Oddbean new post about login | logout > That is why NOSTR is great, has hundreds of volunteer relays that make difficult to track incoming messages and dozens of different clients to retrieve them that are E2EE without cryptographic doubt. Most public relays sync notes so private messages are extremely easy to track. You could just connect to one of the larger relays and listen for all notes by and npub hoovering all private dms. That's a massive hit to privacy. Gift wrapping helps, but does not guarantee this information won't get leaked when a single npub keeps requesting certain notes. On top of that if a client is using nip46 and possibly connected via relays, that same hoover can see when you attempted to decrypt a given note. Cloudflare proxying is also used for a majority of big relays. Most users will be connecting via clearnet and standard TLS connections leaking traffic and IP addresses. We are still working on better ways of improving forward secrecy because I believe there is still a possibility of ciphertext attacks with as much data that is available for a given user. Speaking as the author of the C reference for nip04 and 44 encryption.
plaintext attacks can only be possible if the message nonces are weak reuse of a nonce is absolutely out, as it enables a plaintext attack giftwraps already provide forward secrecy if the relay does not provide access to the events without auth proving the client is involved in the message exchange what we are missing at this point is good support of nip-65 mailbox support and delete event support
I'm speaking strictly to ciphertext attacks, where the content is highly predictable, nonce is known because it's public, and 1/2 of the shared key is available, although I doubt that's useful but still worth considering.
all of those things depend on repeating nonces, or as you mention, repeating pubkeys these are very easy to avoid, but maybe there is some programming languages that still make it complicated to access a strong CSPRNG more than a few instances in the history of bitcoin where dodgy entropy led to wallets being cracked and UTXOs stolen very often, propagandistic, opportunistic, manipulative "study" articles to avoid being in such a story make sure you understand the mechanisms well enough to know where it has weaknesses strong entropy, private random number generation is really central to all of the security of these things, just make sure you know the quality of entropy you are using before you inflict this shit on users haha
There are chances for improving those attack vectors: I2P connections between relays and between clients solves a good chunk, sending random noise every so often makes it even harder to know when to track. Clients don't need to talk only with main relays, they can ping hundreds for messages from an npub. What I don't see are realistic ways to improve SimpleX. Where are the hundreds of relays run by volunteers with dozens of relay implementations and dozens of clients? They don't exist, and won't exist. We both know that. NOSTR is still our best shot that can, and will be improved.
I'm speaking to the current situation. Were moving toward a better solution, but out of the box I find it hard to imagine nostr currently, and even in the near future is a more secure solution to PRIVATE messaging than SimpleX and I read the white paper a while ago and don't remember most of it XD
I've read the protocol of SimpleX too, but maybe my previous posts were not clear enough: I'm not saying the encryption is weak. I'm saying it is really easy to feed spoofed apps to target users that bypasses completely any algorithm. You don't even need 5 USD. https://image.nostr.build/c1b4cda7ee268680b9cae99543d03b753d13abda18ad09108195248fdfca795c.jpg
