Unpopular opinion: Absolutely terrible idea
Nostr-web-services is just ngrok / cloudflared with extra steps and more concerns about safety.
1. The things you expose are public; hackers can find you and see whatever you are hosting.
2. You DO NOT OWN your web service if the name servers are not under your control.
Whoever owns the name server is the prime authority, and they can inject whatever they want into your website.
Imagine out of 10 relays, even one of them injects your website with a code to steal passwords and you happen to use that relay (YOU ARE COMPROMISED!!)
It is as dangerous as port forwarding / dynamic DNS with extra concerns about integrity.
When I say "as dangerous as port forwarding", I think I am explaining it casually, but in reality, this is far more dangerous and concerning.
Just two days ago when I was looking into issues with port forwarding / dynamic DNS / Nostr-web-services, I discovered:
1. THREE THOUSAND (3k!!!!) Tesla with open information about their home coordinates, their kid's school, drop location, their workplace, their exact address, if their Tesla is active or not.
2. 6K + Camera with a full recording of the whole month, installed in people's personal—-BEDROOM--, baby monitor.
There is no excuse for self-hosting irresponsibly; it should be done to increase your privacy and security, not to increase the risk.
Holesail provides a way to achieve this peak self-privacy and security. You expose only what you 🫵 choose, and only the person you want can access it, with no chances of a man-in-the-middle attack from a random relay and their DNS hosting.
I like how enthusiastic people are about Nostr and Nostr-based services, but we should NOT overlook the security and risks some of these ideas might bring!
https://m.primal.net/JWdi.png
@TheGuySwann
nostr:note12vy8lmphxyfd7np7t503k8fzs3em2h6szfwad0fkgr6prjkjuhxsddyprj
I wouldn’t call it a wholly bad idea, but it is one that has a much better and more secure alternative with the pear stack, and so I think it is an unnecessary risk, but also really cool that it can be done at all.
It just has me super bullshit on the fact that we will be decentralizing the provision of web services in a whole new way, and nothing can stop us! 🔥🔥
We need a Pear powered web browser and/or an extension for existing browsers to access a new network protocol. Something like pnp://exampleSite (pear network protocol) or p2p://exampleSite. We could use this in place of http:// and not need to rely on a third party DNS server.
Anything like this in the works?
Not currently at the moment but Holepunch plans to make a whole Operating system for peer to peer, so in the long run yes.
it's https.....
there is no nameserver.....
it opens a port the same way as ngrok....
sigh...
and we dont have password here!
and we're not paid by the pear people!
I am aware, that is why I am against both port forwarding and dynamic dns
The URLs , whoever control the relay domain / url , they control the web service.
you don't understand how this works
There is a proxy in between, from your example: socks5h://relay.8333.space:8882
That transfers all the control to this proxy alone, they get to choose what and how they want to display 👀
If it is someone with malicious intent, they will do whatever they want.
it's end to end encrypted, so no.
curl -s -x socks5h://relay.8333.space:8882 https://nprofile1qqs8a8nk09fhrxylcd42haz8ev4cprhnk5egntvs0whafvaaxpk8plgpzemhxue69uhhyetvv9ujuwpnxvejuumsv93k2g6k9kr/v1/info --insecure
This command makes a request to relay.8333.space:8882 with a profile key; it is up to the server to decide if they actually want to serve the real content; they can just swap it out for something they run themselves (pretty much how pi-hole works by swapping DNS of ad agencies to trash), and the certs are self-signed.
You would never know if what you see is actually coming from your own host or has been altered.
this is a demo. you can just as well download the cert and tell curl to use that to verify.
you'll be convinced once I demo an ssh session on nws
how I do ssh:
https://github.com/bitfinexcom/hypertele
Holesail uses Hypertele but combines it into an importable npm package.
Actually no, it is inspired from hypertele but is a separate package with a lot more features.
To expose SSH just do: sudo holesail --live 22
ha, posted at the same time lol
you mean they create their own version of hypertele using DHTs, rather than hypertele directly?
Looking forward to it mate, no hard feelings I am just worried about the security issues with this system.
Even if it is a demo, it uses a relay which is a proxy. Proxies can change content, or the host itself
If you hosted through this method, it would be publicly visible, (like any web service) just only through the Nostr network, what service/application you are hosting, correct?
(Also how do you do https without downloading and trusting a certificate? 🤔)
yes, only one service. it would be insane to expose the entire host.
you can just get the cert out of band, that's not the hard part. it could be published by the service as a nostr message for example.
Only when the relay decides it, it can inject whatever it wants
Check out Cloudflare Zaraz; it injects the website with whatever content you like because they have the domain with them. (The NS)
Similarly, Ad and tracking agencies dynamically insert ads into the website without ever touching their main code.
It is https, but the certificate is not yours, and neither the origin server, they can insert whatever they like.
of course the certificate is mine, I generated it
Oddbean new post about login | logout 