Anyone have any thoughts about this? Any way at all that this could be a client issue?

Can't see how this is anything other than cached messages or accidental nsec sharing.


Discussion

The DMs should be encrypted; anyone can log in with anyone’s npub. They just can’t post or read DMs.

No idea, but DMs on NOSTR or basically any social media client should be treated as public notes: public tweets/sheets (or whatever they are called), and public FB posts.

When you “sign in” with a pubkey, you don’t actually see the DM messages. You can see who someone DM’d but not the messages. You’re just able to see nostr from their viewpoint/relays, but the nsec secures the actual messages themselves.

Is that what your friend meant?

Nope, nostr DM privacy is really this bad.

nvm then, I was wrong. Thanks for the clarification 🤙🏻🔥

Mentioned above several times, but:

- Anyone logging in with any npub can see the DM history of that npub.

- DM content is encrypted, but you can see when and how many messages were exchanged.

- Don’t use nostr for DMs, use SimpleX.
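To make the three points above concrete, here is an added example (not from any post in this thread) that parses constructed NIP-04 kind-4 events the way any client receives them from a relay: the sender pubkey, the recipient `p` tag and `created_at` are plaintext, while the content is only an opaque ciphertext and IV. Pubkeys, timestamps and ciphertexts are placeholders, and the helper names are this example's own.

```python
import base64
from collections import Counter

def nip04_content(ciphertext: bytes, iv: bytes) -> str:
    """Build a NIP-04 content field: base64(ciphertext) + '?iv=' + base64(iv)."""
    return base64.b64encode(ciphertext).decode() + "?iv=" + base64.b64encode(iv).decode()

def parse_nip04_content(content: str):
    """Split a kind-4 content field into (ciphertext, iv) bytes. Both are opaque
    without the secp256k1 ECDH shared secret that only the two key holders derive."""
    body, sep, iv_b64 = content.partition("?iv=")
    if not sep:
        raise ValueError("missing ?iv= separator")
    ciphertext = base64.b64decode(body, validate=True)
    iv = base64.b64decode(iv_b64, validate=True)
    if len(iv) != 16:
        raise ValueError("AES-256-CBC IV must be 16 bytes")
    return ciphertext, iv

# Constructed sample of events as any client receives them from a relay, no
# matter whose npub is "logged in". Pubkeys and ciphertexts are placeholders.
CT, IV = b"\x00" * 32, b"\x01" * 16
SAMPLE_EVENTS = [
    {"kind": 4, "pubkey": "alice", "created_at": 1700000000, "tags": [["p", "bob"]], "content": nip04_content(CT, IV)},
    {"kind": 4, "pubkey": "bob", "created_at": 1700000060, "tags": [["p", "alice"]], "content": nip04_content(CT, IV)},
    {"kind": 4, "pubkey": "alice", "created_at": 1700000120, "tags": [["p", "bob"]], "content": nip04_content(CT, IV)},
    {"kind": 4, "pubkey": "alice", "created_at": 1700000300, "tags": [["p", "carol"]], "content": nip04_content(CT, IV)},
    {"kind": 1, "pubkey": "alice", "created_at": 1700000400, "tags": [], "content": "a public note, not a DM"},
]

def dm_metadata(events):
    """(sender, recipient, created_at) for every kind-4 event: all plaintext fields."""
    rows = []
    for ev in events:
        if ev.get("kind") != 4:
            continue
        for tag in ev.get("tags", []):
            if len(tag) >= 2 and tag[0] == "p":
                rows.append((ev["pubkey"], tag[1], ev["created_at"]))
    return rows

def conversation_counts(events):
    """Messages per unordered pair: the 'when and how many' the thread describes."""
    counts = Counter()
    for sender, recipient, _ in dm_metadata(events):
        counts[tuple(sorted((sender, recipient)))] += 1
    return dict(counts)
```

Running `conversation_counts(SAMPLE_EVENTS)` shows who talked to whom and how often without any nsec, while `parse_nip04_content` yields nothing but ciphertext bytes.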

Simplex has a really poor user experience and also doesn't allow sharing of chats across devices. I'd trade the visibility of metadata over those inconveniences.

Do they mean see *the content* of the DMs, or just *who* they were DM’ing?

Former should be impossible afaik

Latter is a yes, you can see who has been DM’d

Without a lot of critical thought, the fact that fiatjaf is using telegram (or signal?) for direct messaging would be a pretty good indicator that nostr is not private. But sure, onboard more twitter users, let's see what they say when they think nobody can see it, should be informative.

Can they definitely see the actual messages? Not just the leaky metadata?

I don’t think so, try it yourself.

Yeah tried this myself and only got metadata. Guessing that's all OP's friend saw too unless OP sent the nsec by accident.

nostr:note138dvj5rfymyzqtwyucmt4mfv43hf5qjlq3cl0mhuxumymcd85fmsktfc8e 0xchat has implemented secure DMs to prevent metadata leaks

https://github.com/0xchat-app/0xchat-core/blob/main/doc/friends.md

iOS & Android Download link: www.0xchat.com

This is by design and now it just works. All sats is public, but the DM message content is encrypted.

This is still a liability, like if you message nostr:npub1dergggklka99wwrs92yz8wdjs952h2ux2ha2ed598ngwu9w7a6fsh9xzpc or anyone and then it turns out someone cracks their nsec or something, they have the entire conversation history, unless of course "all" the relays no longer have those messages saved.

Definitely user issue. He didn’t mention who was able to do that and how he knows about it. My guess is it’s a relative/friend device.

Ah yes... I discovered it as well a while back. It's just the from/to that is public. The message content is encrypted with your nsec.