9qm3jtf42xzs07sqfm
I unfortunately do not have the audience to bring attention to this post, but I've seen a lot of people not fully understanding the situation entirely. If you could critique, comment, or like this if you found this informative or learned something new, I would be very appreciative if you can repost this. If you know profiles who may also enjoy please tag them. If you do, I thank you so much for trying to bring more awareness to this issue 🙃
nostr:npub1f6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4kslazcka almost forgot about adding you to this list🥲 I like your perspectives on privacy and security, let me know if you have anything else to add 👍
I agree with others, this is likely an image/media/link issue. I don't think nostream TS relay collects IPs, but you could easily set up your server to do so. Opening a DM with a tracked image would make this easiest to correlate, and is probably the most immediate thing to address. Or interacting with a thread with an image link that is being tracked could leak information via data correlation from the reply note time stamp. This information is leaked constantly, but that this person decided to dox people is a concern.
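The leak path described in the post above is a client auto-fetching an image or media link embedded in a note or DM, which hands the reader's IP to whatever host serves the file. As an added illustration (not code from any Nostr client or from the thread's authors), the snippet below shows the defensive check a client can run before rendering: extract the URLs from a note's content, keep only those that would be fetched automatically (media file extensions), and split them into hosts the user has explicitly trusted versus everything else, which the client should show as a click-to-load link instead. The sample note, the hostnames and the trusted-host allowlist are constructed placeholders; the list of media extensions and the exact-hostname matching are design assumptions, not a protocol rule.

```javascript
// Added example, not from the thread: decide which media links in a Nostr note
// a client may auto-load without revealing the reader's IP to an unchosen host.

// Assumed set of extensions a typical client would fetch automatically.
const MEDIA_EXT = new Set(["png", "jpg", "jpeg", "gif", "webp", "svg", "mp4", "webm", "mp3"]);

// Plain http(s) URL matcher; stops at whitespace and common closing punctuation.
const URL_RE = /https?:\/\/[^\s<>"')\]]+/gi;

// Return the hostname if the URL points at an auto-loadable media file, else null.
function mediaHost(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null; // not a parseable URL, nothing to fetch
  }
  const last = u.pathname.split("/").pop() || "";
  const ext = last.includes(".") ? last.split(".").pop().toLowerCase() : "";
  return MEDIA_EXT.has(ext) ? u.hostname.toLowerCase() : null;
}

// Split the media links in `content` into those on the user's trusted-host list
// (safe to auto-load) and those that should be rendered click-to-load only.
function classifyMediaLinks(content, trustedHosts) {
  const trusted = new Set(trustedHosts.map((h) => h.toLowerCase()));
  const autoLoad = [];
  const blocked = [];
  for (const url of content.match(URL_RE) || []) {
    const host = mediaHost(url);
    if (host === null) continue; // ordinary link: nothing is fetched until clicked
    (trusted.has(host) ? autoLoad : blocked).push(url);
  }
  return { autoLoad, blocked };
}

// Constructed sample note: one image on a trusted media host, one ordinary link,
// and one tracking pixel on an unknown host carrying a per-recipient query string.
const SAMPLE_NOTE =
  "gm! pic from today https://media.example-trusted.net/u/42/sunrise.jpg " +
  "and a thread https://example.org/post/1 " +
  "plus https://tracker.example.com/pixel.png?u=npub-placeholder";
const TRUSTED = ["media.example-trusted.net"]; // constructed allowlist

const result = classifyMediaLinks(SAMPLE_NOTE, TRUSTED);
console.log("auto-load:", result.autoLoad);
console.log("click-to-load:", result.blocked);
```

The same check applies unchanged to DM content, which is where the post above says a single tracked image gives the cleanest correlation; the point is that the decision to fetch is made per host, before any request leaves the client.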
Being a bitcoin/nostr public figure has risks from many counterparties (governments, scammers, armed thieves). Pseudonymity is probably best practice where possible.
Check out nostr:npub1hrc008qk3rvteut0xvazc4sh5tpex4rfew75an3e3pttrglhamsqnw648j post from January 10th 2023. Depending on which client you are currently using, the blue box should be showing you your IP and browser/OS data. It is dynamic and each person will see their own data. It's not doxxing but highlights what is going on in the background.
For me it works in primal but not snort.
Yes, but it does reveal much information in several cases. I have a fixed one for one.
But in smaller countries like mine, and not being with the two large ISPs narrows your identity down a lot already
And your IP is your identity to governments BTW