Oddbean new post about login | logout Huge milestone: First demo of Nostr Web Services (NWS) bringing TCP to Nostr. With NWS, you can host any existing web application on Nostr without having to use DNS or even announce your public IP to the world, simply by sharing your service's npub (or nprofile). Try it out the demo yourself. Here is a Cashu test mint running with NWS. Let's use curl to retrieve the mint's information. The request travels from your computer to the public NWS entry relay, then through nostr to the service's NWS exit relay. At the other end is a Cashu mint with HTTPS encryption. ``` curl -s -x socks5h://relay.8333.space:8882 https://nprofile1qqs8a8nk09fhrxylcd42haz8ev4cprhnk5egntvs0whafvaaxpk8plgpzemhxue69uhhyetvv9ujuwpnxvejuumsv93k2g6k9kr/v1/info --insecure | jq ``` https://m.primal.net/JTMl.png I can't stress this enough: THE MINT RUNS BEHIND HTTPS! The NWS entry relay can't read your traffic. It's encrypted. We can host public entry relays that can be used by anyone. This means we can plug the entire internet to it ðŸŒ. Let's plug it into Cashu for now. Nutshell wallet supports socks5 proxies (that's how it uses Tor). By setting the public entry relay as the proxy, the wallet can now connect to a mint's npub/nprofile and communicate with it via NWS. https://m.primal.net/JTot.png This is going to be so freaking cool. And it's going to be a lot more useful than just for Cashu. There are still bugs and issues that need to be ironed out but the code is coming out soon. Watch this space.
it's cool, but what problem does this solve?
I’m excited about you being excited because the rest went over my head!
Same. Can I see it in a browser? I love what, I believe to be, the premise. Looking forward to seeing it come together.
--> "Nostr Web Services (NWS) brings TCP to Nostr. With NWS, you can host any existing web application on Nostr without having to use DNS or even announce your public IP to the world, simply by sharing your service's npub." <-- nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
NWS - Nostrich routing
So if you use a nutzap to pay for a relay, you can pay with nuts to use your nuts. https://m.primal.net/JTqE.png
Are there any NIPs or technical writeups on this?
I think it will become clearer once the code is released.
Are you saying we can provide anonymous web services on Nostr?
Sounds so cool. Can't wait to host my site with this. Not sure if I get how it works without a domain name yet, but looks powerful.
I’m trying to move away from https certificate authorities and inflatable monies, but you do seem like a pretty cool guy calle! ðŸ‘ï¸âš¡ï¸ðŸ‘ï¸ I think you’ll love the decentralized web component we’ve got cooking for Nostr. Just need a little more time. 👨â€ðŸ³
Ok now this is truly a game changer!
Is the communication wrapped as ephemeral nostr events or is it some other way?
So Nostr web service accepts an npub and returns content from an IP address? Or, is the content a note stored on a relay?
Storage of money v1
👀👀👀👀👀👀💪 nostr:nevent1qqs9xzrlasmnzyklfsl968cmr53ggua4tagpyhwkh5mypaq3etfwtngpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzsm98u9kzcp35zkpc62shck8335gqtq5yt4w26xwl0pp2a72qavvpsgqqqqqqslacsxw
yep ðŸ‘
Good bye Tor, it's been a great ride.
tell Stuart to HFSP, @gsovereignty
The US Navy and glowies will be crestfallen. https://m.primal.net/JTxG.jpg
Boom!
👀
This is amazing! I wonder if a privoxy rule will match a hostname starting with npub and nprofile and forward it to the socks5 relay like it does with .onion hostnames
This seems huge... nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
Great, now the media will call Nostr the “Dark Web.†😂
It’s not?
We’re all on a list now.
We're not here for the memes and to whoever created listr, thank you!
Wait, you guys weren't on the list already?
🤯👀🥰🔥👌🼠nostr:nevent1qqs9xzrlasmnzyklfsl968cmr53ggua4tagpyhwkh5mypaq3etfwtngpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzsm98u9kzcp35zkpc62shck8335gqtq5yt4w26xwl0pp2a72qavvpsgqqqqqqslacsxw
Does that mean the mint is on the phone? 🤔 nostr:nevent1qqs9xzrlasmnzyklfsl968cmr53ggua4tagpyhwkh5mypaq3etfwtngpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgs9pk20ctv9srrg9vr354p03v0rrgsqkpggh2u45va77zz4mu5p6ccrqsqqqqqpgvphdr
So basically the HTTPS encryption is based not on certificates but on nostr keys? Therefore the relay cannot see the content of the connection?
It's normal https based on SSL. Otherwise it wouldn't work with anything other than custom software.
So you still need to use certificates and be bound to certificate authorities, unless you use a self signed one and trust it? So basically this is "only" (I mean it's a lot) an alternative way to reach a web site? And does the website still need to have a public IP or is the NWS component "pulling" the connection from the relay somehow?
Obviously the browser will complain about the hostname not matching the certificate.
It will match the hostname: you visit google.com, you get google's cert, but the traffic goes over nostr (through a socks proxy).
Oi #nostr Finally!!! It's time to run a Twitter clone... Yes, I'm shitposting. nostr:nevent1qqs9xzrlasmnzyklfsl968cmr53ggua4tagpyhwkh5mypaq3etfwtngprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsygzsm98u9kzcp35zkpc62shck8335gqtq5yt4w26xwl0pp2a72qavvpsgqqqqqqs9se2ql
nostr:nevent1qqs9xzrlasmnzyklfsl968cmr53ggua4tagpyhwkh5mypaq3etfwtngpzpmhxue69uhkummnw3ezumt0d5hsygzsm98u9kzcp35zkpc62shck8335gqtq5yt4w26xwl0pp2a72qavvpsgqqqqqqsf90eee
Whoa mama. Holy shit. nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
Can someone pls ELI5? 🤷â€â™‚ï¸
hope this helps nostr:note1uk728fkpgt8qqe2a9gylc9af5e4kjkyr05f3c04zpv8jgzwu9s6qpks74v
And I presume dedpluication on the exit nodes is done as per any nostr client would?
so theres a nostr based name resolution in the relay side? And you need to announce the relay that host the webapp (that most probably has his static ip)? That seems to reimplement dns on upper layer, doesnt go beyond it. Or I lost something? If I correctly understood, I see two advantages here: 1) every npub can sign their own entry on the hash-table to be reachble without requiring third party dns-like trust. 2) ip static decorrelated from webapps for a better censorship resistance.
The current design is for internal "nostr services" only which doesn't need name resolution, the npub is the target. In the next stage, it will allow connecting to the Internet at which point the DNS resolution at the entry node must probably be intercepted and replaced by the npub of the exit relay.
I love it!
I can already do this using holepunch tech.
Nostr wins.
If I figure out how to do this myself I’ll eat an entire chocolate cake to celebrate.
same
I might eat it anyway.
Sounds cool don’t understand it all but I know it’s important! Keep up the good work!
Explain like I'm 5
Feels like #nostr killing #tor to me - anybody have the same impressions? nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
👇👇👇Cool beans.👇👇👇 nostr:nevent1qqs9xzrlasmnzyklfsl968cmr53ggua4tagpyhwkh5mypaq3etfwtngpzpmhxue69uhk2tnwdaejumr0dshsygzsm98u9kzcp35zkpc62shck8335gqtq5yt4w26xwl0pp2a72qavvpsgqqqqqqsgazm40
> you can host any existing web application on Nostr in what sense? it looks like this is just a proxy for notes, couldn't this be achieved with a simple https server + api? plz explain ;_;
Magic beans.
I don't understand the question. What's a proxy for notes? Http server + API? Check the curl command.
Its amazing watching what looks like the birth of a whole new internet. I'm pumped! nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
Can you give a rundown of how this actually works? I am struggling with so many parts… What does “bringing TCP†have to do with http hosting? They are two totally different layers. How is data actually hosted? *is it hosted*? Or just relayed from an actual http host? Is this what you mean by TCP? That the relay will relay socket data? That’s… questionable… could lead to all sorts of misuse? Thoroughly confused.
It's tcp. Http just runs on top of that. It's a web service like any other web service. Except it's only reachable via nostr.
So.. we can build websites that cannot be taken down now, if I'm understanding correctly? When thepiratebay on nostr? 😀
This is big 🤯 Nostr is not for social media. It's the ENTIRE web 🌠As the old web drowns in waves of AI generated spam, only Nostr will survive. A web without centralized choke points. A web with authenticity where every note is signed. A web that's machine payable by default. Buckle up amigos. We're sailing to the new world much faster than I realized. Feeling lucky to be alive to witness and be part of this! 𓅦 🚀 ⚡⛵ nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
https://m.primal.net/JUNR.png
It shall come soon sir
I'm forwarding every single sat to the Cashu dev working of this project.
Sounds incredible. Bullish af. Appreciate you ser 🫡
> bringing TCP to Nostr I'm not quite sure what this means. Client-relay communication is accomplished via WebSockets, which is built on top of HTTP, which is built on top of TCP. So we're building TCP on top of TCP?
technically, websockets are just a way to switch to TCP after starting with HTTP
So...still TCP on top of TCP 🤣
I get the significance of web service discovery through relays (which seems to be what this NWS is?), but I'm scratching my head wondering if Nostr is the best tool for solving the problem.
nope, it's raw you have to manage your own pings, it's in the spec but you have to handle making and receiving them and timing out connections oh yeah, they can manage configurable compression options, that's automated, i don't think there is very much other than this
https://datatracker.ietf.org/doc/html/rfc6455 i'm gonna sit and read this, and i think you should too, because we use this all day long
Conceptually, WebSocket is really just a layer on top of TCP that
does the following:
o adds a web origin-based security model for browsers
o adds an addressing and protocol naming mechanism to support
multiple services on one port and multiple host names on one IP
address
o layers a framing mechanism on top of TCP to get back to the IP
packet mechanism that TCP is built on, but without length limits
o includes an additional closing handshake in-band that is designed
to work in the presence of proxies and other intermediaries
https://datatracker.ietf.org/doc/rfc9220/ this might be interesting too... it's basically reworking websockets to work over QUIC transports (which is UDP @ChipTuner @Michael J )
yeah, it's basically the same as TCP except, mostly, the rigmerole of handshake and disconnect, and that you can send either binary or text frames, everything else is optional... maintaining a ping to detect loss of connection is application level, but conventional
Thanks for this! Gonna give it a read.
there is a version for QUIC/HTTP/3 https://www.rfc-editor.org/rfc/rfc9220.html one big difference is that http/3 has built in scheme for multiplexing connections so this is quite cool for nostr as it means you could auth on one stream and bind it to the multiplexed connection and not need to auth for each stream - most clients start up multiple sockets, 2 or 3 at least often sit open for an hour or more if you walk away
A crappy VPN really. There is a reason VPNs use UDP datagrams
i think the thing is that the nostr should just be a weakly consistent data store for relay and service addresses creating tunnels should definitely stay on another protocol layer
%100!!!! The amount of crazy stuff I never though was possible just by having publicly available database secured with some math is unreal. An extremely solid spec to just focus on that ability and were living the dream!
yeah, it's really important to keep domains separated, i'm sure you know well what happens when you write code that handles too many contingencies and then you realise you forgot one and it breaks the whole thing when it would have worked better if you made it into a layer cake with simple parts that are related in each layer and passing data between the layers to enable the complex behaviour
schematic of how NWS works https://m.primal.net/JUSZ.png nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
Soo, it's like TOR? How does NWS route the request through its web of relays? In other words, how does the entry node know which NOSTR relay is hosting the nprofile service?
This is a pretty cool hack, I loved it! But if the goal is to keep the server hidden from the public internet, wouldn't it be easier to link a .onion address or something alike in the kind 0 event? Seems more efficient and less spammy to relays
This is huge indeed !! Need to study that more deeply. Thank you
Anyone interested in this needs to know that you can do this with Holepunch: https://holesail.io/ nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
🥕 🥕 🥕 🥕
It works. On a mac. Out of the box. 😳 curl -s -x socks5h://relay.8333.space:8882 https://nprofile1qqs8a8nk09fhrxylcd42haz8ev4cprhnk5egntvs0whafvaaxpk8plgpzemhxue69uhhyetvv9ujuwpnxvejuumsv93k2g6k9kr/v1/info --insecure | jq { "name": "\"Cashu NWS mint\"", "pubkey": "0296d0aa13b6a31cf0cd974249f28c7b7176d7274712c95a41c7d8066d3f29d679", "version": "Nutshell/0.15.3", "description": "\"This Cashu test mint has no public IP address and can only be reached via NWS powered by Nostr\"", "contact": [ [ "", "" ] ], "nuts": { "4": { "methods": [ { "method": "bolt11", "unit": "sat" } ], "disabled": false }, "5": { "methods": [ { "method": "bolt11", "unit": "sat" } ], "disabled": false }, "7": { "supported": true }, "8": { "supported": true }, "9": { "supported": true }, "10": { "supported": true }, "11": { "supported": true }, "12": { "supported": true } } }
that's the idea!
--insecure
any minimal working sample websites hosted like this yet?
Great thing for the next web ðŸ‘
Is there anything preventing the NWS relay from doing a MITM attack? I guess you could take the result from curl and check the nostr signature, but curl alone is unsafe right?
Don't all nostr relays use DNS? How do you bootstrap around that?
Unpopular opinion: Absolutely terrible idea Nostr-web-services is just ngrok / cloudflared with extra steps and more concerns about safety. 1. The things you expose are public; hackers can find you and see whatever you are hosting. 2. You DO NOT OWN your web service if the name servers are not under your control. Whoever owns the name server is the prime authority, and they can inject whatever they want into your website. Imagine out of 10 relays, even one of them injects your website with a code to steal passwords and you happen to use that relay (YOU ARE COMPROMISED!!) It is as dangerous as port forwarding / dynamic DNS with extra concerns about integrity. When I say "as dangerous as port forwarding", I think I am explaining it casually, but in reality, this is far more dangerous and concerning. Just two days ago when I was looking into issues with port forwarding / dynamic DNS / Nostr-web-services, I discovered: 1. THREE THOUSAND (3k!!!!) Tesla with open information about their home coordinates, their kid's school, drop location, their workplace, their exact address, if their Tesla is active or not. 2. 6K + Camera with a full recording of the whole month, installed in people's personal—-BEDROOM--, baby monitor. There is no excuse for self-hosting irresponsibly; it should be done to increase your privacy and security, not to increase the risk. Holesail provides a way to achieve this peak self-privacy and security. You expose only what you 🫵 choose, and only the person you want can access it, with no chances of a man-in-the-middle attack from a random relay and their DNS hosting. I like how enthusiastic people are about Nostr and Nostr-based services, but we should NOT overlook the security and risks some of these ideas might bring! https://m.primal.net/JWdi.png @TheGuySwann nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
I started with $1000 and, after just 6 hours of investing, I was able to turn it into $6,000. This opportunity is completely legitimate and safe to invest in. I am grateful to my coach who helped guide me through this process. If you are interested in seeing similar results, make sure to DM him now and start earning.
Cashu wallet mobile connected to a personal cashu mint via Nostr Web Services. No need to connect your own node over Tor. Mobile device only has access to a subset of the funds. Could this provide a better self-sovereign mobile lightning experience? nostr:nevent1qvzqqqqqqypzq5xeflpdskqvdq4swxj59793uvdzqzc9pzatjk3nhmcg2h0js8trqywhwumn8ghj7mn0wd68ytndw46xjmnewaskcmr9wshxxmmd9uq3vamnwvaz7tm9v3jkutnwdaehgu3wd3skuep0qqs9xzrlasmnzyklfsl968cmr53ggua4tagpyhwkh5mypaq3etfwtngrn76dh
watch me blossom you sad hater
ah yes, intellectual words of wisdom
bro. calm down. stop harassing me. you're a good dev, just keep doing what you're doing. what's up with all the hate?
look. this is the first time I'll engage directly with you as a person, and it's also the last time if nothing comes out of it. I remember you joined the Cashu channel with a lot of excitement and great ideas around a year ago. you were positive, supportive, helpful to others and shared your knowledge with everyone. at some point, there was a conflict with nothingmuch which had nothing to do with you, you weren't even involved in the situation. just a bystander. however, you decided to completely flip in that moment, rage quit the channel, and from that day on, you kept reappearing and spreading hate, fud, and stupid insults. it's so tiring and cheap. I never interacted with you that whole time. today I have a great relationship with nothingmuch, we discussed what happened and got over it like normal people. we do seminars together now. we work on shit. so I'm telling you this to make it clear, whatever the fuck your beef is or was, there is no need for it. if you want to engage in a constructive way, I'll be happy about it. I think you're a capable and smart dev with very interesting ideas. more people should learn from you and know about your work. however, if you keep insisting on hateful communication, I'll just resume back to ignoring you and return back to complete indifference. I would prefer the former.
