What security risk though? If you're using a specific feature, that's already enough info to let a would-be attacker know what client you're using


Discussion

this is the same idiot security by obscurity nonsense that unfortunately prevails among nostr devs

you can fingerprint events to a client codebase, EASILY

just like you can easily analyse a series of REQ filters from one IP address to establish the npub of the user, and, to add to this, now we point out also that the client can also be fairly confidently determined

this is why auth should not be considered a privacy vulnerability, and why client fingerprinting should not be considered a privacy vulnerability

bullshit on both counts, and i just had to point that out because this thing about auth and privacy has stopped clients from building adequate CHANNEL CONSTRAINED privacy protections for DMs and thus have made DMs virtually fucking useless

also talk to the admin of nostr.wine about the problem of how irritating it is to not have working DMs because they are a very nice CLI route for paid relays (which also need to have auth, really, to work)

It's not security by obscurity. It's basic privacy. There is no point in providing additional information to attackers when you can avoid it.

it obstructs usability if my client can't find my sent messages

it obstructs the marketplace in services that funnel consumer choices towards nostr that help fund development if you DON'T PRIORITIZE WHAT PEOPLE NEED ie DMs

it is an illusion of privacy when you "hide" information that obstructs developers work when the most elementary of heuristics can establish the same facts as a client tag provides, that actually helps the developers of the clients

anyway, carry on, just know that if you are so sure about being right about this with the influence you have maybe you should consider that the negative consequences may be partially attributable to your idiot attitude

The `client` tag has nothing to do with your client's inability to find your DMs. I don't understand where this is coming from.

paid relays and DMs are the two big blindspots, of course you can't see it

My client doesn't have any issues with paid relays and DMs...

> It's not security by obscurity. It's basic privacy.

Two things can be true at the same time.

I don't think anyone should be sending client tags. My signer is configured to strip tags including the Client tag for this reason. Just privacy, no one needs to know the client I'm using. That said, it's also by definition security by obscurity if you think hiding the client someone's using with the intent to "protect" the user

If I know you use Amethyst with an nsec in it, I can browse Amethyst's code to find security vulnerabilities or social ways to attack you. I can mimic Amethyst's UI in a website and fool you into giving me your key.

The smaller the client, the worse it gets. And since NIP-17 requires so many decryptions, it is likely that chat clients will almost always have an option to use nsecs directly inside of them.
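As an added example (not code from anyone in this thread), here is the signer-side scrub the post above describes, in Python: it drops `client` tags from an unsigned nostr event and recomputes the NIP-01 event id, since the id covers the tags and the event has to be signed after the scrub, not before. The event values are constructed placeholders, and the serialization assumes `json.dumps` matches NIP-01 escaping for the characters used here.

```python
import hashlib
import json

# Constructed sample nostr event (NIP-01 shape) with a NIP-89 style "client" tag.
# pubkey and tag values are placeholders, not real keys.
SAMPLE_EVENT = {
    "pubkey": "ab" * 32,
    "created_at": 1700000000,
    "kind": 1,
    "tags": [
        ["client", "ExampleClient", "31990:" + "cd" * 32 + ":app"],
        ["p", "ef" * 32],
    ],
    "content": "hello nostr",
}


def nip01_event_id(event: dict) -> str:
    """NIP-01 event id: sha256 over the canonical serialization
    [0, pubkey, created_at, kind, tags, content] with no whitespace.
    Assumption: json.dumps with these options reproduces NIP-01 escaping
    for the content used here (it escapes a few extra control characters)."""
    payload = [0, event["pubkey"], event["created_at"],
               event["kind"], event["tags"], event["content"]]
    serialized = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(serialized.encode("utf-8")).hexdigest()


def has_client_tag(event: dict) -> bool:
    """True if any tag names the client that produced the event."""
    return any(t and t[0] == "client" for t in event.get("tags", []))


def strip_tags(event: dict, names=("client",)) -> dict:
    """Return a copy of the unsigned event with every tag whose name is in
    `names` removed and the id recomputed. Any existing id/sig is dropped:
    changing tags changes the id, so the event must be re-signed afterwards."""
    scrubbed = {k: v for k, v in event.items() if k not in ("id", "sig")}
    scrubbed["tags"] = [t for t in event["tags"] if not t or t[0] not in names]
    scrubbed["id"] = nip01_event_id(scrubbed)
    return scrubbed


if __name__ == "__main__":
    cleaned = strip_tags(SAMPLE_EVENT)
    print("client tag:", has_client_tag(SAMPLE_EVENT), "->", has_client_tag(cleaned))
    print("id changed:", nip01_event_id(SAMPLE_EVENT) != cleaned["id"])
```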