IMHO the world is just barely entering a phase of much greater warfare and cyber attacks. You haven't seen nothing yet. I want several levels more security -- for my private keys, and also for the trust relationships. And I think we can do it.

I believe the NSA (or similar) can easily right now spy on anybody's SSL by just directing LetsEncrypt to print them a fraudulent certificate, directing Cloudflare to steal the traffic, and the only thing the target could potentially notice is that the bits in the certificate have changed (but it validates perfectly)... routing the traffic back to the real TLS server with only a minor performance hiccup. That is because routing is not trustable, CAs are not trustable, DNS, etc.

So yes you could solve this with Tor and I2P at great performance cost. Or you could look up a relay's current IP address in the Mainline DHT every hour (and they can jump to a new IP network every hour) and use that to connect to that relay under a TLS connection that is secured with the relay's nostr key. You bypass CAs, DNS, and even though routing can be fucked around with you can just hop somewhere else. And you maintain full performance. And you didn't have to build a new packet switched loran network.

Anyhow, this isn't nostr really I'm talking about anymore, it's Mosaic. It already does all this. Not quite ready to debut.


Discussion

“I believe the NSA (or similar) can easily right now spy on anybody's SSL by just directing LetsEncrypt to print them a fraudulent certificate”

Read up more about Certificate Transparency

Yes, yes, but that doesn't prevent. In theory it can only detect, after the fact, and only if someone bothers to investigate. And even then how do I prove that this was an NSA issued certificate and not issued to the true website? Hard one. Also, CTs have been pretty leaky so far. Either they were not enforced for all certificates, or the CT logs were run by the CAs themselves (fox guarding the henhouse) who simply don't have to put the abusive certs into the log (Let's Encrypt did this, which makes me suspicious of them). Browser enforcement is the right place to do it, but researching Chrome's CT policy refers to a deeper CT Log Policy which basically opens up the logs to as many log providers as wish to exist. The NSA probably has their own log.

And in any case, it's completely the wrong solution. When mistakes are made, people shouldn't double-down and triple-down with more crap. X.500 publication of public keys turned into publishing signed documents just in case X.500 data was corrupted, signed by the X.500 administrator. That made sense. But taking X.509 certificates out of an X.500 context was a mistake, a misunderstanding. Even worse when Verisign popped up and claimed they were the authority for the entire Earth. Adding OCSP was another pile on top, because the entire point of certificates is proof WITHOUT a trusted online service. If you have a trusted online service, you don't need certificates+OCSP, you can just give the public key and be done with it. The technology stack being deeper and more complex is IMHO not an improvement, it simply makes it more difficult for normal people (and even security researchers) to comprehend all the ways it can be used against people.

We have precedent for tearing down the giant stack of kludges and starting over: QUIC. QUIC dared to dispense with the core protocol of the internet, TCP.

Whoa serious? Hard fork incoming?

Mosaic is an experiment not a fork. There are no clients and no users and I'm not going to advertise it. It could become a fork but I really don't want to fork nostr. Maybe down the line it will become a fork if we can't solve the problems in nostr.

What I want is to solve the hard problems. It is far easier to solve them free of the shackles of existing software (needing to be compatible, needing migration steps, etc). Just making something that solves these things is Step 1. Step 2 can be figuring out how to migrate from current nostr to the solution. Step 2 is far harder than Step 1. But trying to solve them both together in one fell swoop has not proven successful.

The current place Mosaic is at is probably unachievable for nostr. So Mosaic can work its way back towards nostr, perhaps by first figuring out how to use secp256k1 keys in SSL. And of course nostr can simultaneously work its way towards Mosaic, and they can meet in the middle somewhere.

I'm reading the spec now, liking it so far. I'm glad you separated general purpose flags, application specific flags, and tags. I'm not sure about human readable payloads, it seems like they should always be structured, especially since the only other place to put data is in tags, which is indexed (I think?). Also, limiting tags to 253 bits might be a tricky limitation for referencing URLs which might be much longer.

Good point on the content-segment tags, since all outer tags are indexed, and these don't seem like they need to be. Probably have to rethink this part. I haven't really gotten to the higher layer stuff like that yet, beyond the rough first draft. I was imagining application-layer tags (longer ones) inside of the content for stuff like this, but it's not written that way.

You'll also want to find a way to avoid duplicating tags if they need to be indexed but also used in content. Which means content likely needs to be able to reference tags in either place.

secp256k1 is a permitted curve for X.509 certificates

You could allow any root that has the npub’s key, so it could sign sub-CAs or temporary keys for servers.

it's gotta be the ecdsa public key tho, 33 bytes and all that. i didn't know that x509s can be secp256k1 tho. i thought r1 was the only one that most of the things permitted. TLS definitely. also JWT only r1.

x-only pubkeys are prefixed with 02

it doesn’t matter though, you can flip it

Not sure if x-only have a 02 prefix like same way compressed public keys do?

No, you can prefix them with 02 to get a compressed pubkey.

Ah right, yup!
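The 02-prefix point from the exchange above, as an added example that is not code from the thread or from any nostr project: it takes a 32-byte x-only key, checks that x is really on secp256k1, prefixes 02 to get the 33-byte compressed form, and decodes it back to an affine point (a 03 prefix is the "flipped" odd-y point). The sample key is constructed: it is the x coordinate of the secp256k1 generator, chosen so the expected y is known. Only the Python standard library is used.

```python
from typing import Optional

# secp256k1 field prime; the curve is y^2 = x^3 + 7 over GF(P)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
B = 7


def lift_x(x: int) -> Optional[int]:
    """Return the even y for x on secp256k1, or None if no such point exists."""
    if not 0 < x < P:
        return None
    y2 = (pow(x, 3, P) + B) % P
    y = pow(y2, (P + 1) // 4, P)        # square root, valid because P % 4 == 3
    if pow(y, 2, P) != y2:
        return None                     # y2 is not a quadratic residue: x is off-curve
    return y if y % 2 == 0 else P - y   # BIP340 x-only keys denote the even-y point


def xonly_to_compressed(xonly: bytes) -> bytes:
    """Prefix a 32-byte x-only key with 02 (even y) after validating it is a curve point."""
    if len(xonly) != 32:
        raise ValueError("x-only public key must be exactly 32 bytes")
    if lift_x(int.from_bytes(xonly, "big")) is None:
        raise ValueError("x is not the x coordinate of any secp256k1 point")
    return b"\x02" + xonly


def decompress(sec1: bytes) -> tuple:
    """Decode a 33-byte compressed key (02/03 prefix) into an affine (x, y) point."""
    if len(sec1) != 33 or sec1[0] not in (2, 3):
        raise ValueError("not a compressed SEC1 public key")
    x = int.from_bytes(sec1[1:], "big")
    y = lift_x(x)
    if y is None:
        raise ValueError("point is not on the curve")
    # 03 selects the odd-y point: flipping the prefix negates y.
    return x, (y if sec1[0] == 2 else P - y)


# Constructed sample: x coordinate of the secp256k1 generator G.
SAMPLE_XONLY = bytes.fromhex(
    "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798")

if __name__ == "__main__":
    compressed = xonly_to_compressed(SAMPLE_XONLY)
    print(len(compressed), compressed.hex())
    print(decompress(compressed))
```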

When I tried to code it a few months back, I got stuck on some PKIX assigned number that didn't have an entry for secp256k1. But I'm recalling this from memory so I could be wrong here.

I'm just now figuring out how to use Gossip because both Damus and Primal have failed me. I downloaded a brief tutorial from Rumble that I believe you made.

I'm trying to figure out 1/4 of the options and settings it has. Bear with me, I'm retarded.

Gossip will fail you as well I'm sure!

It works well enough for me most of the time but something about the libraries it depends on interacting badly with Debian testing Xfce sometimes freezes my desktop as I'm typing into it. And it frustrates me. I don't think it is my bad code, but somehow I'm triggering a deeper bug.

The lower left "lights" indicate if something needs to be handled.

The circle buttons on the right of a post go into that post's thread view.

Relays is its own complex set of pages.

People Lists is where you define your feed views.

It's more complex than any mobile client I've used. Is there an option for spell checking? I only want to appear half retarded.

I have relays set, nPubs I follow, fonts bigger in the UI, and enough that I can function pretty well though. It took me almost a year to take the plunge into Gossip because of the complexity and not knowing all the technical lingo.

Spell checking! Brilliant idea. No.

Desktops having more screen real estate lend themselves to having more complex UIs. A tool that you use a lot and know well should have a complex UI. A tool that you are new to should have a simple UI. The ideal UI would get more complex as you used the tool. But I'm not a UI developer, I actually abhor UI development, so I had other people work on the UI as much as I could: nostr:npub10000003zmk89narqpczy4ff6rnuht2wu05na7kpnh3mak7z2tqzsv8vwqk and nostr:npub1hlq93jdtkfg29a8s7fqzzzh82q3pkc20rxucwt4geh6e56wk3y2qxdz5wg . Now and then I meddled and messed up their plans so I take all the blame for UI problems, and they get all the praise for UI brilliance.

This may be another dumb idea but I cannot highlight and select a given note's text to copy/paste it into a reply within the app. All in all Gossip is pretty cool and I'm glad I have another solution (probably more secure than mobile) rather than a mobile client.

You want to cut-and-paste images? I started on that but didn't complete it: https://github.com/mikedilger/gossip/issues/995

Say I'm looking at your reply right in front of me as I am and I think you have some great information and was wondering if I could just select the specific text that I highlight and copy it. As of right now (I'm using an AppImage) I can highlight your text but I have no option to copy or paste it. I even tried control C/V with no wookie.

As an example: If I write a bang up post and want to save it to my offline notes I am unable to select my text and copy it. I can write something offline and control V it and it works.

As for pics, I have a totally different idea that I proposed to the code slinger of Damus and I found out that Primal was able to pull it off. If I can find my old note describing what my idea was I'll post it to you.

Are you using version 0.14? I think cut-and-paste works in 0.14. Maybe I'm wrong and it only started working later.... and if so I should release again.

Yes, currently on .14. Again it is the AppImage, not sure if that matters.