Nostr Web Client

The current version of noStrudel does not verify any event signatures. the option "Show signature verification" only verifies the signatures after the fact and shows a the result on the post.

This is something that was left over from about 6 months ago when I was building noStrudel to be my personal nostr reading client and I've honestly forgotten about it until recently.

The reason I initially didn't have it verifying signatures was I wanted to see everything returned from a relay and see if I could find relays that where returning invalid events. unfortunately I didn't find any bad actors and so I forgot about signature verification being off

The next.nostrudel.ninja version of the app does verify signatures but its also got some timeline loading bugs I'm working out. also as you would expect its about 20% slower due to the computation needed to verify signatures.

However this gave me a few ideas to explore.

I'm planning on adding an option to use WASM to verify signatures using "nostr-wasm" and the option to option to keep signature verification off in the case where you trust the relays your connecting to

cloud fodder 1y ago

Thank you for the reply! I was just re-combing the code and came to this conclusion as well. Good to know I'm not crazy. I also noticed that your yarn.lock has two versions of nostr-tools, just something I noticed.

Perhaps verifying metadata (kind0s) and other select events is a good start that could go easier on perf. Followed by 10002 and 3. I know that damus still doesn't verify sigs either except for metadata.. this would be the #1 attack vector for malicious zap harvesting. And spoofing follows or relay lists could also be fairly nefarious.

Having to trust relays is a centralizing force for nostr and having major clients skip the verification, makes the outbox model un-reachable and clients wary of supporting the relay ecosystem at large.

Reply to this note

Please Login to reply.

Discussion

No replies yet.