 Hey @Vitor Pamplona can we get a new application option to help combat potentially leaking IP addresses via image loading? Maybe add a following only option here? So that we can always load images from people we're following. Thanks.
https://i.nostr.build/Pd48.jpg#m=image%2Fjpeg&dim=1080x2400&blurhash=%5B02O%7CsNFD%25xu%3FHM%7B-%3Bxut6M%7B%252xut6M%7C%25Mxt%7EqM%7CD%24t7oeM%7B-%3Bt7-%3BM%7Bt7t7xuM%7B%25Mt7_3M%7BIUt7&x=efbb1ebe1e2ab671cc6816d40b9202649f11a43c0304dbd48959fe936a14a8de 
 Could even have some other sort of icon on their avatar.... If an account posts their own nsec? 'potentially compromised'. Maybe that is unnecessary 🤔 
 Several clients use imgproxy to speed up image loading and prevent IP leaking (except to the imgproxy server). 
 correct - but seems image url in DM can bypass image proxy settings maybe. 
 This may be a bug 
 👍 if this can be done outside of DM also, then sure, it is not a "good thing" when it comes to associating IP<->npub - DM handshake is a special case
 
 This is a good alternative to my solution. I like it. I'm good with either one here. 
 We tried this and fully disabled it. The proxy just becomes a massive centralization point, which I truly think goes against the decentralization goals of Nostr.  
 Eh, it's only centralized if all clients use the same image proxy server. If all clients use their own it's not a big deal, IMO. Also, give users the ability to turn it off like Snort does. 
 I don’t know if this has to do with that interesting new account or not and the funny url that was DMed out. 

I don’t know if images from followers is the best approach. 

Right now so many services have your IP and even your followers might find a url or repost something from a non follower that is from a honeypot web server. 

The weird url link that was DMed to me has 2 attributes, my npub and some crc value that is probably a hash or some part of the npub or something. 

I’d say a good start is that any url or image that might have your npub (or anyone’s npub) should maybe have an option whether to load it or not. I’m sure clients can identify a suspicious url and filter. 
 I can just send you a URL there 1.2.3.4/file10.jpg and enter into a local DB that file10.jpg corresponds to this npub DM. Their method was just for easy scripting. 
 most app default settings - keep images blurred / not loaded from global aka "not following npubs"
nothing special needed except user education/awareness for now
everyone do not click READ from unknown npubs in DM when u don't wanna reveal current exit IP <-> npub until u turn on some condom like tor/vpn/proxy
  
 if you open the notification tab, the image loads there too. Not just in the DM tab 
 Correct. This change should also apply to notifications and be a blanket change across the application. If following load image, if not following display text image link. 
 key point sending "signed npub" to an image or any file server to associate it with any exit IPs (which are always loaded in any server)
 
 Probably easier and more intuitive to normies if all images were just blocked and you can click to show pics each time.

Chances are that their following list isn't audited well, and they might even prefer to be more selective about image loading. 
 As long as this can be turned off via settings and a toast notification told users to do this the first couple of times, sure. We don't want to make things too complicated for non-technical people. 
 Yeah, when the feature is turned on of course.

I mean when it comes to familiarity and ease, block all images exists today (Gmail) but allow from trusted users only is not as widely found and relies on your following list to be your trusting list too. 
 We can try. I don't think it solves the problem but it can minimize it.  
 Thank you sir.
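
The loading rule discussed in this thread (auto-load images only from followed accounts, and hold back URLs that carry an npub), sketched as an added example that is not code from any Nostr client; the function names, mode values and keys are assumptions constructed for illustration. It also shows the limit raised above: an opaque per-recipient URL such as `1.2.3.4/file10.jpg` passes the URL check and is stopped only by the follow rule.

```javascript
// Added example. Names, modes and keys are hypothetical, not any client's API.
// bech32 npub: "npub1" followed by 58 characters of the bech32 alphabet.
const NPUB_RE = /npub1[02-9ac-hj-np-z]{58}/;

// Undo nested percent-encoding so an encoded npub cannot slip past the check.
function fullyDecode(s, rounds = 3) {
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { return s; }
    if (next === s) break;
    s = next;
  }
  return s;
}

// True when the URL carries any npub or the viewer's own hex public key.
function embedsIdentity(rawUrl, viewerHex) {
  const text = fullyDecode(rawUrl).toLowerCase();
  return NPUB_RE.test(text) || text.includes(viewerHex.toLowerCase());
}

// One decision function for every surface (feed, DMs, notifications).
// mode: "always" | "following" | "never" (click to show each image).
function imageDecision({ url, authorHex, viewerHex, following, mode }) {
  let parsed;
  try { parsed = new URL(url); } catch { return { load: false, reason: "unparseable-url" }; }
  if (!/^https?:$/.test(parsed.protocol)) return { load: false, reason: "non-http-scheme" };
  // Checked even for followed authors: they may repost a link minted by someone else.
  if (embedsIdentity(url, viewerHex)) return { load: false, reason: "identity-in-url" };
  if (mode === "never") return { load: false, reason: "click-to-load" };
  if (mode === "following" && !following.has(authorHex)) {
    return { load: false, reason: "author-not-followed" };
  }
  return { load: true, reason: "allowed" };
}

// Constructed sample data (not real keys).
const viewerHex = "ab".repeat(32);
const friendHex = "cd".repeat(32);
const strangerHex = "ef".repeat(32);
const following = new Set([friendHex]);
const fakeNpub = "npub1" + "q".repeat(58);
const base = { viewerHex, following, mode: "following" };

console.log(imageDecision({ ...base, authorHex: strangerHex, url: `https://img.example/a.png?u=${fakeNpub}&c=1a2b` }));
console.log(imageDecision({ ...base, authorHex: strangerHex, url: "http://1.2.3.4/file10.jpg" }));
console.log(imageDecision({ ...base, authorHex: friendHex, url: "http://1.2.3.4/file10.jpg" }));
```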