What do you mean by “the relays the public and users can track from one another”? Re: IPs, yes. Relays could triangulate to some degree but usually only for short periods because all the visible group ids change regularly. Tor and some trust in relays is inevitable.
Some relays are collecting and selling information about users, like their interests and so on. It's likely that they will want to collect any info at their disposal to associate accounts/keys/secrets and sell them to the highest bidder. Picture Chainalysis, but on nostr. If that breaks the privacy of MLS, then there might not be a reason to do MLS at all.
It doesn't break the privacy of MLS at all. All messages that are sent to relays are done so under ephemeral identities. All REQs that clients do to relays are for arbitrary group IDs that can (and must) change over time; or, in the case of welcome messages, they're REQing for NIP-17 style DMs. The creator of the group also sets the relays that the group will use for these messages so ideally, clients will only allow users to select relays that support privacy features like the "-" tag to stop event rebroadcasting, etc.
Can the chosen relay link IP-ephemeral identities and start putting a sequence of messages together? Can't they just see when the group id has changed and link the two? I am not doubting MLS, but I have seen too many people claim privacy until I run their server and start logging everything every connection does to locate, track and identify each participant. If the relay can do it, they can either sell that info for profit OR be required by court order to track and identify users. If they can do it, they will do it. That's why I am using Tor when connecting to DM relays. Every app session is a new Tor exit node. Relays can't know where each message is coming from. It's the only way I found to keep things private.
MLS is certainly not a panacea and it doesn't have any opinions on the transport protocol. This is what I've spent a lot of time trying to come up with. Yes, you're right, if you use just the MLS encryption aspect of the spec, you're leaving too much available to the relay and that could potentially lead to timing or triangulation/association attacks. Clients that implement MLS based messaging and care about privacy will need to use Tor (or VPNs or proxy relays at a minimum). I'm implementing all this now and finding lots of little details that have to be managed by the client to do this correctly. Things like rotating your key material as soon as you're added to a group (for PCS), rotating group IDs, potentially using multiple group IDs concurrently, securely storing conversation data on the client, etc. The reality, I believe, is that these are going to be pretty specialized clients. I'll have library code at the end of this that will make it easier but it's always going to be a significant lift to have strong privacy guarantees.
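The two posts above argue about what a logging relay can still correlate once messages are signed by throwaway keys and group ids rotate. As an added example (not code from this thread or from any MLS-on-nostr implementation), the simulation below writes the kind of log a relay would keep (IP, signing pubkey, group id, arrival order) and then clusters it by each field. The group id derivation via HMAC over an epoch counter, the IP addresses, and the "fresh exit per session" model of Tor are all assumptions made for illustration.

```python
"""Relay-side linkage simulation: what a logging relay can and cannot tie together.

Added example. Assumptions: a per-epoch group id is derived from the MLS epoch
secret with HMAC (the real spec may derive it differently), every event is
signed by a fresh random key, and Tor gives a new exit IP per app session.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict


def derive_group_id(epoch_secret: bytes, epoch: int) -> str:
    """Assumed derivation: opaque group id for one epoch, unguessable without the secret."""
    msg = b"nostr-group-id" + epoch.to_bytes(8, "big")
    return hmac.new(epoch_secret, msg, hashlib.sha256).hexdigest()


def ephemeral_pubkey() -> str:
    """Stand-in for a throwaway signing key used for exactly one event."""
    return secrets.token_hex(32)


def simulate_relay_log(epoch_secret: bytes, sessions: int, epochs_per_session: int,
                       msgs_per_epoch: int, tor: bool) -> list[dict]:
    """Produce the entries a logging relay would record for one client.

    Constructed addresses: a static IP when not using Tor, a new one per session
    with Tor. The client rotates the group id every epoch and the signing key
    every message, as the posts above describe.
    """
    log = []
    epoch = 0
    ts = 0
    static_ip = "198.51.100.7"  # constructed, RFC 5737 documentation range
    for session in range(sessions):
        ip = f"10.{session}.0.1" if tor else static_ip  # constructed exit per session
        for _ in range(epochs_per_session):
            gid = derive_group_id(epoch_secret, epoch)
            for _ in range(msgs_per_epoch):
                log.append({"ip": ip, "pubkey": ephemeral_pubkey(),
                            "group_id": gid, "ts": ts})
                ts += 1
            epoch += 1
    return log


def largest_cluster(log: list[dict], field: str) -> int:
    """Size of the biggest set of events the relay can link on one field alone."""
    counts = defaultdict(int)
    for entry in log:
        counts[entry[field]] += 1
    return max(counts.values())


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    for tor in (False, True):
        log = simulate_relay_log(secret, sessions=3, epochs_per_session=2,
                                 msgs_per_epoch=4, tor=tor)
        print(f"tor={tor}: total={len(log)} "
              f"by_pubkey={largest_cluster(log, 'pubkey')} "
              f"by_group_id={largest_cluster(log, 'group_id')} "
              f"by_ip={largest_cluster(log, 'ip')}")
```

Run it and the clustering tells the story of the thread: pubkey links nothing, a group id links only one epoch's worth of events, but the IP column links every event from a static address, which is exactly the column Tor (or a VPN or proxy relay) is there to scramble.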
😳
Maybe it isn't such a bad thing. Would anyone use a server that made the algorithm more like Twitter's but sold information? nostr:nevent1qvzqqqqqqypzq3svyhng9ld8sv44950j957j9vchdktj7cxumsep9mvvjthc2pjuqqsyxvf4av77x2yrdamtx095rfs366fccg723tq2fcny6uewsf5kaus4plv8w
This is not a subkey proposal.
He is talking about the problems of it
What @ABH3PO meant is that he is not proposing that Nostr users have subkeys for themselves, just encryption keys that they use to encrypt messages in a group. The goals are very different and in this case it doesn't pose any problems to the protocol.
🤣🤣🤣
There are always going to be tradeoffs. I can easily see a shared key shared through gift wrap DMs being a good enough use case for something like, say, regular "Instagram stories"; it is good enough privacy of content. Privacy of metadata is also very hard to crack in this case, but still maybe doable with chain analysis kind of stuff. So... should you sell drugs with something like this? Probably not. Could you share fun food pics on your stories with your friends that you don't want to tell the whole world about? Yes.
Idk, I think key rotation or encryption keys overcomplicate something we don't need; NIP-17 doesn't leak metadata, unless you are supposing people will lose the nsec and all their history gets compromised or something. nostr:nevent1qqsz6v392v3023yz8yvrg8kzxml2fg69kmd9wxvvtv3a26psepftgjqpzpmhxue69uhkummnw3ezumt0d5hsygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsfwen9r