 We love Nostr as a publishing platform that offers unparalleled censorship resistance. But NIP44 does NOT provide most of the important qualities of e2e encryption:

- break-in recovery.
- repudiation (deniability).
- visibility of connection graph to observers.
- fixed message sizes (although it can be provided by the specific app)
- resistance to Shor's algorithm (PQ encryption).

It's unclear whether it provides forward secrecy, but the spec implies that it does not - I might be wrong here.

We wrote this post about the qualities of e2e encryption and why they are important: https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html 
 NIP-44 is just the encryption. The DM protocol is NIP-17 with NIP-59 and NIP-44. No one uses NIP-44 by itself for messages.

1. NIP-44 has padding for fixed message sizes.
2. NIP-17 DMs are gift-wrapped by ephemeral keys in public, so repudiation/deniability is provided as well. Gift wraps can even use random alias keys as receivers.
3. The connection graph is not visible unless the NIP requires it to be.
4. Break-in protections exist on the wrap. Breaking individual messages does not reveal the main nsec of the Nostr user. The only way the break-in can work is if the attacker gets the long-term key or seed, which is also a problem for other E2E apps.
 Also nostr:nevent1qqswtluezhnlywfk5m4z5wzywyemfc9dmcceejlavnsqnhf2ttgks3gpyamhxue69uhkymmnw3ezuenjv4jhxur9v43kstnrv9ekztelv93kxatjv96x20f3qgswmdrsyuff0tz6v8e80u7dzn09f3n7khxdyrhsm80jn0scdpdmqpqrqsqqqqqpfj9dl7 
 Excellent post! 
 No, but it's a very similar design with relays. Nostr has largely failed to provide a private and secure DM protocol so far, so that should be a good thing. nostr:nevent1qqs04jkx6rxfnzs8a3dc3gxsqpvjhe9yat74y3hdmfw53efeu22g6qcqrau8x 
 nostr:nevent1qqs04jkx6rxfnzs8a3dc3gxsqpvjhe9yat74y3hdmfw53efeu22g6qcpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtczyrye3ftnnuz00lljqtz5jc4227ptxnktzrt0j9dalht4s2trh7ghzqcyqqqqqqgz2ugx4 
 Nip17 is a combination of nip 44 and nip 59 gift wraps, which takes care of the concerns in that message. 
 NIP-59 seems to do a good job at hiding metadata from public view but it doesn't provide

- break-in recovery.
- repudiation (deniability).
- (lack of) visibility of connection graph to observers.
- fixed message sizes (although it can be provided by the specific app)
- resistance to Shor's algorithm (PQ encryption).

I can add that it definitely doesn't provide forward secrecy.

It's concerning that these developers simply don't seem qualified to properly implement secure messaging, and I believe users are being put at risk, although I do see a lot of people just putting nostr:nprofile1qqsvnx99ww0sfall7gpv2jtz4ftc9v6wevgdd7g4hh7awkpfvwlezugpz4mhxue69uhhyetvv9ujumn0wd68ytnzvuhsg5cway addresses in their profile anyway. 
 You are wrong on several of these if not all. I will pull it up in a bit. 
 By 'it' I mean NIP-44 encryption. 
 nostr:nevent1qqs04jkx6rxfnzs8a3dc3gxsqpvjhe9yat74y3hdmfw53efeu22g6qcpz9mhxue69uhkummnw3ezuamfdejj7q3qexv22uulqnmlluszc4yk92jhs2e5ajcs6mu3t00a6avzjcalj9csxpqqqqqqzehrms0