So basic introduction for anyone interested: I am a gray hat hacker and cybersecurity awareness activist who likes to stir up privacy-centered networks. I have probably met some of you before.

I actually came here looking for a challenge. I've been lurking around here in some form or another for about 4 months now, playing with different clients and tools, even running my own testnet (3 stirfry relays on a VLAN). Mostly I have been focused on the community and how people use different clients. I've been playing with some good open source tools and getting an understanding of how to interact with relays.

Personally I'm not all that into Bitcoin, but I do have a whole BTC in cold storage so I guess I've got that going for me. This whole lightning thing is new to me, I don't really ever spend Bitcoin, and my actual business makes me plenty of fiat.

So far I am impressed with the community. A little too wild-west in some areas since there's hardly any moderation tools, and the community isn't quite interested in the same things that I am, but I do see a lot of advocacy for privacy and digital freedom, and I like that.

But the whole system here is, regrettably, broken. The promises made about Nostr don't live up to reality. A network like this has the potential to become so much more, but there is a lot to lose if it is done wrong.

I intend to help expose these problems. Expect me here for a while. There are a lot of vectors for attack, and I plan to give them all visibility.

Nostr devs, please pay attention. With no centralized network development, all of you are responsible for fixing these issues.


Discussion

Thanks for bringing privacy to the forefront. Few read the respective nostr github project documentation on privacy. Your method of exposing privacy on base nostr protocol has been effective.

> hardly any moderation tools

Despite this, the discourse is more civil than that of twtr. Maybe it’s a function of nostr’s tiny size, and lack of algos.

nostr:npub1wmr34t36fy03m8hvgl96zl3znndyzyaqhwmwdtshwmtkg03fetaqhjg240 and nos social are as far as I’m aware thinking and developing most on moderation tools.

I don’t know how far they’ve gotten - that said one of the benefits of nostr is you don’t have a mandatory moderation curator in a WEF stooge. You can have a feature where you choose your own moderator - for instance you can choose Jack.

nostr:npub1g53mukxnjkcmr94fhryzkqutdz2ukq4ks0gvy5af25rgmwsl4ngq43drvk implemented web of trust network hops filter more than half a year ago on Iris messenger.

> no centralized development

Yes, this is a feature. Otherwise we’ll get another closed big tech gulag.

You are more than welcome to submit PRs to Damus, and I’m sure many others will happily review patches. Nearly all of nostr is FOSS, and lead devs welcome patches.

Example code and issues https://github.com/damus-io/damus

1) Once you have an account established and are following people it is mostly fine, but it's hard to browse the global feed without seeing strongly undesirable content such as lolicon (or worse). This is a natural consequence of being censorship-resistant, but it will scare new users away. I'm excited to see how this can be reined in without harming the free speech of other users.

2) By "centralized development", I just mean any standard unifying practice for development. Centralizing a core Nostr codebase under GPL would keep it property of the people forever, while making sure all bugs and weaknesses are patched for everyone. Everyone doing things their own way is a recipe for disaster. Death by a thousand cuts.

3) I have never used Damus, so nothing I've uncovered is specific to them. Finding a weakness in Nostr means every affected Nostr project needs to fix it independently. Even I don't want to write that many bug tickets.

1) Agree on the anime p*rn being an eyesore for most. Certain relays have more than others. Agree protocol allows for this, and it is the tradeoff of censorship resistance. I see onboarding as the initial part of the challenge here. Specifically on Damus, the current band-aid solution during onboarding is to have a list of suggested profiles to follow thematically separated (homesteading, parenting, media etc.). Discovery post-onboarding, and the "universe view" is the never-ending continuation of this question. Team is aiming to explore the design, and experience here soon ™️.

Further to the **** problem, there's some work done on using opt-in sensitive image scanning on Damus. It's not complete, and not yet tested for reliability and robustness.

2) > Centralizing a core Nostr codebase under GPL would keep it property of the people forever

My understanding is nostr code is licensed (verbatim) as "public domain".

3) I got you, and appreciate effectively pointing out a single weakness thus far. I hope you continue exposing weak points. Here is a proposed solution for a single client: https://github.com/damus-io/damus/issues/1897. If you have feedback on this solution, I'd be happy to pass on to the dev team. If it's just the problem statement/issue you want to share, I am happy to put on the radar of various nostr clients by generating a bunch of issues.

Lmk if/how I can be of help.

One fundamental flaw I see with this idea is that if you are addressing the method in which I gathered these IPs (via DM), you would have to send decrypted URLs from a user's end-to-end encrypted DMs to the image proxy, which endangers privacy in a new way because it reveals part of the message to the proxy. Now you have to trust the proxy with potential secrets.

Link Previews are also a vector for attack here, and it would be even worse to send all DM'd URLs through the proxy.

I also worry that image proxies could bloat the cost of running a client, are a form of centralization (this solution only benefits Damus users), and are a vector for DDoS/Abuse.

Gossip client doesn't even have a way to see global relay posts. Apparently I missed out on shower girl, 🍆-pic day, and lots of other things.

Now that users can mark relays as 'spam safe' (trusted to moderate content - I should probably rename it) I may add in a global feed for those relays.

Sounds great, looking forward to what you come up with. We need people like you to stress test the network, because as you say there are a lot of vectors. Be patient with us though, because devs have an incredible amount of work on our plates. This is a 30+ year project. Let's go!

I don't intend to push every button at once. For right now it's easy IP leaks. That needs to be resolved first. I don't expect it to happen overnight.

This place can mature into a universal standard if we work out all the kinks.

Are you talking about IP addresses?

IP address privacy is solved. Use a VPN or use Tor... tails... or qubes. Depending on your threat model.

To do IP you need an address, and that IP address necessarily gets signalled to your IP peer. And if you don't do IP you are not on the Internet.

Nostr clients shouldn't be trying to control every protocol layer. Let the IP layer software handle the IP layer and nostr runs on top of that.

Every few months one of these self-proclaimed hacktivists comes to point out nostr shortcomings in some malicious and uncreative way.

So far none of them that I’ve come across has actually pointed out anything useful. This doesn’t seem any different. It’s just a way for them to flex their ego and get some recognition.

Clients should at the very least have a toggle to turn off loading images from people they don’t follow (or their WoT) and many already do. Outside of that, there is nothing broken and nothing to fix.

Not sure why we give these people so much attention…

Nostr is the first thing to teach people how the internet works since MySpace.

I'm not going to pretend that what I did wasn't trivial. It was.

But if this trick is so uncreative and unoriginal, why hasn't this attack vector been resolved yet?

If nobody has a reason to fix this, I'll give them a reason.

What is there to fix in the nostr protocol?

If a particular client is loading images from unknown recipients, that’s an implementation choice. If you have a problem with it or think it should be done differently, you can open an issue in their repo or write a PR and contribute to a solution. Or, of course, you can use a different client or write your own. I fail to see how this is a nostr weakness or how what you’ve done is helpful or creative.

People who are concerned about exposing their IP on the internet should use a VPN or Tor.

nostr:npub1sn0rtcjcf543gj4wsg7fa59s700d5ztys5ctj0g69g2x6802npjqhjjtws (and Iris) client have a default option called 'Image proxy service' which I believe solves the issue, right? nostr:npub1wq6n8skpdtrhw8hmr00kp2za7a8y97zqngq8jq85q2aydp8ejxzq8p7d9k

The real issue is inconsistency. Different clients have different ways of trying to protect you from the same features, all of which are implemented differently.

Also, using an image proxy may protect you from leaking your IP, but as I have mentioned previously, this would now mean that URLs from your end-to-end encrypted messages would be decrypted and sent to the proxy, damaging your privacy in a different way.

Ultimately, my take on Nostr web clients is that if you're using any other browser than Tor Browser, you're doing it wrong.
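The mechanics argued over in this thread, as a worked example: the earlier point that any image URL inside a decrypted DM is fetched by the reader's browser (so the host in the URL learns the reader's IP), the suggestion of a follow/WoT toggle for loading media, the proxy trade-off restated in the reply above (the proxy now sees URLs that came out of an end-to-end encrypted message), and the "spam safe" relay idea from the Gossip developer. This is added code, not from any Nostr client and not from anyone in the thread; the pubkeys, hostnames, relay URL and proxy URL are made up, and `fetchImpl` stands in for the browser's image loader.

```javascript
// Added example: a media-rendering policy for a nostr web client.
// Threat modelled: the reader's browser fetches every image URL it renders
// inline, including URLs inside decrypted kind-4 DMs, so the origin host
// sees the reader's IP. A per-recipient token in the URL makes it a tracker.

const URL_RE = /https?:\/\/[^\s<>"']+/g;
const IMAGE_RE = /\.(png|jpe?g|gif|webp)(\?.*)?$/i;

function extractImageUrls(content) {
  return (content.match(URL_RE) || []).filter((u) => IMAGE_RE.test(u));
}

// policy: { follows: Set<pubkey>, wotHops: Map<pubkey, hops>, maxHops,
//           spamSafeRelays: Set<relayUrl>, loadFromStrangers, proxy }
function mayAutoLoad(event, relayUrl, policy) {
  if (policy.loadFromStrangers) return true;          // the leaky default
  if (policy.follows.has(event.pubkey)) return true;  // people you follow
  const hops = policy.wotHops.get(event.pubkey);      // web-of-trust distance
  if (hops !== undefined && hops <= policy.maxHops) return true;
  // Relay you have marked as moderated ("spam safe"). A relay's moderation
  // says nothing about a private DM, so this rule is not applied to kind 4
  // (assumption of this example, not Gossip's exact behaviour).
  if (event.kind !== 4 && policy.spamSafeRelays.has(relayUrl)) return true;
  return false;
}

// Render one event's media. Returns what was fetched directly, what was
// blocked, and which URLs a proxy would have been handed.
function renderMedia(event, relayUrl, policy, fetchImpl) {
  const result = { loaded: [], blocked: [], revealedToProxy: [] };
  for (const url of extractImageUrls(event.content)) {
    if (!mayAutoLoad(event, relayUrl, policy)) {
      result.blocked.push(url);
      continue;
    }
    if (policy.proxy) {
      // The origin host no longer sees the reader's IP, but the proxy now
      // receives the full URL, even one that came out of an E2E DM.
      result.revealedToProxy.push(url);
      fetchImpl(policy.proxy + encodeURIComponent(url));
    } else {
      fetchImpl(url);
    }
    result.loaded.push(url);
  }
  return result;
}

// Constructed sample data (hypothetical pubkeys and hosts).
const ALICE = "alice-pubkey";
const BOB = "bob-pubkey";
const STRANGER = "stranger-pubkey";
const RELAY = "wss://relay.example";
const EVENTS = [
  { kind: 1, pubkey: ALICE, content: "from a friend https://cdn.example/cat.png" },
  { kind: 1, pubkey: STRANGER, content: "hi https://tracker.example/t/7f3a.png" },
  // A DM whose URL carries a per-recipient token; content is already decrypted.
  { kind: 4, pubkey: STRANGER, content: "look https://tracker.example/t/9c1b.png" },
];

const basePolicy = {
  follows: new Set([ALICE]),
  wotHops: new Map([[BOB, 1]]),
  maxHops: 1,
  spamSafeRelays: new Set(),
  loadFromStrangers: false,
  proxy: null,
};

// Run the three sample events through a policy and report which hosts the
// network would see the reader's browser contact.
function demo(policy) {
  const hosts = [];
  const fetchImpl = (url) => hosts.push(new URL(url).host);
  const out = EVENTS.map((e) => renderMedia(e, RELAY, policy, fetchImpl));
  return { out, contactedHosts: [...new Set(hosts)] };
}

console.log("leaky   :", demo({ ...basePolicy, loadFromStrangers: true }).contactedHosts);
console.log("hardened:", demo(basePolicy).contactedHosts);
console.log("proxied :", demo({ ...basePolicy, loadFromStrangers: true,
  proxy: "https://proxy.example/?url=" }));
```

Under the leaky policy the stranger's DM tracker is contacted directly; under the follow/WoT policy only the followed sender's host is contacted; with a proxy the only host contacted is the proxy, but the DM URL is in `revealedToProxy`, which is the privacy trade-off the reply above describes. Marking the relay as spam safe unblocks the stranger's public note but still leaves the DM blocked.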

Sucks but gotta embrace the suck. Part of the process when growing fast. Lots of ideas being tested at once and over time we will see a normalized distribution of features centered around some broad appeal features. It'll come.

Just let the devs cook bro. We are moving faster than we have any right to have expected.

We don’t divulge our personal holdings.

However, it’s nice to have you. Added so I can see what you get into.

🔱

I would love to hear more about what you think the top 2-3 things are that are broken. I get that the network is not very mature when it comes to strong privacy or moderation but are there specific things you'd call out?

Top flaws?

1) Reckless NIP implementation. Too many features with deleterious side-effects.

2) Poor privacy controls. Way too easy to leak PII.

3) Poor key management. One big exploit could compromise large numbers of accounts.

As for moderation, I just worry about the commonality of extreme content that will scare away new users.

Most people don't care about privacy. Edward Snowden and others have been trying to convince people that they should care. And events where good people suddenly become seen by society as bad people have worried a lot of us, so more people care now.... the excuse "I don't need privacy, I'm not doing anything wrong" doesn't apply to that last case. Whoever you vote for you will have enemies, and you should want protection from them.

I've already commented on IP address privacy - I don't think it should be handled in-protocol. I believe using the web stack puts both privacy and security at risk, which is why the client I develop (gossip) runs on the desktop without a web stack. I've tried to include a lot of settings to allow people who care about privacy to maintain their privacy. You can disable rendering media inline automatically. You can disable fetching of avatars, of media, of checking NIP-05, of fetching metadata. You can run in offline mode. You can include a ["client","gossip"] tag if you want, or can turn that off. You can include a user-agent string if you want, or turn that off. Oh, and your private key is stored encrypted under a password and zeroed (along with passwords) before memory is released.

I intend to give users more control over connecting to and authenticating to relays via whitelisting (slated for 0.10).

I intend to implement NIP-46 in both directions, which will help a lot with key management, especially as other nostr clients and services begin to support it.

As for moderation, gossip allows you to write a script to filter posts using any code you can dream up. We also just added code to not load posts from people you don't follow unless they are on relays you designate as 'spam safe'.

So I think we are on track, and these issues are all being addressed. But there is plenty of work to keep on doing.

I'm not aware of anything broken. Show us please

Your approach comes off as being a little bit heavy-handed, but after giving it some thought I kind of appreciate what you're doing. We need privacy stress tests and unfortunately, gentle reminders don't seem to work.

We can jump up and down and scream about the importance of a VPN and basic privacy preserving techniques. But some people won't "get it" until they see some consequence like you showing how simple it was to grab a user's IP.

It's actually a bit of a breath of fresh air to see someone who's willing to stir up the pot a little bit in an effort to help the network grow rather than a malicious actor trying to genuinely fuck with people.

Glad to meet you and yes, please share what you find.

Hi !

Looking forward to seeing what you have found out.

Perhaps create a second nostr account for bot posts (e.g. the IP addresses) as they are informative but they make you individually difficult to follow.

Unsure about what you mean with "it's regrettably broken". Would love to hear more on this. Thanks to nostr:npub1san22nhe59ct8pstcehav4dtkf94lkn46ltl7d30g3zzl00tg7ussgqjdd for reposting.

I completely agree with certain types of 'stress testing', breaking things and exposing gaps, but I do NOT agree with posting IP addresses that can potentially hurt someone. I understand that this can easily be found, however, if the particular person wants to go to the effort of finding out that information. I do NOT agree that it should be posted out there for everyone to see.

Expose issues but don’t expose things that can potentially harm someone.

The cat-in-the-box theory, whether full or empty, depends on you. The goal is 5 million, but the choice between the full or empty box is yours.

Solana.....

5uiAkvrEBRP71snvPsQC9AV1qrTGkJGyEqrPeJ3mrmNt

*Breaks into warehouse

*Beats security guard with baseball bat

"Look at that attack vector. Good thing I exposed it or else somebody could have used it to hurt you."