pssstt... nostr:nprofile1qqswswmx4rkj6d7q05dtafhpkqq2z42fc62s37jvtp642m2jkpfxc2cpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszxrhwden5te0dehhyarfwvhxummnw3erztnrdakj7qgkwaehxw309a5xjum59ehx7um5wghxcctwvshsxpancm looping you in. would love to hear your input from the back and forth thread here in terms of the cryptography that the chaps are talking on here. ☺️
⚠️Nostr practical security — attack vulnerabilities ⚠️
Researchers’ quote:
"Our results on Nostr show that their use of cryptographic technologies is simple and immature, showing a sharp difference from the modern messaging applications that the research community has scrutinised.
We think there is a significant lack of understanding on the secure design and analysis of distributed SNSs: what security property should be set, and what about the security of popular growing services other than Nostr, such as Mastodon and BlueSky?"
A new research paper (Aug 2025) analysed Nostr and found basic cryptographic and design weaknesses that allow attackers to abuse the protocol in ways that real users and services should be concerned about.
👉 In plain terms: attackers can trick clients and servers, steal funds or impersonate users in practical scenarios unless fixes are applied.
👉 Key impacts everyone must know
1) Financial risk — attackers can hijack or manipulate keys or requests, causing loss of funds (wallet integrations, invoice relays, LN payflows).
2) Account and reputation risk — impersonation and message forgery can damage user identity, enable scams, or undermine trust models.
3) Ecosystem availability and privacy risk — attacks can de-anonymise users or flood/poison relays, degrading service and exposing metadata.
👉 Call to action for developers and users
- Developers: audit signing and verification flows, wallet integrations, relay filtering and threat models; prioritise fixes for key handling and message-authentication weaknesses.
- Users: assume higher risk for money-related actions; avoid new integrations until maintainers publish mitigations; verify payments and identity out-of-band.
Looping in relevant parties below. Regardless of whether the source is trustworthy, the attacks described are worth investigating.
nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z nostr:npub18m76awca3y37hkvuneavuw6pjj4525fw90necxmadrvjg0sdy6qsngq955 nostr:npub16vjln603hfsfhremp627jle4ycm6p23grjjqrm04rrdwupldyfnsjx88a2
Link to the research listing (paper referenced): 👉 https://eprint.iacr.org/2025/1459.pdf
#asknostr #plebchain #plebs #nostr nostr:note1s2tnt9zenqegldv6uvyc5pmf5hdrzhx9faatqmyhlpu7lnredy8q2lmu76
Discussion
It’s Saturday night, I’m drunk. I’ll take a look Monday 😂
probably a good idea...! enjoy and don't give away your seed phrase ok? 🤣
I didn't get back to you and I haven't read the post, but let's get back to basics.
NOSTR is a protocol, primarily a set of JSON definitions for loosely handling data.
Security is borrowed from Bitcoin.
Media is not natively supported.
Bitcoin money is bolted on via third-party apps.
The one acknowledged problem right now is private key exposure. This is gradually being addressed.
There will be many clients / wallets / media servers apps that have issues, NOSTR is a melting pot of ideas as it should be right now.
Despite our ebullience, NOSTR is not ready for mainstream normie adoption.
TCP/IP is not judged by how Google use it.
Bitcoin is not judged by how poorly Mt. Gox secured client accounts.
NOSTR cannot be judged by how well any application performs.
Thanks for this. I am on the same page as you that nostr is not yet ready for the "normies".
On a different note, if you're struggling to sleep, this paper may be your sleeping pill 😂
I don't have trouble sleeping, I'm a Bitcoiner, it's the normies that are all doomed 😂
I'm not going to read the paper anyway, but thanks for your concern.