Oddbean
there are too many moving parts to ever make it practical to certify what you are connecting to

Don't Trust, Verify

this is not just the mantra of #bitcoin but it is the mantra of the internet

we now have AIs that probably can produce reasonable fingerprints of server code that can be used as identifiers

they are not deterministic because the code is one thing, and the data is another, and the interplay between them can be unexpected and random

certificate chains on deterministically produced software can exist and have a purpose, but they are only of use to those actually executing the code and gathering state in the application that interacts with that code, as well as the inputs from the outside

ultimately, it is a great black void you connect to, and everything that comes back from it is untrustworthy by default, unless you can verify it

nostr makes it so the users themselves create the authentication on their content, and after having dealt with the schemes of Bluesky and Farcaster, neither of which has a direct signature on events, i can say that the epic vulnerabilities this could create cannot be underestimated

if bluesky or farcaster ever have a large enough economy tied to them, the profitability of violating their consensus system will be very high

you simply can't do that with nostr... all events are only authorized by the users, the data the relay handles is intrinsically untrustworthy, exactly the same as the relay software itself
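The point above rests on one mechanism: a nostr event carries the author's own signature, so a client can check whatever a relay hands back instead of trusting the relay. Below is an added example, not code from this post or from any nostr project: a pure-Python check of the NIP-01 event id (sha256 of the canonical JSON array) followed by BIP340 Schnorr verification over secp256k1; a signer is included only to construct the sample event, and the private key 12345 and the event contents are made up.

```python
import hashlib, json
P = 2**256 - 2**32 - 977  # secp256k1 field prime; N = group order; G = generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    l = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)
def _mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        r, pt, k = (_add(r, pt) if k & 1 else r), _add(pt, pt), k >> 1
    return r
def _tagged(tag, *parts):  # BIP340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(parts)).digest()
def _lift_x(x):  # even-y curve point with x-coordinate x, or None if off-curve
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    if x >= P or y * y % P != (x**3 + 7) % P: return None
    return (x, y if y % 2 == 0 else P - y)
def event_id(ev):  # NIP-01 id: sha256 of the compact JSON array, UTF-8 left unescaped
    ser = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    return hashlib.sha256(json.dumps(ser, separators=(",", ":"), ensure_ascii=False).encode()).hexdigest()
def schnorr_verify(pk_hex, msg, sig_hex):  # BIP340 verification of sig over msg
    pk, sig = _lift_x(int(pk_hex, 16)), bytes.fromhex(sig_hex)
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pk is None or len(sig) != 64 or r >= P or s >= N: return False
    e = int.from_bytes(_tagged("BIP0340/challenge", sig[:32], bytes.fromhex(pk_hex), msg), "big") % N
    R = _add(_mul(s, G), _mul(N - e, pk))  # R = s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r
def verify_event(ev):  # the relay's copy is untrusted: recompute the id, then check the signature
    return event_id(ev) == ev["id"] and schnorr_verify(ev["pubkey"], bytes.fromhex(ev["id"]), ev["sig"])
def sign_event(priv, ev):  # BIP340 signing with zero aux randomness; only here to build the sample
    d = priv if _mul(priv, G)[1] % 2 == 0 else N - priv
    pkb = _mul(d, G)[0].to_bytes(32, "big")
    ev = dict(ev, pubkey=pkb.hex()); ev["id"] = event_id(ev); msg = bytes.fromhex(ev["id"])
    t = (d ^ int.from_bytes(_tagged("BIP0340/aux", bytes(32)), "big")).to_bytes(32, "big")
    k = int.from_bytes(_tagged("BIP0340/nonce", t, pkb, msg), "big") % N
    R = _mul(k, G); k = k if R[1] % 2 == 0 else N - k
    e = int.from_bytes(_tagged("BIP0340/challenge", R[0].to_bytes(32, "big"), pkb, msg), "big") % N
    ev["sig"] = (R[0].to_bytes(32, "big") + ((k + e * d) % N).to_bytes(32, "big")).hex()
    return ev

# Constructed sample event (throwaway key 12345), shaped the way a relay would hand it back
SAMPLE_EVENT = sign_event(12345, {"created_at": 1700000000, "kind": 1, "tags": [["t", "nostr"]], "content": "don't trust, verify"})
```

Any edit a relay makes to the content fails the id check, and any edit to the id or signature fails the Schnorr check, which is the whole of what the client relies on.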