Here's Thomas, causing me to notice Damus doesn't check signatures about 6 months before this other security team. Will's fix was just to add a dialog that says don't connect to relays that you don't "trust" and Jack said "Everything comes down to trade offs. Important that it is ultimately verifiable, and that if you require it you could use another client (if the option doesn’t exist to turn it on/off)."

https://nostr.band/note1jz0hgxlhlazxx3nqj06zex5q2eerprtrgssf9whjzx7ps2ufx4dstvl46p

Then here's Vitor fixing the same problem for amethyst same day.

https://nostr.band/note1dnej4y7zu5tgq7kryrq25dmr88lmhzdt0s4vk4gte0ppm0a672asj47g7e

Anyway, just sayin' .. told ya. Nostr without signatures is an abomination, I don't care how slow it is.

https://crypto-sec-n.github.io/#disclosure

Discussion

Using expensive and non-hardware-optimized signature verification on mobile devices is a recipe for disaster. I understand the concern, but you have to make choices based on capabilities.

well, the choice led to being shamed by the blackhats for it, oh well. add "nostr is insecure" to the checklist of fuds 🤙

Public social media protocol is insecure, is sort of an oxymoron, if you ask me. 🤣

it's kinda the whole point of nostr, and of PGP sigs in email.. but, if you really like impersonator spam yes it's a huge industry enabled by .. not having sigs.

sorry grandma, that wasn't actually your daughter needing money and stuff 🚑sad.

Yes, but how will your grandma remember which npub is the correct one? Also, why would grandma rely on a public forum to verify her daughter?

you have to find the most efficient signature verification algorithm.

and you really have to construct the canonical form and check the provided ID is correct. this is one of the problems with putting the ID on the wire, it becomes easier to forget.

sorry, but there is no way around this. you can't trust rando relays to do it. even if they do, you can't trust all of them to do it.

for mobile devices, checking a secp256k1 signature on a sha256 hash of an event is not impossible, and anyway there are now fast libraries for both android and iOS. even, on android devices, you can make a little binary tool that runs to do the job. on iOS, the swift code IS binary so it's just a matter of having the actual function available.

the ID thing, yeah, very interesting.. I don't pretend to be a cryptographer but.. I know that no checks is no bueno. Glad you have thought of all this in orly. 🫡

yeah, this is why i tried to make all of the json codec as fast as possible, it's one of the most expensive operations in the stack

I was under the assumption to interact with signed content, and while I see a performance challenge, not checking the signatures at all cannot be the solution. I'd be fine with a background thread checking signatures, especially of not explicitly trusted relays. So if I explicitly trust relay.x to check signatures, the client could check events from relay.y for either having come from relay.x, too, or in a deferred manner check signatures, and if any invalid signature is found, flag the relay as bad and mark events from it as not checked until they are checked.
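The two checks the thread keeps coming back to (recompute the ID from the canonical form rather than trusting the one on the wire, then verify the secp256k1 Schnorr signature over that ID) as an added worked example in pure Python. This is not code from Damus, Amethyst, orly or any other client mentioned above; it follows the NIP-01 event layout and BIP-340 signing/verification, and the private key, timestamp, aux randomness and content are constructed here for illustration. The `check_event` status values are an assumption of this example, included so a client could do what the last reply suggests: verify in a background thread and flag a relay when it sees `bad_id` or `bad_sig`.

```python
# Added example, not from the thread: NIP-01 event-ID recomputation plus
# BIP-340 Schnorr verification over secp256k1, in pure Python (slow, but
# dependency-free so the checks are visible end to end).
import hashlib
import json

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and a[1] != b[1]:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def _tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def _lift_x(x):
    """Even-y point with this x-only key, or None if x is not on the curve."""
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if y * y % P != y_sq:
        return None
    return x, (y if y % 2 == 0 else P - y)


def schnorr_sign(msg32, seckey, aux32):
    """BIP-340 signing; aux32 is 32 bytes of auxiliary randomness."""
    d = seckey if _mul(seckey, G)[1] % 2 == 0 else N - seckey
    pub = _mul(d, G)[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(_tagged_hash("BIP0340/aux", aux32), "big")).to_bytes(32, "big")
    k = int.from_bytes(_tagged_hash("BIP0340/nonce", t + pub + msg32), "big") % N
    R = _mul(k, G)
    if R[1] % 2 != 0:
        k = N - k
    r = R[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", r + pub + msg32), "big") % N
    return r + ((k + e * d) % N).to_bytes(32, "big")


def schnorr_verify(msg32, pubkey32, sig64):
    """BIP-340 verification; returns False rather than raising on bad input."""
    if len(pubkey32) != 32 or len(sig64) != 64:
        return False
    pk = _lift_x(int.from_bytes(pubkey32, "big"))
    r = int.from_bytes(sig64[:32], "big")
    s = int.from_bytes(sig64[32:], "big")
    if pk is None or r >= P or s >= N:
        return False
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", sig64[:32] + pubkey32 + msg32), "big") % N
    R = _add(_mul(s, G), _mul(N - e, pk))  # s*G - e*P must equal R with even y
    return R is not None and R[1] % 2 == 0 and R[0] == r


def event_id(ev):
    """NIP-01 canonical form [0, pubkey, created_at, kind, tags, content] as
    whitespace-free UTF-8 JSON; the event ID is its SHA-256 hex digest."""
    canon = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                       separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode()).hexdigest()


def check_event(ev):
    """Return 'ok', 'bad_id' or 'bad_sig' (status names are this example's own).
    The ID is recomputed first: a signature over a relay-supplied ID proves nothing."""
    if event_id(ev) != ev["id"]:
        return "bad_id"
    ok = schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"]))
    return "ok" if ok else "bad_sig"


def make_event(seckey, content, created_at=1700000000, kind=1, tags=None):
    """Build and sign a kind-1 event (constructed sample; seckey is hypothetical)."""
    ev = {"pubkey": _mul(seckey, G)[0].to_bytes(32, "big").hex(), "created_at": created_at,
          "kind": kind, "tags": tags or [], "content": content}
    ev["id"] = event_id(ev)
    ev["sig"] = schnorr_sign(bytes.fromhex(ev["id"]), seckey, b"\x00" * 32).hex()
    return ev


if __name__ == "__main__":
    ev = make_event(12345, "hello nostr")
    print(check_event(ev))                                   # ok
    tampered = dict(ev, content="send me sats")              # content edited in transit
    print(check_event(tampered))                             # bad_id
    print(check_event(dict(tampered, id=event_id(tampered))))  # bad_sig: ID relabelled, sig stale
```

The order of the two checks is the point of the reply about canonical form: if a client accepts the `id` field from the wire and only verifies the signature against it, a relay can keep a genuine signature and ID while replacing `content`, and the signature still "verifies"; recomputing the ID from the canonical serialization is what binds the signature to what is actually displayed.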