Nostr clients are using your IP geolocation and/or checking your browser language to automatically show notes from other users who also share the same country as you.

This leaks information about the user's location/country, and is a major concern for privacy reasons.

Not sure if every client is doing this, #Snort #Iris are clearly doing it, especially noticeable when not logged in. When logged in there is no option to disable this behaviour and it seems to be enabled by default.

nostr:npub1r0rs5q2gk0e3dk3nlc7gnu378ec6cnlenqp8a3cjhyzu6f8k5sgs4sq9ac nostr:npub1v0lxxxxutpvrelsksy8cdhgfux9l6a42hsj2qzquu2zk7vc9qnkszrqj49 nostr:npub1g53mukxnjkcmr94fhryzkqutdz2ukq4ks0gvy5af25rgmwsl4ngq43drvk can any of you explain what's going on?

#nostr #privacy #opsec

Discussion

Not really sure how it works, I think it's based on browser language? Devs would know better.

But where is it leaking this to? What's the "major" concern?

For example, if I'm in France or have my browser set to French, when I post something, even if it's in English, it'll show up on the main feeds of French users, even if they don't follow me directly.

Users might not know my exact IP address, but based on this "feature" they can know my location/language because the client itself has leaked it.

I think it would only post to the French timeline if your browser is set to French. I'm in Japan and my browser is all English and I don't show up in Japanese timelines (I don't think) - unless people are following me from Japan, which some are.

When you open any website this information is sent to the server by default, we're not doing anything special.

If you're concerned for your privacy in general you should use a VPN or just don't use a browser at all.

Thanks for replying. The server having this information isn't the problem. VPN might not do the trick, I did some tests and think it depends only on the language set in the browser.

I guess users who care about this particular issue should just avoid having the browser language set to anything else besides the default English.

I'm with Kieran and Karnage. Honestly I wish Amethyst could do this too, favor the languages I set it to. As much as the data hungry companies abuse metadata like this, any website theoretically has my language(s) in order to serve me content I can comprehend. If I semi trust the provider it might be a very useful tool.

You didn't quite get what I was trying to say or I explained it poorly. It's probably the latter.

The problem isn't about the client knowing your location or language. Instead, it's about the other users knowing that information about you.

If you have your browser set to French and the #nostr client uses that information to automatically share your notes with other French users, this reveals your language and country to those users, even if your notes are in English.

It's a #privacy hole that could be exploited by an attacker to help deanonymize the country/language of a specific user if they have this knowledge and are willing to put in the effort.

That's not how it works, if you're talking about which relays you're posting to, then that's in your own control.

Ah sorry misunderstood. I assumed it was the website filtering it for you (people who have clients/browsers set to English are shown posts that contain English words).

If the web clients are in some way sharing that with others directly/indirectly then that's more data that could be exploited and I see where you were coming from.

Trending notes from nostr.band API are localized, but that only reveals your locale to nostr.band.

The bigger privacy issue is that Nostr clients send your IP in every direction in nip05 lookups and relay connections, especially with the outbox model which connects to other users' relays when you visit their profiles.

If you don't want to reveal your IP address, VPN or Tor is the best solution.
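
The exposure described in the last reply, as an added example that is not part of the thread or of any client's code: given a profile's kind 0 metadata and its NIP-65 relay list, it lists the hosts that would see the viewer's IP address only because that profile was opened. The function names, events and `example.*` hostnames are assumptions constructed for illustration.

```javascript
// Added example. All events and hostnames below are constructed sample data.

// NIP-05: "name@domain" is checked via https://domain/.well-known/nostr.json?name=<name>
function nip05Url(identifier) {
  const parts = String(identifier || "").trim().split("@");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  try {
    const url = new URL(`https://${parts[1]}/.well-known/nostr.json`);
    if (url.hostname !== parts[1].toLowerCase()) return null; // bare ASCII hostname only
    url.searchParams.set("name", parts[0]);
    return url;
  } catch { return null; }
}

// NIP-65: kind 10002 tags look like ["r", <relay url>, optional "read" | "write"].
// Under the outbox model a reader pulls notes from relays not marked "read".
function writeRelays(relayListEvent) {
  if (!relayListEvent || relayListEvent.kind !== 10002) return [];
  return relayListEvent.tags
    .filter((t) => t[0] === "r" && t[1] && t[2] !== "read")
    .map((t) => t[1]);
}

function relayHost(relayUrl) {
  try {
    const u = new URL(relayUrl);
    return u.protocol === "wss:" || u.protocol === "ws:" ? u.hostname : null;
  } catch { return null; }
}

// Hosts that learn the viewer's IP only because this profile was opened.
function newHostsContacted(profileEvent, relayListEvent, ownRelays) {
  const seen = new Map(); // host -> why the client connects
  let meta = {};
  try { meta = JSON.parse(profileEvent.content) || {}; } catch { /* malformed kind 0 */ }
  const lookup = nip05Url(meta.nip05);
  if (lookup) seen.set(lookup.hostname, "nip05 lookup");
  for (const host of writeRelays(relayListEvent).map(relayHost)) {
    if (host && !seen.has(host)) seen.set(host, "outbox relay");
  }
  for (const host of ownRelays.map(relayHost)) seen.delete(host); // already connected
  return [...seen].map(([host, reason]) => ({ host, reason }));
}

const sampleProfile = { kind: 0, content: JSON.stringify({ name: "alice", nip05: "alice@id.example.org" }) };
const sampleRelayList = { kind: 10002, tags: [
  ["r", "wss://relay-a.example.net"], ["r", "wss://relay-b.example.net", "read"],
  ["r", "wss://relay-c.example.com/", "write"], ["r", "not a url"] ] };
console.log(newHostsContacted(sampleProfile, sampleRelayList, ["wss://relay-c.example.com"]));
```

Run over the profiles in a follow list, the same function gives the set of hosts a VPN or Tor would need to cover.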