Replying to Avatar Alex Gleason

Nsecs are generated by combining the ActivityPub ID with a secret key and then hashing it. It's technically custodial keys I guess, but they're not stored in a database, just computed at runtime and cached for the duration of the session.
Avatar
Disturbia 2y ago

interesting. theorically can anyone hack this keys and start messing around on nostr (for mastodon users)

Reply to this note

Please Login to reply.

Discussion

Avatar
Disturbia 2y ago

?*

Avatar
Alex Gleason 2y ago

They would need the secret key that only the bridge has, but yes. If someone broke into the server they could impersonate ActivityPub users. That's no different from any site though. Except that Nostr would make it hard or impossible to recover from a breach like that since compromising a key is permanent.

Avatar
Disturbia 2y ago

🤔

Avatar
Disturbia 2y ago

ok in reverse. if i have a my nsec on nostr and the bridge emulates an account on mastodon, my nsec on nostr side is always secure right?

Avatar
Disturbia 2y ago

technically the likelihood of a mastodon person to talk / interact / get data from a nostr person is lesser than than the other way round so as long as my nsec is secure i am fine. i practice safe nsec. hehe

Avatar
The Daniel ⚡️ 2y ago

Your nsec wouldn’t be compromised. The only risk is to the corresponding ActivityPub ID on the other end.

Avatar
Disturbia 2y ago

i wonder if we could run a personalized version of mostr bridge? but then i guess, that is what ditto is all about anyway

Avatar
The Daniel ⚡️ 2y ago

What attack vectors are there where this could happen and how secure is the mostr.pub server? The fact that it’s centralized like this is fairly concerning, ngl.

Avatar
Disturbia 2y ago

i think all of this concern are probably the reason why alex comes out with ditto, right?

Avatar
Nice and Kind Vic 2y ago

yes, if you guess the secret, which may be a different salt for each user for more fun