I do wonder how Jumble.social stacks up in this list nostr:npub1syjmjy0dp62dhccq3g97fr87tngvpvzey08llyt6ul58m2zqpzps9wf6wl
Research: Not in The Prophecies: Practical Attacks on Nostr, Kimura et al. Cryptology Archive, 2025/1459
Summary of attacks against Nostr clients nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgdwaehxw309ahx7uewd3hkcqpq8m76awca3y37hkvuneavuw6pjj4525fw90necxmadrvjg0sdy6qsmthtls nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3qamnwvaz7tmwdaehgu3wd4hk6tcqyz4fq3ej2cpa4n20s9pqjdt8ju6kdh3mrcs2392hku5v80jvd2zyk8p4hdy
nostr:nprofile1qyghwumn8ghj7cngv9nk7uewdaexwtcpp4mhxue69uhkyunz9e5k7tcqyp6demp3l5acelvkp0z6xhkta6utnnhgawqld6x6fjqxw4fhpyjg672r3ys nostr:nprofile1qyjhwumn8ghj7ctzvdjx2en8xgcrydpsxycrgv3sx56rqvpw0puh5tmkxyhhwucpzemhxue69uhkzarvv9ejumn0wd68ytnvv9hxgqpqsctag667a7np6p6ety2up94pnwwxhd2ep8n8afr2gtr47cwd4ewskd5u3m nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqydhwumn8ghj7mn0wd68yttsw43zuum9d45hxmmv9ejx2asqyq87pvvtfklsuz4yplx5wgym9fymxsclc3fmgc80eazu5z73d0t2cdf8lut
Damus seems to be affected by most attacks. Amethyst and Iris the least.
Discussion
I skimmed through the report.
- Jumble generally shows users’ NIP-05 and supports WoT filtering, which helps reduce the risk of pubkey impersonation.
- Jumble uses nostr-tools and verifies the signature of every event.
The other security issues mostly relate to DMs, and Jumble doesn’t have DMs.