Your IP to begin with
Discussion
Your IP is exposed to every website you visit. Hardly what I would consider private. Many relays are available over Tor, and a lot of people use VPNs on nostr.
Its PII according to GDPR and many other laws in different jurisdictions. And of course its not only IP that a client send to random server - take at least some filters, default settings etc. if uncontrolled there may be clients who share you location by default using outbox model, is this private enough?
90% of modern internet security is “avoid visiting bad sites” and yet people fail it. And today you visit websites you consciously decided to visit while software prevents any attempts to automate it - https strict download, email magic pixels, CORS policies etc etc
If you want outbox model to be used by advanced users who did setup tor-only access for a device - well, it seems to me then it would be a struggle to male it worth it because 572 users relays could be memorized in mind :)
But if you want to have outbox model feature available for regular users, you have to start with tons of security considerations and configurations
I would never use a piece of software which may make arbitrary requests to arbitrary servers and I would discourage everyone to do it
Curious what nostr:npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35c thinks 🤔
I wonder what most people’s minds would do if they ran netstat on their home computer, sitting at an idle. I ran pihole at one point and blocked over 100k random connections going out of my home in one week, and those were just the ones it caught.
As for IP addresses being PII under GDPR - I literally have nothing nice to say about that piece of legislation. I would literally rather geoblock the entirety of Europe than deal with their incompetent attempts to legislate technology into the ground.
I’m not willing to live my life at that level of paranoia. Nostr clients deserialize JSON objects into POD data types. There is a minimal attack surface. If you’re worried about IP address exposure - run a friggin VPN. Almost every Nostr client loads images and videos by *default* exposing your IP address to a random collection of servers - often run by companies with spotty privacy records, like google - even if you run a locked down list of relays.
IP addresses may be PII to a government or a big corporation, but the idea that they are *private* is laughable. It is by its very nature exposed to everything you do online. If nostr clients were executing code downloaded from relays, I would begin to worry. Web clients - especially ones that allow content embedding - are the most likely attack vector, not the relay itself.
My relay keeps no persistent IP logs, as disclosed in my terms of service here: https://github.com/TheSameCat2/thesamecat-relay-tos but even if a relay does, if your threat model indicates that IP address retention is a problem for you, that should have been mitigated on your end long before you got on Nostr.
I’m sorry if this comes off hot, but I keep hearing the same things harped on over and over again, like we need to plug a pinhole in the bottom of a ship that’s had a hole blown in it. When nostr decides culturally that they’re going to take blocking Google, Imgur, Spotify, et al. from collecting our IP addresses seriously, I’ll be concerned about my IP address being leaked to some relay operator.
I should point out that afaik Snort and Nostrudel have done the most to mitigate IP leakage through 3rd party links and hosting, with nostrudel in the lead offering the ability to not just imgproxy images, but also convert twitter and YouTube links to nitter, invidious, etc.
Regarding GDPR I would say its far from perfect obviously because the topic is complex. But do you want to say its a bad thing govt make corporations put users in control of their data? Is it a bad think I can request all my data from Facebook they have on me? Is it bad they have to put efforts to control this data not be breached?
Regarding everything else regarding IP sorry I’m not following clearly - this is my exact concern that my IP and other sensitive information could get to ANYONE just because I open a nostr client. And yes I’m much less concerned about Google knowing a lot about me than my neighbors or boss
Anyway, there are decades of software development and web software development and they have basic things in common. And all we discuss here assumes that nostr is so special that we should avoid all that experience
Browsers make many arbitrary requests to servers you didn't specify to fetch page resources. I like to block that with uBlock origin. Clients *should* put the user in control with white lists and/or blacklists. Practically though, the attack surface from websockets and nostr events is incredibly smaller than that of a web page so I don't think that is an important feature at this point, even for paranoid tor users.
Beyond that, if you don't fetch bob's events from where he publishes them, what else can be done in the case that you want to follow Bob?
Try out the addon DecentralEyes. Gives you more power to block unwanted CDN requests.
Browsers don’t make arbitrary requests. They open site you ask them too and follow links from that site are trusted. And also they put tremendous efforts to make it as safe as possible. And when some of the links leads to untrusted site its called XSS
As you said, clients should put users in control - I’m not against this feature, I’m just saying this feature must be implemented responsibly
If bob suddenly changes relay I want to know it. And if it happens he posts to nsa.gov from now on I want to be able to say bye ye Bob
OK you should have thatcontrolI. If you trust Bob and he sent you to NSA maybe trust was misplaced. He signed his relay list. Websites don't digitally sign their content so bad links there or XSS from other user input is a far bigger problem than nostr relay references. They put tremendous effort that content is safe because the web stack is massive and riddled with security bugs including 0days right now. Nostr stackisverysimplee but it is not provably secure, still much easier to trust simple stack with hardened language like rust (please don't attack me for being rust fan boi)