I totally get devs struggle with DMs but maybe they dont realize the impact of ignoring it for so long.. it hurts the nostr economy. If their businesses depended on using nostr for communication, they would fix it right away with nip17. I struggle to communicate and payments too, much of the reason is these DMs dont make it to the intended recipient while simultaneously leaking data. loss loss.
wall of shame nip04: damus, primal, nostrudel, nos social.
today i learned it's because they don't really understand cryptography or signals intelligence at all
it's a teachable moment, recognising this, i hope y'alls who are less abrasive than me will understand what i'm saying, they don't understand the cryptography or the signals intelligence aspects of it
that is,
they don't even realise there is no such thing as a cleartext attack on any brand of AES encryption
they haven't even thought about the idea of app specific configuration data being separately encrypted with a second key or password
the one that threw this in my face and made me realise, literally his app publishes your app configuration in the clear
Death to nostr DMs. Wish they’d get rid of them entirely.
ok glowie
Glad you're not in charge :D
🤷♂️ DMs on nostr are a mess, not implemented well and/or fragmented implementations, some of which are not completely private. And then what happens if your private key is compromised and you have sensitive info in your DMs? Can’t delete those events reliably because anyone can keep a backup of them, and you can’t rotate them to a new key. DMs on nostr are a disaster waiting to become an even worse disaster. Don’t use them.
While I don't disagree, DMs are an issue, it's important to keep in mind that's not a Nostr problem per se - That's a client implementation problem.
As much as x or y aren't a problem of Linux, they're a problem of their respective distributions - This to say, fragmentation is to be expected.
DMs are only a problem if we keep using and recommending the clients that do NOT keep up with the best standards - And it's up to users who are AWARE of this to make others aware.
For me, DMs stopped being a problem as soon as I switched from NIP-04 clients - I told everyone I'd onboarded - Most agreed and migrated as well (again, no real effort because Nostr 🤘), some understood but keep using said applications but not relying on their DM implementations.
Clients, and by extension their developers, are the ones at a loss.
The quicker we can all come to terms on this, the quicker we can make Nostr better for pretty much every form of medium out there, be it your Twitters, your Youtubes or your Telegrams. It can do it all, but we as users of this open protocol need to push and steer things in the right direction.
No, the issue IS nostr not being suitable for DMs. It’s not just a client implementation problem. Anyone can keep a backup of all your DM events. If they ever get access to your key then they can read them.
No.
Nostr is a protocol, which can be used for real-time communication, much like many TCP/IP protocols, most of which have no inherent security features, much less encryption. Encryption protocols tend to be session wrappers, rather than part of the protocol itself.
To say Nostr isn't suitable for DMs is like saying UDP isn't suitable for DMs.
Well shit, if only it weren't its job.
I understand your frustration, but having read around it seems you use two clients primarily - Primal and Nostur, both of which to my knowledge do not support NIP-44, and are still stuck on legacy NIP-04, which yeah, sucks.
If these are the applications you use and recommend, I can assure you that when it comes to DMs you're going to have a very poor experience.
Primal for instance is one of the go-to apps for onbaording new users - And they're being onboarded with legacy DMs - The issue here is NOT the DMs, the issue here is a lack of urgency by the developers to keep up with improving standards, all the while both their user's privacy and experience suffer.
To that effect, perhaps it would be best that they cut out DMs from their clients entirely, so you could have a more streamlined experience, but suggesting Nostr isn't suitable for DMs is short-sighted at best.
businesses need the email equivalent for nostr. DMs existing makes them that. i feel like i must use them, because i dont want to ask for email addresses. >50% of the time it falls back to nip04 because really huge clients stalled on nip17.
anyway, funny i chose to rant about this today its like beating a ded horse, just saw jerkey guy and was like, burn notice! 🔥😁
Won’t find me using them for anything important.
Main reason I run my own web server and email for business purposes, because I can at least control the mail server channels and deliverability.
No online communications are inherently secure anyway.
I think over time, users who both see the potential for Nostr communications, but also care about privacy and security, will migrate to clients that do keep up with the best NIPs/other standards.
Lack of NIP-44 DMs is exactly why I've never really touched Primal and cannot recommend it, or the others. I like noStrudel as an "overview" experience of Nostr, but see it much more as an experiment than a day-to-day client.
it's not so much about what nip-04 involves, that is just the encryption
nip-44 adds giftwrapping to it for no reason, and it uses a weird custom HMAC and chacha cipherblock function for no reason when AES was just fine actually, and DMs in nostr events DON'T NEED HMAC that's literally what ha hash (ID) and signature are... you don't even need to have a hash check on the messages, again, it's in a hashed and signed fucking data blob
i don't mind so much the use of the chacha block cipher instead of the AES (rijndael) cipher but it's all a bit much of a muchness... chacha-20 is definitely more secure than even SHA256 for cipher block streams but we are talking about 1000 years versus 5000 years it's not that big a leap
nip-65 is what concerns where DM messages are sent to, and should also take part in other private data like user state information, Application Specific Data
there is too little basic understanding of how symmetric cryptography works, and the role of ECDH in shared secrets, and some actually understand these things, double ratchet and MLS but these extra things are cake
the important things:
strong encryption :check:
sending data only to where the receiver wants it :X:
NOT MAKING IT COMPLICATED TO IMPLEMENT :utterfail:
