Nostr Web Client

So digging into the double ratchet protocol, I think the device has to have both medium-term and long-term keys available to decrypt everything in the past, and an attacker would likely steal both of those and decrypt everything in the past. The protocol then would generate future keys that the attacker wouldn't have unless they continued to control the user's device. I think it does the best thing possible, but it is still quite possible to steal all the past messages even under Signal's double ratchet protocol. It makes no sense to me that an attacker would only get one key or the other -- maybe they are presuming a cryptanalysis only attack.

Santos 1y ago 💬 2

I guess to get all past keys you need full device access where leaking an nsec can be done "easily" by putting it into a malicious website or app.

Reply to this note

Please Login to reply.

Discussion

The Fishcake (nostr.build) 1y ago 💬 2

That’s what I proposed, a separate pair of keys for DMs that user does not have direct access to. Rotate them every period and keep old keys on the device. Publish public part as part of your profile and we are good. All the gift wrapping and extra steps in the new encryption are not making anything safer, just making the implementation more convoluted and opening clients to potential bugs that would make security worse and not better. People always forget to include human factor into the design of security products, it is the weakest link. The easier it is to implement (e.g., NIP-04) the safer it is from sloppy bug or a missed step during implementation 🐶🐾🫡

My 2 sats worth of opinion

Mike Dilger ☑️ 1y ago

That makes sense.