Ideally, some nostrites with deep pockets should pay for some security audits of the protocol and client implementations
Nostr was mentioned on my favorite cryptography podcast today, Security, Cryptography, Whatever — they didn't spend a lot of time on it, but here are some highlights:
> It’s federated and it’s European. I bet it sucks.
> It’s some Ayahuasca inspired initiative from. From Messrs. Dorsey et al.
> Yeah, sure, it’s decentralized and federated, but like their proposal for encrypted end to end encrypted DMs was just bad by itself.
> When I reviewed this, my description of this was it looks almost exactly like Nebuchadnezzar [https://nebuchadnezzar-megolm.github.io/], which is like a fractal of things that could have gone wrong with like a complete ecosystem of like a secure messaging system. They found flaws in almost every component of that system and then tried to leverage them as far as they could.
You can read/listen here: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/
They also mentioned a talk that's going to be delivered at blackhat on August 9th which sounds super interesting:
> In this session, we unveil the first comprehensive security study of Nostr and its popular client applications, demonstrating how subtle flaws in cryptographic design, event verification, and link previews allow an attacker to forge "encrypted" direct messages (DMs), impersonate user profiles, and even leak the confidential message from "encrypted" DMs.
Here's the link to the agenda entry for the talk: https://www.blackhat.com/us-25/briefings/schedule/#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726
I'm looking forward to learning how we've screwed up — there aren't a lot of cryptographers here, and I know that open protocols make security even harder to maintain. Maybe we've screwed up irretrievably, but I'd rather know now than later.
Discussion
We did one once for NIP 44. I'm curious if they're going to talk about NIP 04, 17, or MLS. Auditing clients is probably pointless unfortunately, since interoperability weakens security quite a lot anyway, and the surface area for an audit is massive. This is a trade-off of an open protocol.
Audits are always good, even if incomplete.
Audits, especially security audits, seem to be highly contested. I think that's why many actual cryptographers hide in the shadows and do their math. Many believe that audits, being centralized and opinionated, provide a false sense of security. I tend to appreciate audits despite the legitimate shortcomings; it's just another tool in the belt. My efforts to acquire funding for my crypto library were partially intended for a formal verification and a security audit.
The more eyeballs the better. Even a look at and a report on a single module is helpful.
I have managed a few software projects / products through audits with really smart cryptographers. It’s always a good idea.
Cold eyes review would be welcome. I look forward to the recommendations of the crypto bros.