Hey nostr:npub18tcc00lqpysdsurg567dllzg7jeyr5wcyk2v6w23rx3s3ygyze2qv32nxx, you are following a fake nostr:npub16pnryyfvs7cs4vhufac0e4k5davk7fjh5jxealyzlpznfmsw3z3qsj57fe , the real is this one: nostr:npub1tjkc9jycaenqzdc3j3wkslmaj4ylv3dqzxzx0khz7h38f3vc6mls4ys9w3

Pay attention to impersonators, they are multiplying. They often use the same technique: copycat profile and reboost some notes of the original profile.

Checking the followers list and search on nostr.band helps to catch them. The npub is always the final source of truth (until it's compromised haha).


Discussion

That Coracle thing that displays a number on the side fixes this.

Yeah

the fake one DMed me the other day 😆

Me too ;)

The real one says 🤬

Also nip05 :)

Nip-05 is useful only if it uses a domain that is tied to a well-known organization. For all the generic domains it is more a trap for this goal, because it is trivial to register a legitimate-looking address.

That's true. However when the "victim" is a well known big account, nip05 is often faster to read than the whole pubkey and can add as a pointer towards the impersonation. This is how I avoided a fake Snowden, Will and Pablo account - let alone that they sent me DMs, which they never would, ever. Especially Snowden. xD "ah psst yeh brah i got a secret for ya" xD

Jokes aside; npub is the final source of truth, nip05 is a secondary, good one, but behaviour is usually the fastest to spot. ^^ In my opinion, anyway.

Faster is not equal to safer.

To prove this, without checking, tell me which is the correct Snowden NIP-05 in this list :)

snowden@nostrplebs.com

edward.snowden@nostrplebs.com

snowden@nostr-check.com

edward.snowden@nostr-check.com

snowden@getalby.com

snowden@nostrpurple.com

edward.snowden@nostrpurple.com

edward.snowden@getalby.com

@edward-snowden.org

I agree that it is faster to *communicate* that the legitimate account is xxx@zzzz.com, but this ease of use is intrinsically risky. If I register a similar domain changing a character, I can easily pass this check and fool people. Forcing the user to complete a full npub check is boring, but really secure. The following counter list is the best trade-off: watching it, I can immediately spot if a big account has been impersonated.

if we want to keep nostr working, we also need to adapt to a new UX paradigm.

I didn't phrase myself clearly enough, apologies! ^^;

What I meant was that most apps can show if a NIP-05 handle is actually the correct one and assigned to the pubkey you are viewing. So, showing the account as actually "verified". Heck do I know which nip5 service Snowden used - I *think* he used nostr-check? x) I don't know if he even has his own domain...

Still, your second half stands true. Let's say Snowden doesn't have a domain - having a valid nip5 of _@edward-snowden.me would still result in a check and a "verified" account, although it is not. So yeah, in this case, comparing the npub to the one on his Twitter (is it even still there?) would be the ultimate truth. Honestly, I hadn't thought this far, I admit that... I would've gotten got by a checkmark. Stupid, I know... ^^;

No need to apologize, we are all brainstorming together and learning how to manage this new paradigm :)

I grasped your idea, the fact is that rarely you can precisely know the "correct" nip-05 address in advance, so at the end it's easily spoofable.
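The exchange above comes down to what a NIP-05 check actually proves: a client fetches `https://<domain>/.well-known/nostr.json?name=<local-part>` and compares the hex pubkey the domain publishes with the pubkey of the profile being viewed. That binds the name to the domain, nothing more, so a different domain publishing its own nostr.json passes the same check for a different key. The following added example (not code from the thread or from any Nostr client) implements that comparison, the npub/hex conversion needed to do it, and the mitigation the thread converges on: pin the domains you trust and flag anything that merely resembles them. The two nostr.json documents, the pubkeys and the domain names are all constructed for the example.

```python
# Added example: what a NIP-05 check proves, and what it does not.
# The DOCUMENTS dict stands in for the HTTPS fetches a client would make;
# every pubkey and domain below is constructed, not a real account.

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= BECH32_GEN[i] if (top >> i) & 1 else 0
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    elif not pad and (bits >= frombits or (acc << (tobits - bits)) & maxv):
        return None  # non-zero padding: corrupted input
    return out


def bech32_decode(s):
    """Return (hrp, 5-bit payload without checksum), or None if the checksum fails."""
    if s != s.lower() and s != s.upper():
        return None  # mixed case is invalid bech32
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or pos + 7 > len(s) or len(s) > 90:
        return None
    hrp, body = s[:pos], s[pos + 1:]
    if any(c not in BECH32_CHARSET for c in body):
        return None
    data = [BECH32_CHARSET.index(c) for c in body]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        return None
    return hrp, data[:-6]


def npub_to_hex(npub):
    """npub -> 32-byte hex pubkey; None on bad checksum, hrp or length."""
    decoded = bech32_decode(npub)
    if decoded is None or decoded[0] != "npub":
        return None
    raw = _convertbits(decoded[1], 5, 8, False)
    return bytes(raw).hex() if raw is not None and len(raw) == 32 else None


def hex_to_npub(pubkey_hex):
    """32-byte hex pubkey -> npub (bech32 with hrp "npub")."""
    data = _convertbits(list(bytes.fromhex(pubkey_hex)), 8, 5, True)
    pm = _polymod(_hrp_expand("npub") + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return "npub1" + "".join(BECH32_CHARSET[d] for d in data + checksum)


def nip05_pubkey(address, documents):
    """Hex pubkey that <domain> publishes for <address>, or None.

    documents maps domain -> parsed nostr.json (stands in for the HTTPS fetch).
    A bare domain or an empty local part means the root name "_", as in NIP-05.
    """
    local, _, domain = address.partition("@") if "@" in address else ("_", "", address)
    local = (local or "_").lower()  # NIP-05 local parts are case-insensitive
    doc = documents.get(domain.lower())
    return None if doc is None else doc.get("names", {}).get(local)


def nip05_matches(address, npub, documents):
    """True when the domain binds <address> to the key behind <npub>."""
    claimed = nip05_pubkey(address, documents)
    return claimed is not None and claimed == npub_to_hex(npub)


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, pinned_domains, max_distance=2):
    """Pinned domain this one resembles, or None if it is pinned or unrelated."""
    domain = domain.lower()
    if domain in pinned_domains:
        return None
    return next((p for p in pinned_domains if edit_distance(domain, p) <= max_distance), None)


REAL_HEX = "11" * 32  # constructed pubkey of the genuine account
FAKE_HEX = "22" * 32  # constructed pubkey of the impersonator
DOCUMENTS = {  # constructed /.well-known/nostr.json bodies, keyed by domain
    "example-real.org": {"names": {"_": REAL_HEX}},
    "example-rea1.org": {"names": {"_": FAKE_HEX}},  # one character differs
}

if __name__ == "__main__":
    fake = hex_to_npub(FAKE_HEX)
    print("fake key on real domain :", nip05_matches("_@example-real.org", fake, DOCUMENTS))
    print("fake key on lookalike   :", nip05_matches("_@example-rea1.org", fake, DOCUMENTS))
    print("lookalike flagged as    :", lookalike_of("example-rea1.org", {"example-real.org"}))
```

Run as a script it prints `False`, `True`, `example-real.org`: the impersonator fails the check on the genuine domain, passes it on their own lookalike domain, and only the pinned-domain comparison catches the substitution. That is the thread's conclusion in code: a green checkmark says the domain vouches for the key, and the npub comparison remains the final word.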

Providing yourname@nostrich.house NIP-05 addresses. But I am a bot. DM me to know more 😁 https://nostrich.house #nip05

Nip5 is not an authentication of real world persons. It's an alias for hex32. Our #nip5 service is anonymous, reliable and affordable. No account in fiat world necessary, order in the Nostr, zap the bot. #bitcoin #nostr https://nostrich.house #NIP-05

Relax, your certificate renewal is manual, but you lack access to certain requirements, like a computer from this decade