Nostr Web Client

Replying to

PABLOF7z

wow, what clients discourage people from using other clients??

yeah, we still have a lot of work to do.

Just saying "fuck it, I'll hardcode my relay" is too attractive (which is largely why I started working on ndk)

What are the malicious relays you mention? 🤔

jb55 2y ago

Im guessing he’s sub-posting me because Ive said this in the past. I have to deal with hundreds of complaints about other clients nuking contact lists. So I have said “if you use another client it may corrupt your contact list”.

Once damus is better at defending against other clients breaking stuff in damus then I wouldn’t have to say this. But it would require some decent amount of code to detect large changes in followers, etc. I’ll do it eventually but it’s a lot of work.

I have already seen malicious relays (but more likely just buggy relays) that will return results that don’t match your filters. In the outbox model you’re giving control of what relays you connect to other people. Until my client is hardened I don’t feel comfortable doing that. But the local relay model I’m working on fixes a lot of these concerns, so I’ll finally be able to switch to outbox once thats done.

Reply to this note

Please Login to reply.

Discussion

PABLOF7z 2y ago

this is good and necessary imo; clients need to be hardened against malicious relays

yes, outbox makes this slightly worse, but if a user manually connects to a malicious relay that buffer-overflows the client and leaks the nsec or something like that it'd be equally bad whether the connection to the relay started automatically or manually

great to see damus is moving in this direction

btw, don't know if you saw it, but nostur does this where it keeps a local copy of the contact list and if a "large" change is detected it prompts you to republish your old state

jb55 2y ago

Yes nostur is doing the right thing here, a lot of this stuff is easier with a local database which is why he was smart to start with that. I’m playing catchup… and decided to write my own db from scratch for some reason 😅 but I think the results will be worth it

PABLOF7z 2y ago

yeah, pretty sure the results of nostrdb will be massive and very much worth the investment

elsat 2y ago

https://github.com/damus-io/damus/issues/1855

In addition to contact lists, there are issues with third party clients breaking relays.

verbiricha 2y ago

NIP-65 is almost a year old at this point. kind 3 relays was never part of the spec, is a "crappy legacy from branle".

https://void.cat/d/PmDYJppUMPGLPAZVW8RmxS.webp

ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 2y ago

it'll take some doing to fix this problem, it would help if we could establish which clients are doing what events that make these changes

Tico 🇨🇷 2y ago

So, as users, not only we must learn how to practice safe "nsec", but where to safely "relay" too... 😂

(Pun yourself 😛)

Andrew 2y ago

> In the outbox model you’re giving control of what relays you connect to other people. Until my client is hardened I don’t feel comfortable doing that.

As far as i understand it, it only tells your client what relays to fetch another users posts from, you’re not adding those relays as a permanent part of your own relay list. So what would be the dangers?

PABLOF7z 2y ago

You need to connect to fetch the notes, so yeah, you need to not be vulnerable to a relay giving you a payload that would compromise your client.

That said, you would still need to not be vulnerable to a malicious payload even if the user manually enters the relay URL

Josua Schmid 2y ago

Thank you for clarifying. We all know you take this seriously.