Yesterday, while working on my authorization server for my relay, I was wondering:

What would happen in clients if a #nostr #relay were to spoof some events?

Example:

Alice sends an event to relay B and C, let's say a simple "Hello world".

All relays accept the event and store it. However, relay C modifies the content of the event. When referring to the note, the content relay C would return would be "Hello Satoshi".

Therefore, a client connecting to those relays would receive two different events with the same Id.

How would/should clients behave?


Discussion

The modified event would fail the hash and signature checks and be discarded.

Is it done for all events received on the client side?

On Amethyst, yes. Other clients might not do it.

I know the event hash is a sha256 of the serialized event; however, in the above example, relay C would obviously compute the hash from the original event before storing a modified version of the content but with the original hash.

Do clients already perform checks on the received events to ensure the content is legit?

Modified events are invalid. Clients which do not validate events can hardly be called “nostr clients”.

The event’s property `sig` is the 64 bit signature of the hashed stringified event. It is obtained by signing with the author's private key. A relay couldn’t simulate the sig value. And clients should verify `content` versus `sig`.
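
The scenario from the thread, as an added example that is not part of any post above and is not taken from any client's code: a client recomputes the NIP-01 event id from the fields each relay returned and drops the copy from relay C. The relay names, timestamp and placeholder pubkey are constructed, and only the id check is covered; verifying `sig` (a Schnorr signature over the id) needs a secp256k1 library and is not shown.

```python
import hashlib
import json

def serialize(ev):
    """NIP-01 serialization: compact UTF-8 JSON array of the signed fields."""
    return json.dumps(
        [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
        separators=(",", ":"), ensure_ascii=False)

def compute_id(ev):
    """Event id = SHA-256 of the serialized event, as lowercase hex."""
    return hashlib.sha256(serialize(ev).encode("utf-8")).hexdigest()

def id_matches(ev):
    """True only if the id the relay sent is the hash of the fields it sent."""
    try:
        return compute_id(ev) == ev["id"]
    except (KeyError, TypeError):
        return False  # malformed event: treat as invalid

def merge_from_relays(responses):
    """Deduplicate by id across relays, keeping only events whose id checks out.

    responses: dict of relay name -> list of events. Returns (accepted, rejected),
    where accepted maps id -> event and rejected lists (relay, claimed id).
    """
    accepted, rejected = {}, []
    for relay, events in responses.items():
        for ev in events:
            if not id_matches(ev):
                rejected.append((relay, ev.get("id")))
            else:
                accepted.setdefault(ev["id"], ev)
    return accepted, rejected

# Constructed sample data: the pubkey is a placeholder, not a real key.
alice = {"pubkey": "aa" * 32, "created_at": 1700000000, "kind": 1,
         "tags": [], "content": "Hello world"}
alice["id"] = compute_id(alice)
spoofed = dict(alice, content="Hello Satoshi")  # relay C keeps the original id

accepted, rejected = merge_from_relays({"relay-B": [alice], "relay-C": [spoofed]})
print("accepted:", [e["content"] for e in accepted.values()])
print("rejected:", rejected)
```

A matching id only shows that the fields are consistent with each other; the signature check against `pubkey` is what ties the event to its author, so a client needs both.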