I'm getting tired of being paranoid about the CIA controlling everything. #thenostr
I know everything I say is public, and with nostr that is actually the entire point - to avoid being censored, not to be private. But yes intel agencies could be hacking us through our sloppily developed nostr software. I mostly just presume they already have access to everything and don't trust computers with true secrets. I use a SeedSigner for the only secret I need to keep secret. Then I also develop things as secure as I can, just to be the best I can, in the face of difficult odds.
There should be nostr teams that friendly-hack each other's apps to find vulnerabilities and report any to the creators. It would be good practice for the integrity of the protocol.
Have you met @semisol yet?
No but just followed him.
He has a habit of demonstrating his points about security and spam and the like so that they can't be ignored and the issues have to get fixed. It is all for the good of nostr of course, but can be a tad annoying when you are working on something else. There is also a repo where people complain about compatibility issues between nostr apps: https://github.com/nostrability/nostrability Speaking of, I was about to write a bot that requests connection to people's nsec bunkers to see how many people will authorize their private keys to sign my events, not realizing what is going on. Could be fun!
Yeah, I'm listening for {"kinds":[24133]} and when I get one, I create a new 24133 event from my ephemeral keypair to the 'p' tag of the event with a connect command. I do it again to the 'pubkey' of the event because I don't know what command was sent and which direction it is going. I backdate the event by a few seconds. One of those will be the bunker and will generally pop up to the user asking to allow the connect. Some users will allow it and then I can send in a mock event that says it is me fucking with them and ask them to sign it. Hopefully their client displays the event and they see that it is me fucking with them. If not, well, I get an event signed by them saying that I fucked with them. Basically I can script the whole thing and just point it at a popular relay and go to sleep, and then check on it in the morning.
If people implemented the "secret=" part of the NIP-46 standard, bunkers could simply drop requests that didn't include the connect secret, and none of this would be possible. But among 3 clients @bu5hm4nn tested today, none of them use the secret parameter in the bunker:// url when they send in their connect string, which signalled to me that none of the bunkers are requiring it (well, except gossip. Gossip requires it.)
requests and responses are both 24133 and look identical outside of the nip04 encoded content
It's so nice to have you guys around
If people only used auth_url popups to confirm then your bot wouldn't do harm. Doing confirms through popups has other useful features. I wonder if I should implement the 'secret' thing and only show connection requests with a secret in the nsec.app itself.
That is what I did. Gossip (as a bunker) only honors connects that provided the correct secret. The user doesn't get bothered by junk connect requests. Clients that don't bother to send the secret part of the bunker URL cannot use gossip as a bunker (which is unfortunately every client we have tried so far). BTW I didn't actually make such a bot.
Guilty as charged on that one. I've only implemented a server-initiated server. I will probably implement a client next with server-initiated flow. Then finally the client-initiated flow in both parts.