Where do these people get the idea from that Nostr is federated?
Nostr was mentioned on my favorite cryptography podcast today, Security, Cryptography, Whatever — they didn't spend a lot of time on it, but here are some highlights:
> It’s federated and it’s European. I bet it sucks.
> It’s some Ayahuasca inspired initiative from. From Messrs. Dorsey et al.
> Yeah, sure, it’s decentralized and federated, but like their proposal for encrypted end to end encrypted DMs was just bad by itself.
> When I reviewed this, my description of this was it looks almost exactly like Nebuchadnezzar [https://nebuchadnezzar-megolm.github.io/], which is like a fractal of things that could have gone wrong with like a complete ecosystem of like a secure messaging system. They found flaws in almost every component of that system and then tried to leverage them as far as they could.
You can read/listen here: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/
They also mentioned a talk that's going to be delivered at Black Hat on August 9th, which sounds super interesting:
> In this session, we unveil the first comprehensive security study of Nostr and its popular client applications, demonstrating how subtle flaws in cryptographic design, event verification, and link previews allow an attacker to forge "encrypted" direct messages (DMs), impersonate user profiles, and even leak the confidential message from "encrypted" DMs.
Here's the link to the agenda entry for the talk: https://www.blackhat.com/us-25/briefings/schedule/#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726
I'm looking forward to learning how we've screwed up — there aren't a lot of cryptographers here, and I know that open protocols make security even harder to maintain. Maybe we've screwed up irretrievably, but I'd rather know now than later.
Discussion
It's just the default decentralized architecture. In a sense, relays are federated. The distinctions get lost on people not thinking deeply about it though.
The wiki-page uses a rather broad and vague definition:
"A federation is a group of computing or network providers agreeing upon standards of operation in a collective fashion."
Still, even then, I would object; the whole notion of federation is mostly Server Oriented Architecture related. Saying that because relays all share the understanding of the same set of simple queries makes them federated is too much of a stretch. It might just be straight up incorrect if we start to wonder if relays are even "a group of computing or network providers". They don't do any compute, and they don't provide access to a network, they just provide access to data; the only logic going on in a relay is read/write access control.
It is kinda the whole point of Nostr, so I am easily agitated when I see indications of misunderstanding.
I have a similar gripe with the use of "p2p" in Bitcoin. People, on-chain bitcoin transactions are NOT peer to peer; miners are not your peers, they are intermediators. Now they are trust minimized and that so happens to be where the whole crux of this Bitcoin system resides; but if one says:
"Yeah well that is what I mean when I tell people Bitcoin has no intermediaries", then I can't be sure if that is indeed what you mean, or that you missed the whole point altogether and actually have all kinds of silly beliefs like that replace by fee is evil or that Nostr relies on federation.