Replying to Avatar Jameson Lopp

I mostly poke fun at Mastodon, but something interesting happened last week that got me thinking. I received several messages via the protocol that I needed to update my instance to patch a vulnerability.

How did this happen? My instance publicly lists my Mastodon handle as being the admin, so folks could scan the Fediverse of instances for unpatched versions and message their admins.

Last week I was researching Bitcoin node versions and how long it takes operators to update. I realized that the average time to update is increasing over the years. My suspicion is this is a result of more hobbyist node operators who aren't technical and are running a user friendly plug and play node. So they are less likely to be checking the node for updates.

Point being, nostr seems like a great solution for the notification problem. Imagine if you could paste your npub into node / any other server software upon installation. The server could generate its own private key and establish an encrypted DM channel with you. Then whenever an update is available, you could be notified in your nostr client.

Voila, secure and decentralized update notifications for server admins!
Avatar
Braydon Fuller 1y ago

I've noticed this also a few years ago.

There are some advantages to upgrading node software slowly; an unknown vulnerability may be introduced in new versions and not be in older versions. Thus not all nodes are vulnerable. That was the case for CVE-2018-17145. It took years for full disclosure and it eventually became necessary.

There is also ocassionally a need to have quick security updates. It shouldn't be entirely automated without several points of review. It can be tricky though, because it can be difficult to disclose details of a vulnerability that is necessary for review, while there are still many vulnerable nodes.

Encrypted DMs to operators could be a best effort before a full disclosure.

Reply to this note

Please Login to reply.

Discussion

No replies yet.