Fellow strudelers, I decided that, since I've been using nostrudel.ninja more and more, I would audit the code for signature verification (as I have done previously with ALL clients I use, and even some that I don't use).

I found that it does have signature verification, however, it is turned off by default. I highly recommend changing the setting under performance, and as far as I can tell, it's still very fast. In fact, I can't even tell the difference in speed.

Signature verification is the backbone of nostr. It is tempting for clients to turn it off and so it's good to check that this is not skipped on purpose or on accident. nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr may be able to chime in on why it's off by default.

As you can see in the code here, the signature check is skipped if the application setting is unset.

The settings page to turn it on is under "performance" here:

Once turned on, you will see a green check box on each message. That means it's been verified.

Enjoy!


Discussion

now i see what the green check means, thanks

That description is misleading: it's not "show", it's "disable".

Oh fuck, why? Now I'm paranoid about all kinds of things. So nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr's NoStrudel does not check my follows list's signature? Please tell me this is not true!

Why would it matter? Say I use 12 relays. One of them is compromised. Now that relay can serve my client a modified follows list with a newer date than the others and my client will use this over the others. Next time I add a follow, my nsecBunker or whatever secure way of using my keys will even sign off on the modified list. And before I know what's going on I'm zapping a hacker or get scammed by impersonators.

nostr:nevent1qvzqqqqqqypzqlxr9zsgmke2lhuln0nhhml5eq6gnluhjuscyltz3f2z7v4zglqwqqsxpszhf6r3jk7f3swjjvkykty0q9pp4zp4naymjukmv5j2c50vsdgu0md2u

The current version of noStrudel does not verify any event signatures. The option "Show signature verification" only verifies the signatures after the fact and shows the result on the post.

This is something that was left over from about 6 months ago when I was building noStrudel to be my personal nostr reading client and I've honestly forgotten about it until recently.

The reason I initially didn't have it verifying signatures was I wanted to see everything returned from a relay and see if I could find relays that were returning invalid events. Unfortunately I didn't find any bad actors and so I forgot about signature verification being off.

The next.nostrudel.ninja version of the app does verify signatures, but it's also got some timeline loading bugs I'm working out. Also, as you would expect, it's about 20% slower due to the computation needed to verify signatures.

However this gave me a few ideas to explore.

I'm planning on adding an option to use WASM to verify signatures using "nostr-wasm" and the option to keep signature verification off in the case where you trust the relays you're connecting to.

> unfortunately I didn't find any bad actors and so I forgot about signature verification being off

🤣

Thank you for the reply! I was just re-combing the code and came to this conclusion as well. Good to know I'm not crazy. I also noticed that your yarn.lock has two versions of nostr-tools, just something I noticed.

Perhaps verifying metadata (kind0s) and other select events is a good start that could go easier on perf. Followed by 10002 and 3. I know that damus still doesn't verify sigs either except for metadata. This would be the #1 attack vector for malicious zap harvesting. And spoofing follows or relay lists could also be fairly nefarious.

Having to trust relays is a centralizing force for nostr, and having major clients skip the verification makes the outbox model unreachable and clients wary of supporting the relay ecosystem at large.

Strudeler update:

Confirmed that signature checks are skipped for all events. The setting I described only verifies notes after the fact, not metadata, follows or relay lists.

Hzrd says he's working on it in the next version.

Zap him some sats of encouragement. It's a great client, but keep in mind it's very fast right now because it's skipping verification.
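To make concrete what "verifying signatures" means for a client, and why the compromised-relay scenario with a modified follows list fails once it is done, here is an added, self-contained example of the NIP-01 event check (recompute the event id, then verify the BIP-340 Schnorr signature over it). This is not noStrudel's code and not nostr-tools; it is a pure-Python reference implementation written for this thread. The secp256k1 constants are the standard ones; the key, the kind-3 follows list and the "compromised relay" helper are all constructed for the demo.

```python
import hashlib
import json

# secp256k1 domain parameters (standard constants, not from the post)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] * G[1] - G[0] ** 3 - 7) % P == 0  # generator really lies on y^2 = x^3 + 7


def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _tagged_hash(tag, data):
    """BIP-340 tagged hash: sha256(sha256(tag) || sha256(tag) || data)."""
    tag_hash = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(tag_hash + tag_hash + data).digest()


def _lift_x(x_bytes):
    """Recover the even-y point for a 32-byte x-only public key, or None if invalid."""
    x = int.from_bytes(x_bytes, "big")
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)        # valid because P % 4 == 3
    if y * y % P != y_sq:
        return None
    return x, (y if y % 2 == 0 else P - y)


def schnorr_sign(seckey, msg):
    """BIP-340 signing with all-zero aux randomness (deterministic for the demo)."""
    d0 = int.from_bytes(seckey, "big")
    pub = _mul(d0, G)
    d = d0 if pub[1] % 2 == 0 else N - d0          # negate so the public key has even y
    pub_bytes = pub[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(_tagged_hash("BIP0340/aux", bytes(32)), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(_tagged_hash("BIP0340/nonce", t + pub_bytes + msg), "big") % N
    r_point = _mul(k0, G)
    k = k0 if r_point[1] % 2 == 0 else N - k0
    r_bytes = r_point[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", r_bytes + pub_bytes + msg), "big") % N
    return r_bytes + ((k + e * d) % N).to_bytes(32, "big")


def schnorr_verify(pubkey, msg, sig):
    """BIP-340 verification: s*G - e*P must reproduce the R committed in the signature."""
    pub = _lift_x(pubkey)
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if pub is None or len(sig) != 64 or r >= P or s >= N:
        return False
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg), "big") % N
    r_point = _add(_mul(s, G), _mul(N - e, pub))
    return r_point is not None and r_point[1] % 2 == 0 and r_point[0] == r


def event_id(event):
    """NIP-01 id: sha256 of the compact JSON array [0, pubkey, created_at, kind, tags, content]."""
    payload = [0, event["pubkey"], event["created_at"], event["kind"], event["tags"], event["content"]]
    raw = json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def check_event(event):
    """The check a client must run before trusting a relay's event: id first, then signature."""
    if event_id(event) != event["id"]:
        return "bad-id"
    ok = schnorr_verify(bytes.fromhex(event["pubkey"]), bytes.fromhex(event["id"]), bytes.fromhex(event["sig"]))
    return "ok" if ok else "bad-sig"


def sign_event(seckey, unsigned):
    """Fill in pubkey, id and sig for an unsigned event dict (returns a new dict)."""
    pub = _mul(int.from_bytes(seckey, "big"), G)
    event = dict(unsigned, pubkey=pub[0].to_bytes(32, "big").hex())
    event["id"] = event_id(event)
    event["sig"] = schnorr_sign(seckey, bytes.fromhex(event["id"])).hex()
    return event


# Constructed demo key and kind-3 follows list; none of these are real keys or follows.
DEMO_SECKEY = (int.from_bytes(hashlib.sha256(b"constructed demo key, never use").digest(), "big") % N).to_bytes(32, "big")
FOLLOWS_EVENT = sign_event(DEMO_SECKEY, {
    "created_at": 1700000000, "kind": 3,
    "tags": [["p", "aa" * 32], ["p", "bb" * 32]], "content": "",
})


def tampered_follows(event, extra_pubkey_hex):
    """Simulate a compromised relay: append a follow, bump created_at, recompute id, keep the old sig."""
    forged = dict(event, tags=event["tags"] + [["p", extra_pubkey_hex]], created_at=event["created_at"] + 1)
    forged["id"] = event_id(forged)
    return forged


if __name__ == "__main__":
    print("genuine:", check_event(FOLLOWS_EVENT))                              # ok
    print("relay-modified:", check_event(tampered_follows(FOLLOWS_EVENT, "cc" * 32)))  # bad-sig
```

A relay that edits the follows list can recompute the id (so the id check alone is not enough), but it cannot produce a signature over the new id without the user's key, so a verifying client drops the forged event and keeps the older, genuine one. This is also why verifying "after the fact" and only showing a check mark does not help: the client has already acted on the event by then.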

nostr:nevent1qqsxpszhf6r3jk7f3swjjvkykty0q9pp4zp4naymjukmv5j2c50vsdgpz3mhxue69uhhyetvv9ujuerpd46hxtnfdupzqlxr9zsgmke2lhuln0nhhml5eq6gnluhjuscyltz3f2z7v4zglqwqvzqqqqqqyh0zfuk

🥱😴💤💤💤

Ok. More puppies.

THANK you

#pupstr 💤💤💤 🫠

Awwwwwwwwwwww