Nostr was mentioned on my favorite cryptography podcast today, Security, Cryptography, Whatever — they didn't spend a lot of time on it, but here are some highlights:

> It’s federated and it’s European. I bet it sucks.

> It’s some Ayahuasca inspired initiative from Messrs. Dorsey et al.

> Yeah, sure, it’s decentralized and federated, but like their proposal for end-to-end encrypted DMs was just bad by itself.

> When I reviewed this, my description of this was it looks almost exactly like Nebuchadnezzar [https://nebuchadnezzar-megolm.github.io/], which is like a fractal of things that could have gone wrong with like a complete ecosystem of like a secure messaging system. They found flaws in almost every component of that system and then tried to leverage them as far as they could.

You can read/listen here: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/

They also mentioned a talk that's going to be delivered at blackhat on August 9th which sounds super interesting:

> In this session, we unveil the first comprehensive security study of Nostr and its popular client applications, demonstrating how subtle flaws in cryptographic design, event verification, and link previews allow an attacker to forge "encrypted" direct messages (DMs), impersonate user profiles, and even leak the confidential message from "encrypted" DMs.

Here's the link to the agenda entry for the talk: https://www.blackhat.com/us-25/briefings/schedule/#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726

I'm looking forward to learning how we've screwed up — there aren't a lot of cryptographers here, and I know that open protocols make security even harder to maintain. Maybe we've screwed up irretrievably, but I'd rather know now than later.


Discussion

It was fun while it lasted 🫡

Our names will go down in history as the idiots who did nothing right

We did some stuff right. Look at these fucking emojis.

We have *sandwiches* ffs

Sorry I don't see them, I'm not using a compatible client

reading the talk presentation it looks like it's an attack against some implementation bug on amethyst or damus? then they blame it on the specs being readable

probably bullshit

My odds are 80% obvious attacks and nitpicks, 20% something more fundamental. They mention CBC malleability, so maybe there's something in the cryptography, although I think we already knew that from the audit and it doesn't matter for our use case. We'll see

Will the talk be recorded? Interested to see what they talk about

I sure hope so. Looking at their youtube channel I think it probably will be

Everyone pack your bags, clear off, you stop saying the price of bitcoin, primal guys put your shirts back on, you in the corner, stop taking screenshots of normie trending memes on twitter. Clear off.

Get out.

It's over.


Ideally, some nostrites with deep pockets should pay for some security audits of the protocol and client implementations

We did one once for NIP 44. I'm curious if they're going to talk about nip 04, 17, or MLS. Auditing clients is probably pointless unfortunately, since interoperability weakens security quite a lot anyway, and the surface area for an audit is massive. This is a trade-off of an open protocol

Audits are always good, even if incomplete

Audits, especially security audits, seem to be highly contested. I think that's why many actual cryptographers hide in the shadows and do their math. Many believe that audits, being centralized and opinionated, provide a false sense of security. I tend to appreciate audits despite the legitimate shortcomings; it's just another tool in the belt. My efforts to acquire funding for my crypto library were partially intended for a formal verification and a security audit.

The more eyeballs the better. Even a look at and a report on a single module is helpful

I have managed a few software projects / products through audits with really smart cryptographers. It’s always a good idea.

Cold eyes review would be welcome. I look forward to the recommendations of the crypto bros.

Appreciate the open and learning mindset

I have no illusions as to my own competence

Trying to figure out how this will go in my memoirs. 🤔

As someone who maintains a nostr cryptographic library (C reference for nip44) I also agree we should be finding weak points earlier than later.

“Ayahuasca inspired” 🤣

i swear if this is about nip04... tableflip

guess what guys! we discovered primal and damus trick users into using insecure DMs! sweet.

well, any exposure is good exposure i guess.

Oh, awesome. I will definitely listen to this.

Maynard seems like a smart feller

I like the "religious people are retarded" statement at 55:10

"and outline both immediate mitigation steps and best practices for cryptographically sound design. By revealing these cracks in a widely touted "censorship-resistant" system" - nice, constructive criticism

Looks great! Thanks

Damus is almost certain to be mentioned due to the nip-04 setup, and/or event signature verification being turned off for performance reasons.

Untrusted/bad actor relay is required for one of the identified deficiencies.

nostr:npub13v47pg9dxjq96an8jfev9znhm0k7ntwtlh9y335paj9kyjsjpznqzzl3l8 is working on pushing the Iliad nostrDB update, which should help with the above issues.

cc nostr:npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5s

Where do these people get the idea from that Nostr is federated?

It's just the default decentralized architecture. In a sense, relays are federated. The distinctions get lost on people not thinking deeply about it though.

The wiki-page uses a rather broad and vague definition:

"A federation is a group of computing or network providers agreeing upon standards of operation in a collective fashion. "

Still, even then, I would object: the whole notion of federation is mostly Server Oriented Architecture related. Saying that because relays all share the understanding of the same set of simple queries makes them federated is too much of a stretch. It might just be straight up incorrect if we start to wonder if relays are even "a group of computing or network providers". They don't do any compute, and they don't provide access to a network, they just provide access to data; the only logic going on in a relay is read/write access control.

It is kinda the whole point of Nostr, so I am easily agitated when I see indications of misunderstanding.

I have a similar gripe with the use of "p2p" in Bitcoin. People, on-chain bitcoin transactions are NOT peer to peer; miners are not your peers, they are intermediators. Now they are trust minimized, and that so happens to be where the whole crux of this Bitcoin system resides; but if one says:

"Yeah well that is what I mean when I tell people Bitcoin has no intermediaries", then I can't be sure if that is indeed what you mean, or that you missed the whole point altogether and actually have all kinds of silly beliefs like that replace-by-fee is evil or that Nostr relies on federation.

The Black Hat slide deck is pretty interesting for nostr nerds considering potential vulnerabilities in the nostr ecosystem. This relates back to a recent note by nostr:nprofile1qy2hwumn8ghj7mn0wd68yetvd96x2uewdaexwqg4waehxw309aex2mrp0yhx6mmnw3ezuur4vgqzqcgxv5zxzlh8jwrsy8scez0m08gam0p700l3nneznr6qgehcw90f7j2y2j on the importance of building for a hostile state environment.

From Black Hat:

"Nostr is an emerging open-source, decentralized social networking protocol with over 1.1 million users—and a critical blind spot in its security design. While decentralized architectures promise resilience and user control, rigorous real-world security analyses remain uncommon in this space. In this session, we unveil the first comprehensive security study of Nostr and its popular client applications, demonstrating how subtle flaws in cryptographic design, event verification, and link previews allow an attacker to forge "encrypted" direct messages (DMs), impersonate user profiles, and even leak the confidential message from "encrypted" DMs.

We also show how a lack of signature checks in many clients—whether due to outright skipped verification or a TOCTOU caching flaw—enables effortless data tampering. Even a single oversight can escalate from simple forgery to full-blown confidentiality breaches.

Far from theoretical, our proof-of-concept attacks target widely used clients—one with over 100,000 downloads—and systematically bypass the platform's intended privacy and authentication controls. We'll share how you can replicate these exploits with minimal setup, explain how loosely defined specifications in a decentralized protocol can introduce critical weaknesses, and outline both immediate mitigation steps and best practices for cryptographically sound design. By revealing these cracks in a widely touted "censorship-resistant" system, we aim to jumpstart a more rigorous approach to securing decentralized social platforms—before attackers go mainstream with the vulnerabilities we've uncovered."

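The abstract's point about skipped signature checks and TOCTOU caching is easiest to see in code. This is an added example, not code from the thread or from any Nostr client: it recomputes the NIP-01 event id from the fields actually received before anything is cached, so a tampered event is rejected; BIP-340 signature verification is not in the Python standard library, so it is delegated to a caller-supplied function (the one in `demo()` is a placeholder that only checks length, and the sample keys and signature are constructed, not real).

```python
"""Added example: verify-then-cache for Nostr events (NIP-01 id check).
Signature verification is injected because BIP-340 is not in stdlib."""
import hashlib
import json
from typing import Callable, Dict, Optional

def nip01_event_id(ev: dict) -> str:
    # NIP-01: id = sha256(json([0, pubkey, created_at, kind, tags, content]))
    # serialized without whitespace and with raw (non-escaped) UTF-8.
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"],
                      ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode("utf-8")).hexdigest()

class VerifiedEventCache:
    """Stores an event only after its id is recomputed from the received
    fields (not trusted from the 'id' field) and the signature check passes."""
    def __init__(self, verify_sig: Callable[[str, str, str], bool]):
        self._verify_sig = verify_sig     # (pubkey_hex, id_hex, sig_hex) -> bool
        self._events: Dict[str, dict] = {}

    def accept(self, ev: dict) -> bool:
        claimed = ev.get("id", "")
        actual = nip01_event_id(ev)
        if claimed != actual:
            return False                  # content/tags/pubkey do not match id
        if not self._verify_sig(ev["pubkey"], actual, ev.get("sig", "")):
            return False                  # signature does not cover this id
        if actual in self._events:
            return True                   # already verified; duplicate ignored
        self._events[actual] = dict(ev)   # store a copy, not the caller's object
        return True

    def get(self, event_id: str) -> Optional[dict]:
        return self._events.get(event_id)

# Constructed sample event; pubkey and sig are placeholders, not real keys.
SAMPLE = {"pubkey": "ab" * 32, "created_at": 1700000000, "kind": 1,
          "tags": [["p", "cd" * 32]], "content": "hello nostr", "sig": "ef" * 64}
SAMPLE["id"] = nip01_event_id(SAMPLE)

def demo() -> tuple:
    # Placeholder verifier: accepts any 64-byte hex sig. Use a real BIP-340
    # verifier (e.g. a secp256k1 binding) in practice.
    cache = VerifiedEventCache(verify_sig=lambda pk, i, s: len(s) == 128)
    ok = cache.accept(SAMPLE)
    tampered = dict(SAMPLE, content="send your sats here")   # id left unchanged
    rejected = not cache.accept(tampered)
    return ok, rejected, cache.get(SAMPLE["id"])["content"]
```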