 Tips for Using Nostr on Tor:

Nostr has horrible Tor support as it’s very slow to connect to all of these relays.  Here’s some tips:

1) Use the Gossip Client on desktop (Linux is supported btw).  We love Whonix, but you could use any other tools such as ParrotOS, Tails, or even just command line software.

Then modify the following settings in Gossip:

a) Turn off avatars
b) Turn the refresh rate for the timeline to the slowest
c) If you’re real laggy, turn off “in-line content” which is images
d) Mute people you don't actually need to see
e) Modify the relays (see the next point)

2) Gossip is great for Tor because not only can you cut out the bullshit, but the client knows which relay to find which person.  This speeds up the process by not asking extra relays

2) If you’re doing controversial speech, consider only posting on Gossip via Tor, but then using a different account on a WireGuard VPN just for general browsing/scrolling of a timeline

3) Another possibility is Primal.net, as they aggregate all the information for you like regular social media.  They have the ability to censor you from seeing stuff just like Big Tech, I’m not saying they will do this… just be aware that they can.  Primal has both a web app and mobile app.  The web app works on Tor browser as it’s NOT behind CloudFlare.  But it is hosted by Hetzner which is the largest German host

Primal is great to look up someone's relays then follow on Gossip
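The point above about the client knowing which relay to ask for which person can be sketched in a few lines. This is an added example, not Gossip's code and not part of the original post: it assumes relay lists are published as NIP-65 kind 10002 events and uses a simple greedy cover to keep the number of connections made over Tor small. The pubkeys, relay URLs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed NIP-65 relay-list events (kind 10002); pubkeys and URLs are made up.
SAMPLE_EVENTS = [
    {"kind": 10002, "pubkey": "alice",
     "tags": [["r", "wss://relay-a.example"], ["r", "wss://relay-b.example", "read"]]},
    {"kind": 10002, "pubkey": "bob",
     "tags": [["r", "wss://relay-a.example", "write"], ["r", "wss://relay-c.example", "write"]]},
    {"kind": 10002, "pubkey": "carol",
     "tags": [["r", "wss://relay-c.example/"], ["r", "wss://relay-d.example", "read"]]},
    {"kind": 10002, "pubkey": "dave",
     "tags": [["r", "wss://relay-d.example", "write"], ["r", "wss://relay-c.example"]]},
    {"kind": 1, "pubkey": "erin", "tags": [["r", "wss://relay-e.example"]]},  # not a relay list
]

def write_relays(events):
    """Map each pubkey to the relays it publishes to (no marker means read and write)."""
    out = defaultdict(set)
    for ev in events:
        if ev.get("kind") != 10002:
            continue
        for tag in ev.get("tags", []):
            if len(tag) >= 2 and tag[0] == "r" and (len(tag) == 2 or tag[2] == "write"):
                out[ev["pubkey"]].add(tag[1].rstrip("/"))
    return dict(out)

def plan_connections(follows, events):
    """Greedy set cover: a small set of relays that still reaches every followed author."""
    relays_of = write_relays(events)
    authors_on = defaultdict(set)
    for pk in follows:
        for url in relays_of.get(pk, ()):
            authors_on[url].add(pk)
    uncovered = {pk for pk in follows if pk in relays_of}
    unreachable = sorted(set(follows) - uncovered)  # no usable relay list known
    plan = {}
    while uncovered:
        # Relay serving the most still-uncovered authors wins; ties go to the lowest URL.
        best = max(sorted(authors_on), key=lambda u: len(authors_on[u] & uncovered))
        plan[best] = sorted(authors_on[best] & uncovered)
        uncovered -= authors_on[best]
    return plan, unreachable

if __name__ == "__main__":
    print(plan_connections(["alice", "bob", "carol", "dave", "erin"], SAMPLE_EVENTS))
```

With the constructed data, four authors are reached through two relay connections instead of the five relays that appear across the sample events.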
 
 #Gossip is great but have you tried running #nostr in a #Linux terminal? 

There's NAK, created by @fiatjaf that worked great for me for a while.

Unfortunately, I can't get it running on another machine that's a fresh install (probably missing some dependencies). Anyone tried it? Anyone failed the same way? 

https://github.com/fiatjaf/nak

#asknostr 


 great tips
resourceful
spectacular dude  
 If you need any additional changes to gossip to help support Tor, just let me know.

I wonder if many relays incidentally block Tor exit nodes simply by virtue of being in a data centre or on a network that does so. It would be interesting to find out.

In any case, on the master branch, gossip now honors your system-native TLS roots by default. This is to help people do TLS to .onion sites by configuring a local root certificate for these sites. That is to support relays that are on Tor. 
 I would not encourage people who need OPSEC to use Primal or any nostr web client since they use JavaScript and can leak information about the users.  
 What in particular are you thinking of here? I can't think of privacy problems that don't involve clients intentionally or unintentionally including code that tracks users. 
 It's mainly as you put it. I could grab a popular FOSS nostr web client and add malicious code. Then make a .onion of it. Could share to Chinese or other users in their language. Can then have users self-XSS, fingerprinting, Cross-Site Request Forgery, and get MITM off top of my head. Could be spread by impersonation of the client's developer(s). 

Depends on a person's level of acceptable risk. If I were a dissident in a hostile country, for example, I would never enable JavaScript. The fire up Tails then install Gossip approach is the easiest to come up with. Have seen foreign intelligence services make "privacy focused" informational sites with misinformation on how to be anonymous online. (NOT saying OP is one of these to be clear. 😉) All comes down to why someone needs to use Tor. Tor browser calls that setting "Safest" for a reason. 
 Makes sense, it all depends on your risk profile. For most people, disabling JavaScript is unthinkable. The same attack vector is possible using native apps too of course. If you want perfect opsec you need to have verifiable builds etc 
 True. It was meant for speed, but yes you're right 
 There's always solid nuggets here especially for people like me who have limited exposure to this information.


 Bookmarked, thanks for the tip 
 Coracle supports multiplextr, which also aggregates traffic. You can also disable likes, and inline media.