Replying to Avatar hzrd149

What security risk though? If your using a specific feature thats already enough info to let a would be attacker know what client your using
Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

this is the same idiot security by obscurity nonsense that unfortunately prevails among nostr devs

you can fingerprint events to a client codebase, EASILY

just like you can easily analyse a series of REQ filters from one IP address to establish the npub of the user, and, to add to this, now we point out also thet client can also be fairly confidently determined

this is why auth should not be considered a privacy vulnerability, and why client fingerprinting should not be considered a privacy vulnerability

bullshit on both counts, and i just had to point that out because this thing about auth and privacy has stopped clients from building adequate CHANNEL CONSTRAINED privacy protections for DMs and thus have made DMS virtually fucking useless

Reply to this note

Please Login to reply.

Discussion

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

also talk to the admin of nostr.wine about the problem of how irritating it is to not have working DMs because they are a very nice CLI route for paid relays (which also need to have auth, really, to work)

Avatar
Vitor Pamplona 1y ago

It's not security by obscurity. It's basic privacy. There is no point in providing additional information to attackers when you can avoid it.

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

it obstructs usability if my client can't find my sent messages

it obstructs the marketplace in services that funnel consumer choices towards nostr that help fund development if you DON'T PRIORITIZE WHAT PEOPLE NEED ie DMs

it is an illusion of privacy when you "hide" information that obstructs developers work when the most elementary of heuristics can establish the same facts as a client tag provides, that actually helps the developers of the clients

anyway, carry on, just know that if you are so sure about being right about this with teh influence you have maybe you should consider that the negative consequences may be partially attributable to your idiot attitude

Avatar
Vitor Pamplona 1y ago

The `client` tag has nothing to do with your client's inability to find your DMs. I don't understand where this is coming from.

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

paid relays and DMs are the two big blindspots, of course you can't see it

Avatar
Vitor Pamplona 1y ago

My client doesn't have any issues with paid relays and DMs...

Avatar
ChipTuner 1y ago

> It's not security by obscurity. It's basic privacy.

Two things can be true at the same time.

I don't think anyone should be sending client tags. My signer is configured to strips tags including the Client tag for this reason. Just privacy, no one needs to know the client I'm using. That said, it's also by definition security by obscurity if you think hiding the client someone's using with the intent to "protect" the user