As I understand it, Amboss is only contacted by my node to get the preimage when it sees that the next hop it is supposed to forward a payment to is not a real node at all. Since all other transactions routed through my node will presumably involve real nodes that I have channels open to, my node will not reach out to Amboss for any other transactions it routes.

Of course, since Thunderhub is open source, you can go audit the ~40 lines of code they added to implement the service on the node's side of things: https://github.com/apotdevin/thunderhub/compare/v0.13.27...v0.13.28

If my understanding is correct, then they will be able to see the payments to your node that are routed using your ghost address, but nothing else. Which would mean that it's still a massive improvement over using custodial Lightning, where ALL of your transaction information is exposed to the custodian, and they hold your keys, so they can rug you at any time. By contrast, Amboss only sees those payments I receive through the ghost address, NONE of my outgoing transactions, and most importantly does not hold my keys.

Discussion

It's even more private and specific than what you described. Thunderhub will only contact Amboss when it sees a specific, hardcoded channel ID as the next hop.

So even though the destination pubkey is different for each ghost invoice, Thunderhub can be surgical about when to request the preimage to intercept a forwarded payment.