The current version of noStrudel does not verify any event signatures. The option "Show signature verification" only verifies the signatures after the fact and shows the result on the post.

This is something that was left over from about 6 months ago when I was building noStrudel to be my personal nostr reading client, and I had honestly forgotten about it until recently.

The reason I initially didn't have it verifying signatures was that I wanted to see everything returned from a relay and see if I could find relays that were returning invalid events. Unfortunately, I didn't find any bad actors, and so I forgot about signature verification being off.

The next.nostrudel.ninja version of the app does verify signatures, but it also has some timeline loading bugs I'm working out. Also, as you would expect, it's about 20% slower due to the computation needed to verify signatures.

However, this gave me a few ideas to explore.

I'm planning on adding an option to use WASM to verify signatures using "nostr-wasm", and the option to keep signature verification off in the case where you trust the relays you're connecting to.

Discussion

> Unfortunately, I didn't find any bad actors, and so I forgot about signature verification being off

🤣

Thank you for the reply! I was just re-combing the code and came to this conclusion as well. Good to know I'm not crazy. I also noticed that your yarn.lock has two versions of nostr-tools, just something I noticed.

Perhaps verifying metadata (kind 0s) and other select events is a good start that could go easier on perf, followed by 10002 and 3. I know that damus still doesn't verify sigs either, except for metadata. This would be the #1 attack vector for malicious zap harvesting, and spoofing follows or relay lists could also be fairly nefarious.

Having to trust relays is a centralizing force for nostr, and having major clients skip the verification makes the outbox model unreachable and clients wary of supporting the relay ecosystem at large.