It's hard to compare the two because people usually overlook that Matrix Servers, SimpleX Servers, Signal Servers know who you are to perform the right access controls into your chat rooms. While no one else knows about your messages, the servers do have a LOT of leverage over their users. Any legal action can simply target the server operator; they can turn on several tracking mechanisms without your knowledge and then metadata privacy is pretty much gone.

The goal for the GiftWrap idea is to remove the need for Nostr relays to authenticate users into chatrooms. While everyone can now see GiftWraps being received, they still can't know anything else about it. And since the GiftWrap protocol uses multiple relays to pass messages around, it is extremely hard for any legal action against the server operator to break your privacy.

Now, of course, that all depends on compliant client implementations of the GiftWrapped DMs. Using the same protocol, a client can take the DM experience to such a privacy level (e.g. creating a new Tor session at each message to avoid IP tracking, minimizing nostr filter correlations, etc.), that it becomes certainly better than Matrix, Signal or SimpleX. Enforcement wouldn't even know what to target to get your metadata.


Discussion

I don’t think you can equate the amount of metadata available to Matrix and Signal servers with what is available to SimpleX servers - it’s actually less than what is available to Nostr relays users connect to. Putting them in one list, however flattering, implies a similar amount of metadata available, which is very far from reality and is misleading.

I agree, they are not the same. SimpleX is more private than Signal and Matrix for sure. But the protocol still grants a lot of info to the server.

While Nostr relays also have a lot of info from users, especially if you mix private and public events, a fully private client can make it so that the relay doesn't even know if the computer connecting to them is a user or a proxy. The relay doesn't know if a DM is new or not because date/times are all random. In fact, many GiftWrapped DM transfers are different encryptions of the same message (or any other private Nostr event), all from random accounts, being broadcast by bots to generate noise. In fact, that same private client can just transfer directly in P2P if the two phones are online and relays won't even know about it (which is my main use right now).

I love this, thank you for giftwrap pilling me, I thought it's just a type of DHKE and symmetric encryption

I think GiftWraps are more like individual Tor messages that can include DMs inside them.

They have the "next node" address that is visible (a pubkey which can be the real one, an alias or a new key every time), but everything else is either random or encrypted.

The GiftWrap event can encrypt other GiftWrap events that together assemble into a full onion route, with the benefit being that the final node is the client, not the relay. It would be like never hitting an exit node in Tor.

But we are in early days. I am still waiting for a real cryptographer to make sure our thinking doesn't have any holes in it.

Is there a fully private #nostr client, nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z, as you talked about?

Not yet

Another curiosity, nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z. Is the info Signal servers receive not encrypted? They say they store no metadata in their server. Is that not true in reality? Why then is Signal so celebrated in the infosec community?

I'll be very obliged if you take your precious time to enlighten us.

Thank you.

Technically nothing prevents them from storing metadata on servers - only contents of messages are encrypted, same with Matrix. So, you have to trust Signal servers.

They also know your phone number 😅.

Signal is so celebrated because it has great UX, a large userbase, battle-tested encryption (WhatsApp is based on the Signal protocol) and it was the first.

Wow