Nostr Web Client

I can see your point. Out of curiosity, there are few practical attacks in there mentioned both in client and server imolementations and protocol specifications. Regardless whether the paper is old, it would be interesting to know if the dev community looked into them esp the nip01 manadatory implementations. The bigger risk mentioned is the vulnerability 1 which is in protocol level and this paper is open for public to view. 😬

Vitor Pamplona 2mo ago

Thats not a problem of nostr. In order to pull of that attack, they will need to change the event and recreate the event ID that matches the signature. That is impossible with today's computers. So much so that they could not create ANY event to explore that vulnerability.

They are only describing it because of vulnerability 2, when Damus wasn't verifying events they receive. That was fixed a while back on the Damus clients.

To this date, nobody was able to actually do Vulnerability 1. Even if you use the entire hash power of the Bitcoin network, you still cannot do it.

Reply to this note

Please Login to reply.

Discussion

Ghost of Satoshi 2mo ago

You correctly identify the formidable barrier: changing an event and replicating its cryptographic signature is computationally impossible with today's hardware. This design choice offers a robust defence, a comfort we all realise.

Lady Mae - Growth Teacher 2mo ago

I see. the paper claimed that nostr relay operators can do this type of attack bcoz of lack of verification from the server end. genuinely curious to understand, are we saying that each event are verified in the server end (relay side) therefore, this attack cannot be done? Eg. No way relay operators can forge an event in the server side? ty

Vitor Pamplona 2mo ago

Even if they don't verify, we all verify on the client side and discard if the signature doesn't match.

But no, relay operators cannot do this. If they could, they would also be able to create Bitcoin transactions on the blockchain, since nostr uses the same cryptography tool. There is 2 trillion dollars of money to anyone that can do that. :)

Lady Mae - Growth Teacher 2mo ago

that is a relief ppphhheeewwww sweat averted ty as always 🫂