Oddbean new post about | logout
Vitor Pamplona | 1 months ago (raw) | root | parent | reply | flag +5 
 Just go for MLS. 1 on 1 chats are good enough today with regular gift wraps. The key unsolved problem is efficient private group chatting.
Martti Malmi | 1 months ago (raw) | root | parent | reply | flag +2 
 I’m very uncomfortable using DMs that don’t have forward secrecy. That builds up a growing trove of private message history that will all be revealed if your key is ever compromised, increasing the potential harm with every message.
Martti Malmi | 1 months ago (raw) | root | parent | reply | flag +1 
 I’ll definitely look into MLS
Vitor Pamplona | 1 months ago (raw) | root | parent | reply | flag +1 
 Just add an expiration tag to your gift wraps and/or use a DM relay that only you can download them and that it allows you to delete these events in whatever schedule you want.

It's much easier for users than dealing with secondary keys for DMs that can't be saved on Nostr because if you do, you lose all the forward secrecy gains.
tekne | 1 months ago (raw) | root | parent | reply | flag +1 
 If someone gets your private key (the one that accesses your whole account), then isn’t that total access? Ratcheting doesn’t really matter at that point right?
Vitor Pamplona | 1 months ago (raw) | root | parent | reply | flag +2 
 Correct. You have to keep the ratcheting state outside of Nostr, which means that either only one client had access to your DM and/or different clients see different DMs, or that you have a way to import and export the ratcheting state from app to app manually, off from nostr. 

The later becomes a better point of attack. You don't need to break the decryption if you can just get the state by attacking the import/export function directly.
Martti Malmi | 1 months ago (raw) | root | parent | reply | flag 
 What would this attack look like in practice, against Signal for example?
tekne | 1 months ago (raw) | root | parent | reply | flag 
 Device access, no? It’s why a lot of people think ratcheting is overkill. Because device access is total access anyway
Martti Malmi | 1 months ago (raw) | root | parent | reply | flag +2 
 You can use disappearing messages if you're worried about device access. Disappearing messages require ratcheting, otherwise the message history will be found on relays and decryptable. Ratcheting protects your past and future messages even if your main key is stolen by a compromised client or one-time device access.

On Signal, maybe someone who borrows your phone could link another device without you noticing? Idk. But double ratchet still protects from all the other scenarios.
Martti Malmi | 1 months ago (raw) | root | parent | reply | flag +1 
 No, we use temporary keys that are rotated and only live on device. Main key is only used for authentication on the first key exchange.