Nostr Web Client

All these points were considered in the architecture of our implementation. It is evident you spent <5mins checking out the site. Else you would see the issues highlighted above are accounted for.

1. the Flow Chart that is highlighted in the How It Works section of our Buy page: users are encouraged to set up a Dedicated Device prior to Virtual Private Node purchase. *We envision users to setup device level VPN and use email alias for purchase.

2. This implementation is literally run on a VPS... We never have root access to the server, that information is emailed directly from VPS provider to ripsline user's email provided at checkout. Even so, they cannot access the VPS until root password is changed. We merely provision the VPS for end user, they maintain VPS credentials always.

3. You can check custom installer for malicious LND software as the script is FOSS viewable here: https://github.com/ripsline/Virtual-Private-Node

4. The last two points do not make sense because we never have any information other than user's email and domain name (can use fake domain name which is also highlighted on the site).

Daedalus 0mo ago 💬 2

Yes I spent less than 5 minutes I spent about 1 minute reviewing your page. So you charge $360 a year to provision a VPS for a client, run your open source script, then give the user SSH credentials for the VPS? Is that correct? If so would the user not be better off avoiding the email and middle man all-together and provision their own VPS and run the script themselves? The users adding an identifier in the email and trusting you not to run a modified script at time of install, is that not correct?

What you describe is more private than what I originally surmised, but still leaves deanonymizing attack vectors open or am I wrong?

Reply to this note

Please Login to reply.

Discussion

ripsline 0mo ago

We purchase the Virtual Private Server at cost for 1 year (~$200). The email provided to us at checkout is used so only you have access to your VPS client portal. After 1 year, you will have to pay the VPS provider ~$200 for the second year and so on.

When you purchase through us, we provide ongoing support and a custom script that makes the installation process easier. In the order credentials file, we encourage users to not trust us but to review the script before they run it themselves... they can even paste it into chatgpt to check for malware.

We never provide SSH credentials to the user, the VPS provider emails those directly to ripsline user.

Users are encouraged to provision their own VPS and run the script themselves. Users who know the value of their time will quickly see that our one-time setup fee, which includes ongoing support, is a far better investment than spending their time figuring it out on their own.

There are no deanonymizing attack vectors if user checkouts with email alias, VPN, and fake domain name. All highlighted on our site: https://ripsline.com

Daedalus 0mo ago 💬 1

The email alias and VPN become the de-anonymizing attack vectors since they are the weak links in the chain and are accessible through government subpoena but for most are acceptable tradeoffs for the service you're offering. I think you're doing a good service.

ripsline 0mo ago

Daedalus, you are attacking our business model by saying that VPNs and email alias' are attack vectors. I appreciate your kind words and happy to answer your questions. However, you are creating FUD on our business due to concerns with VPNs? Common.

I also don't understand your point. We can see the IP address (just like every website in the world) of our users. And we know the email used to sign up so we can send order details and support users.

If a government subpoena's us, how would a user be deanonymized? The government would see an IP address that is not theirs and an email hopefully not tied to their personal identity.