Avatar
Lady Mae - Growth Teacher 2mo ago

⚠️Nostr practical security — attack vulnerabilities ⚠️

Researchers’ quote:

" Our results on Nostr show that their use of cryptographic technologies is simple and immature, showing a sharp difference from the modern messaging applications that the research community has scrutinised.

We think there is a significant lack of understanding on the secure design and analysis of distributed SNSs: what security property should be set, and what about the security of popular growing services other than Nostr, such as Mastodon and BlueSky? "

A new research paper (Aug 2025) analysed Nostr and found basic cryptographic and design weaknesses that allow attackers to abuse the protocol in ways that real users and services should be concerned about.

👉In plain terms:

attackers can trick clients and servers, steal funds or impersonate users in practical scenarios unless fixes are applied.

👉Key impacts everyone must know

1) Financial risk — attackers can hijack or manipulate keys or requests, causing loss of funds (wallet integrations, invoice relays, LN payflows).

2) Account and reputation risk — impersonation and message forgery can damage user identity, enable scams, or undermine trust models.

3) Ecosystem availability and privacy risk — attacks can de-anonymise users or flood/poison relays, degrading service and exposing metadata.

👉Call to action for developers and users

- Developers: audit signing and verification flows, wallet integrations, relay filtering and threat models; prioritise fixes for key handling and message-authentication weaknesses.

- Users: assume higher risk for money-related actions; avoid new integrations until maintainers publish mitigations; verify payments and identity out-of-band.

Looping in relevant parties below. Regardless of whether the source is trustworthy, the attacks described are worth investigating.

nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z nostr:npub18m76awca3y37hkvuneavuw6pjj4525fw90necxmadrvjg0sdy6qsngq955 nostr:npub16vjln603hfsfhremp627jle4ycm6p23grjjqrm04rrdwupldyfnsjx88a2

Link to the research listing (paper referenced): 👉 https://eprint.iacr.org/2025/1459.pdf

#asknostr #plebchain #plebs #nostr nostr:note1s2tnt9zenqegldv6uvyc5pmf5hdrzhx9faatqmyhlpu7lnredy8q2lmu76

Reply to this note

Please Login to reply.

Discussion

Avatar
ཀռօֆ🝤ʀǟɖǟʍɨᶻ 𝗓 𐰁 2mo ago

A times I have a feeling its per design.

Avatar
Lady Mae - Growth Teacher 2mo ago

let's hope it's not. hence, copying those people. ☺️

Avatar
ابو مريم 2mo ago

CC: nostr:npub1h0uj825jgcr9lzxyp37ehasuenq070707pj63je07n8mkcsg3u0qnsrwx8 nostr:npub175nul9cvufswwsnpy99lvyhg7ad9nkccxhkhusznxfkr7e0zxthql9g6w0

Avatar
alp 2mo ago

Thanks! That’s really valuable. I’ll go ahead and implement the checks and steps mentioned in it right away.

Avatar
Lady Mae - Growth Teacher 2mo ago

ty and would love to hear your thoughts on the vulnerabilities/fixes for the wider audience too. 🫂 as this is publicly available, we are not sure how many people did the testing and the feasibility of it. we appreciate your help and hard work. ☺️

Avatar
ابو مريم 2mo ago

I think it is mostly older. Some of this stuff with nip4 and Damus patches is known. Figured it would be good to review though as you build

Avatar
Lady Mae - Growth Teacher 2mo ago

indeed. there is no harm checking and be vigilant than sorry. esp if given enough time and resource, it will only take 1 malicious act to screw things up for the network 😬

Avatar
Vitor Pamplona 2mo ago

Old paper, but this is why we don't use NIP04 DMs anymore. Also, I don't understand why would anyone say that Nostr has an issue if they only test a couple clients, mostly Damus. Clients might have a lot of problems. But those are not Nostr problems. They are that specific clients issue. They should have said that. They seen to think the way Damus does things is Nostr itself, which is dumb. Either they don't know how the Nostr ecosystem works or they are intentionally misleading people.

Avatar
Lady Mae - Growth Teacher 2mo ago

I can see your point. Out of curiosity, there are few practical attacks in there mentioned both in client and server imolementations and protocol specifications. Regardless whether the paper is old, it would be interesting to know if the dev community looked into them esp the nip01 manadatory implementations. The bigger risk mentioned is the vulnerability 1 which is in protocol level and this paper is open for public to view. 😬

Avatar
Vitor Pamplona 2mo ago

Thats not a problem of nostr. In order to pull of that attack, they will need to change the event and recreate the event ID that matches the signature. That is impossible with today's computers. So much so that they could not create ANY event to explore that vulnerability.

They are only describing it because of vulnerability 2, when Damus wasn't verifying events they receive. That was fixed a while back on the Damus clients.

To this date, nobody was able to actually do Vulnerability 1. Even if you use the entire hash power of the Bitcoin network, you still cannot do it.

Avatar
Lady Mae - Growth Teacher 2mo ago

I see. the paper claimed that nostr relay operators can do this type of attack bcoz of lack of verification from the server end. genuinely curious to understand, are we saying that each event are verified in the server end (relay side) therefore, this attack cannot be done? Eg. No way relay operators can forge an event in the server side? ty

Avatar
Vitor Pamplona 2mo ago

Even if they don't verify, we all verify on the client side and discard if the signature doesn't match.

But no, relay operators cannot do this. If they could, they would also be able to create Bitcoin transactions on the blockchain, since nostr uses the same cryptography tool. There is 2 trillion dollars of money to anyone that can do that. :)

Avatar
Lady Mae - Growth Teacher 2mo ago

that is a relief ppphhheeewwww sweat averted ty as always 🫂

Avatar
Garbage nsec 2mo ago

An example of a protocol (and not client) concern is that if someone has your nsec you generally have no way of knowing. I could have your nsec right now, I could be reading your DMs (unless MLS), and I could continue to do for the next months or years, you'd have no real way of knowing I'm doing this unless I slip up and publish something with your nsec and you see that (which, if I was using a special client, would be unlikely) or some elaborate relay sting.

This sucks because the moment you suspect your nsec mave have been exposed, even if just a small chance, you then have to assume it has been and start on a new one, since there's no way to check the history as you can do with other platforms.

The more Nostr moves to Web of Trust the more it benefits the attacker (the knower of the exposed nsec) to just wait and let you build trust on your compromised account, over months or years, because that trust will be useful to cash out as some point in future.

Avatar
fiatjaf 2mo ago

You do have a way of knowing: if your DMs are going to a semi-trusted relay and you have to AUTH to it in order to read them (as you should under NIP-17) that relay may inform you about who has read them, when and from what IP address.

If we implement https://github.com/nostr-protocol/nips/pull/1647 that will also kill the attacker ability's to read anything in the first place unless he wants to reveal himself by registering his bogus device or publishing new encryption keys.

Avatar
Garbage nsec 2mo ago

Agree those are potential fixes for NIP17 DMs, albeit they rely on all the things you mentioned. How many people are going to exclusively use auth-enabled relays with IP access alerts? And those alerts could also work backwards and inform the attacker of the true holder's IP, which needs to be accounted for. I mean it's all doable but these dumb relays sure are getting pretty smart.

Avatar
fiatjaf 2mo ago

Clients should nudge users towards using such relays for DMs, and that is happening right now in every client.

Relays were never meant to be dumb in the sense that they wouldn't have any internal logic, that was an unfortunate choice of words and a huge misunderstanding that damaged Nostr a lot, it's a surprise to me that people could have thought a relay would be really that dumb, do no filtering, no access control etc and Nostr would still work? Nostr would never work if it was like that.

Avatar
Garbage nsec 2mo ago

That's fair.

Avatar
semisol 2mo ago

NIP-04 by itself is not vulnerable and is secure against these “attacks” as signatures exist

Avatar
Vitor Pamplona 2mo ago

AES-CBC (the core of nip04) has been removed from many crypto suites, including TLS 1.3, due the many security issues in poor implementations, mostly related to oracle padding attacks, which are also possible in nip04.

Avatar
semisol 2mo ago

Said attack is not possible in NIP04 due to signatures.

Talking about attacks without knowledge is easy.

Is it a bad spec? Mostly. Is it so bad that we have to rip out every use case? Probably not.

Things like padding can be retrofitted into existing NIP-04 use cases. For example JSON lists can use space padding.

Avatar
Vitor Pamplona 2mo ago

"Probably" is not a word you want to use in security systems.

Avatar
semisol 2mo ago

Again, is there an *applicable* attack on NIP-04? There are good reasons to remove it (unifying encryption standards) but it is not the boogeyman you present it as.

Avatar
Vitor Pamplona 2mo ago

I am not presenting anything. Several cryptographers did in multiple discussions. Fiatjaf built nip04 without any deeper knowledge in encryption. That alone should be a massive red flag. I don't understand this need you have to keep defending a lausy spec. Especially when others specs are readily available and have been fully vetted.

Avatar
semisol 2mo ago

To be fair, the same cryptographers that pushed for NIP-44, also lied about NIP-04 leaking private keys.

The "attack" they presented would require:

- A way to extract an AES key from a pair of chosen ciphertexts + their plaintext (or the other way around)

- At least millions of rounds of user interaction in an unusual way

- A way to forge signatures that uses keys derived from the user's private key

Avatar
Vitor Pamplona 2mo ago

No need to forge signatures if you only want to decrypt it. You can just build an app that uses Amber to sign locally. Doing millions locally is quite easy. Is fact, billions is quite easy.

Again, I don't understand the need to give people the risk of somebody putting that together.

Avatar
semisol 2mo ago

> - A way to extract an AES key from a pair of chosen ciphertexts + their plaintext (or the other way around)

Also fulfill this. The answer is that you can't.

Avatar
semisol 2mo ago

The problem here is that the risks of NIP-04 have been extremely exaggerated. It is not an ideal spec and it should be moved off of, but the idea that it presents *any risk* is absurd.

Avatar
Vitor Pamplona 2mo ago

No, the problem is that the risks to nip04 are unknown because it depends so much on how signers and clients implement NIP-04. It SHOULD be exaggerated exactly because devs can and will fuck it up. Its virtually impossible to fuck an implementation of nip44 up.

Avatar
semisol 2mo ago

The risks of NIP04 are very known.

The people that were fearmongering about NIP04 being the end of the world were the same that were getting paid to create a replacement which needed to be fancy and critical, to earn them a large grant.

Unless your client has gone rogue, and there is a critical flaw in AES (both!), it is impossible to realistically break NIP04.

Avatar
Vitor Pamplona 2mo ago

Lol, what is this? Grudge? Are you jealous Paul did the work and got a tiny grant for the huge amount of hours the put into? You know he didn't receive the grant right? He donated back to open sats to pay for the audit on his own code. Something no one ever did in NIP04.

No one should ever even consider using nip04 for anything.

Avatar
semisol 2mo ago

There is no grudge, only the fact that they pushed the narrative that NIP-04 will leak private keys to unknowing devs and users by abusing their position, for personal gain.

If anything, NIP-44 did not resolve significantly more critical problems like the fact that approving [en/de]cryption is still a blind operation.

Avatar
semisol 2mo ago

Not that an encryption scheme requires an immense amount of hours. The horse of two-party asymmetric encryption has been beaten to death and you can find countless spins on the same goal.

Avatar
Garbage nsec 2mo ago

The design of anything on nostr should allow for a high percentage of normies losing or exposing their nsecs, and this makes all this Encryption A vs Encryption B stuff moot.

Avatar
Vitor Pamplona 2mo ago

Shared keys, not private keys.

What the fuck are you talking about that NIP44 didn't resolve any significant problems? Now you are just being malicious. It's clearly better spec, better secured, easier to implement to avoid issues, and audited. Why are you dismissing these improvements?

The blind operation will always be there for very generic encryption schemes like the one we need in nostr. You can add anything else you need outside the ciphertext on nostr.

Avatar
semisol 2mo ago

It is clearly said to be private keys and was pushed as such.

I did not say NIP-44 did not resolve ANY significant problems, but it glossed over much more critical ones. All of the attacks that are possible on NIP-04 are unrealistic in reality, but the attack that an application can ask to decrypt lists and then siphon off all your DMs is very real.

NIP-04 was poorly designed, but saying that I am acting malicious for showing you that:

- part of the push for it was based on lies

- that the risks were falsely marketed

- that the paper's attacks on NIP-04 assume major flaws in implementation (no signature checking)

is bullshit.

Avatar
Vitor Pamplona 2mo ago

So, what you are saying is that we should dismiss the work and give credit to lousy, outdated schemes that we know are a risk just because nip44 didn't solve a problem that is not even theirs to solve?

I think you are being malicious. You are clearly mixing responsibilities between distinct security layers to muddle the waters, confuse everyone and make a point based on a grudge you had with the developer. It's just sad.

Avatar
semisol 2mo ago

Can you please show me which sentence is saying that we should dismiss NIP-44 and stick with NIP-04? Or that I have any reason to have something against Paul?

NIP-44 was pushed on false premises.

NIP-04 is not great.

But the risks of it are not as much as an immediate threat as there being no way to control encryption access, and intent confusion where the same encrypted blobs could be reused in different places with different meanings.

This could have been addressed by the spec via inclusion of AD.

Avatar
Vitor Pamplona 2mo ago

Just read this entire conversation. You keep suggesting that nip44 did nip04 dirty even though it is clearly better. I have never seen you advocating *cleanly* for NIP-44. You always write as if you wanted NIP-04 back, which will never happen. I don't know why you do this, but you do. It's very clear. I think you like to have grudges and those trump any rational analysis on the debate.

Avatar
semisol 2mo ago

So your assumptions are automatically fact? Interesting.

I do not want NIP-04 back and I have never stated that.

But NIP-44 was rushed through based on false information, out of thin air, while important concerns that have existed for a long while (such as encryption intent) not being considered.

That is what I have stated and what you keep trying to intentionally misinterpret as “wanting NIP-04 back”.

Avatar
Vitor Pamplona 2mo ago

Nip44 wasn't rushed. I don't know why you would say that. Again.. your grudge shows..

Avatar
semisol 2mo ago

Everything points back to you selectively misinterpreting what I am saying to prove a nonexistent point, and making up me having a grudge.

It was rushed. The sentiment that NIP-04 will cause a catastrophe and nsecs will be leaked was pushed strongly during its proposal to ordinary users that did not know any better. And all while major gaps still exist.

Avatar
Vitor Pamplona 2mo ago

It took us 2 years to develop, test, audit and verify nip44. How long did you want it to take to not be rushed? We needed to get out of nip04 fast. Everybody was complaining about how terrible it was and it was affecting Nostr's image everywhere, but especially in the cryptography community, which knew very well how idiotic the scheme was.

Since nip44, no one has dared to say Nostr devs have no idea what they are doing in encryption.

Avatar
semisol 2mo ago

2 years? It only took a few months at most, and the specification was likely outlined within an hour.

The only thing that has taken 2 years is convincing devs that the absurd gift wrap standard (independent of NIP-44) is a good idea, which continues to be proof that Nostr devs truly have no idea what they are doing.

By trying to get a solution to obscure complaints fast the only thing we have done is left much more realistic problems like encryption intent unsolved.

Nostr’s image was not significantly impacted by NIP-04 except research papers that like to dunk on unrealistic scenarios, and NIP-44 *adoption* (due to it mostly being a low practical benefit change) is still nowhere near completion, partly because the only scheme using it also happens to be shit.

Avatar
Vitor Pamplona 2mo ago

I see you don't even know we changed cryptographic curves (a fundamental step) twice 7 months after the first idea and had to retest everything.

I am not even including giftwrapping and the NIP-17 scheme. 2 years was just NIP44.

Avatar
semisol 2mo ago

do you know the difference between an elliptic curve and a symmetric cipher

Avatar
Vitor Pamplona 2mo ago

Lol

Avatar
semisol 2mo ago

I am pretty sure you either mixed that up or the MLS NIP.

Avatar
Vitor Pamplona 2mo ago

I am going to stop this discussion because you clearly have a grudge and your ego is overwritting any rational discussion on this. There is no point. You just want to create a fuzz about it even though you agree NIP44 is significantly better than nip04.

Avatar
semisol 2mo ago

Or you are not getting it, considering that you said it took 2 years to do NIP-44 when it did not, and that changes to the core public key scheme of Nostr was required twice

Avatar
Vitor Pamplona 2mo ago

How can you claim to know how long things too if you werent even there? I was. Why would you even make such claims? I don't get it. Your ego must really be hurt by something. This is not normal.

Avatar
semisol 2mo ago

You know, the development process is open for everyone to seed there is no closed committee for this. Even including “empty” time spent on waiting for merges, and a very liberal definition of the start and end time, 2 years is nowhere close.

Avatar
semisol 2mo ago

All you are doing is attacks on me and absolutely nothing of substance about reality, which is pretty disappointing to see.

Not the 1st time your personal views have prevented you from seeing the reality 🤷

Avatar
semisol 2mo ago

most of it is bullshit

Avatar
node 2mo ago

😂

Avatar
Lady Mae - Growth Teacher 2mo ago

oh? which part and curious to hear your thoughts?

Avatar
fiatjaf 2mo ago

There are a dozen of issues with this scammy paper.

The most important is that it only worked on a couple of clients that didn't check signatures. These clients only connected to a static set of semi-trusted relays and changing the relays they connected to would require a manual typing operation from the user.

For the attack to work it required victims to manually type the URL of the attacker relay, which makes it completely absurd.

It's like telling someone to visit "verysecretnotscammywebsite.com" and type all their secrets there, then read their secrets because the website leaked them and write a paper claiming that the web is broken.

Avatar
Luxas 2mo ago

How old is the paper? They mention Plebstr client, which hasn't been around for a very long time lol

Avatar
Lady Mae - Growth Teacher 2mo ago

according to the papers the poc was done last 2023 but their metadata says they updated it this Aug 2025

Avatar
Lady Mae - Growth Teacher 2mo ago

pssstt... nostr:nprofile1qqswswmx4rkj6d7q05dtafhpkqq2z42fc62s37jvtp642m2jkpfxc2cpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszxrhwden5te0dehhyarfwvhxummnw3erztnrdakj7qgkwaehxw309a5xjum59ehx7um5wghxcctwvshsxpancm looping you in. would love to hear your input from the back and forth thread here in terms of the cryptography that the chaps are talking on here. ☺️

Avatar
mike 2mo ago

It’s Saturday night, I’m drunk. I’ll take a look Monday 😂

Avatar
Scott ••• 2mo ago

That’s the spirit, Mike!

^ pun

Avatar
mike 2mo ago

😆

Avatar
Lady Mae - Growth Teacher 2mo ago

probably a good idea...! enjoy and don't give away your seed phrase ok? 🤣

Avatar
mike 2mo ago

I didn't get back to you and I haven't read the post, but let's get back to basics.

NOSTR is a protocol, primarily a set of JSON definitions for loosely handling data.

Security is borrowed from Bitcoin

Media is not natively supported

Bitcoin money is bolted on via third party apps.

The one acknowledged problem right now is private key exposure. This is gradually being addressed.

There will be many clients / wallets / media servers apps that have issues, NOSTR is a melting pot of ideas as it should be right now.

Despite our ebullience, NOSTR is not ready for mainstream normie adoption.

TCP/IP is not judged by how Google use it.

Bitcoin is not judged by how poorly Mt. Gox secured client accounts.

NOSTR cannot be judged by how well any application performs.

Avatar
Lady Mae - Growth Teacher 2mo ago

thanks for this. I am on the same page as you that nostr is not yet ready for the "normies".

On a different note, f u r struggling to sleep this paper may be your sleeping pill 😂

Avatar
mike 2mo ago

I don't have trouble sleeping, I'm a Bitcoiner, it's the normies that are all doomed 😂

I'm not going to read the paper anyway, but thanks for your concern.