Nostr Web Client

The main issue is that nip-04 leaks way too much data not only to the relay, but to the public in general. On top of that, the encryption procedures of NIP-04 are laughable. The lack of padding alone is a major problem. Imagine saying "Hi" on a DM and that gets converted to 4 encrypted chars. Besides letting everyone know your message is small, how hard is to break the encryption of a 4 char cipher text? Not that hard.

If you repeat GMs around, now you have 100s or 1000s of 4 char encrypted messages. How hard would it be to recover your shared key knowing all those little messages? Not that hard.

With enough shared keys, how hard would it be to figure out somebody's nsec? It gets in the realm of "possible" with today's available computing power.

ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

the leak to the public is because of relays not implementing auth

at minimum, they should implement auth to access DMs

if everyone's relay did this, that problem goes away

it's never a better solution to use obfuscation when you can instead simply not send out the signal

Reply to this note

Please Login to reply.

Discussion

Vitor Pamplona 1y ago

Agree. With it's not just AUTH as defined in NIP-42. It's AUTH + a p-tag filter based on the logged in user. Virtually no relay does this.

But even if it does. The relay itself SHOULD NOT be able to track anyone else but the user that connected.

ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

yeah, this is an essential feature, and nobody is prioritising it as they should be

it's like putting a big fancy padlock on a shitty wood and cardboard gate, to add all this obfuscation to the messages when you could just have auth and not send out messages that don't relate to an authed user pubkey

really, you can't solve that problem any other way

the relay is acting as an untrustworthy intermediary when it doesn't have controls to prevent strangers reading your private messages