Replying to Avatar jb55

Im guessing he’s sub-posting me because Ive said this in the past. I have to deal with hundreds of complaints about other clients nuking contact lists. So I have said “if you use another client it may corrupt your contact list”.

Once damus is better at defending against other clients breaking stuff in damus then I wouldn’t have to say this. But it would require some decent amount of code to detect large changes in followers, etc. I’ll do it eventually but it’s a lot of work.

I have already seen malicious relays (but more likely just buggy relays) that will return results that don’t match your filters. In the outbox model you’re giving control of what relays you connect to other people. Until my client is hardened I don’t feel comfortable doing that. But the local relay model I’m working on fixes a lot of these concerns, so I’ll finally be able to switch to outbox once thats done.
Avatar
Andrew 2y ago

> In the outbox model you’re giving control of what relays you connect to other people. Until my client is hardened I don’t feel comfortable doing that.

As far as i understand it, it only tells your client what relays to fetch another users posts from, you’re not adding those relays as a permanent part of your own relay list. So what would be the dangers?

Reply to this note

Please Login to reply.

Discussion

Avatar
PABLOF7z 2y ago

You need to connect to fetch the notes, so yeah, you need to not be vulnerable to a relay giving you a payload that would compromise your client.

That said, you would still need to not be vulnerable to a malicious payload even if the user manually enters the relay URL