Ostrich McAwesome
npub1wq6n...7d9k
*deep hoots and guttural grunts* BTC: bc1qeh6dmzz9gr7uwd7jzhnx7mclchlmkwucjzuxjv
So, I've been studying #Mostr, and I think it's bad for #Nostr. Nothing against the Fediverse, I just don't think it follows the right philosophy. Normalizing it is a threat to sovereignty. Personally, I recommend muting all Mostr NIP-05s. I am not calling for Mostr's destruction, but perhaps tools for clients and relays to mitigate custodial account services like Mostr. A single service shouldn't dominate the timeline the way it does, unless the user wants it to.

Let's also face the basic truth: Not your keys, not your account. Mostr holds all the nsecs. They are generated like this:

=====
// Assumed import: the secp.utils.bytesToHex and secp.schnorr.getPublicKey calls below match the @noble/secp256k1 v1 API
import * as secp from '@noble/secp256k1';

/** Generate Nostr keys from a seed. */
async function generateKeys(seed: string) {
    // Hash the seed; the digest bytes are used directly as the private key
    // (getDigest is a helper defined elsewhere in the Mostr code base)
    const privateKeyBuff = await getDigest(seed);
    const privateKey = secp.utils.bytesToHex(new Uint8Array(privateKeyBuff));
    return {
        privateKey,
        // x-only Schnorr public key, i.e. the hex form of the npub
        publicKey: secp.utils.bytesToHex(secp.schnorr.getPublicKey(privateKey)),
    };
}

/** Get Nostr keys for an ActivityPub ID. */
function getActorKeys(apId: string) {
    // Every actor's seed is the one server-wide secret joined with that actor's ID
    return generateKeys(Conf.secretKey + ':' + apId);
}
=====

Where "Conf.secretKey" is a seed value generated with "openssl rand -base64 48". This is definitely a secure way to make nsecs, but it also secures every account with the same private key. Were that key to be compromised, it's a single point of failure. A staggering number of trusted accounts could be botted in an instant. That key is stored in plaintext inside of a "config.ts" file on the Mostr server, so we're really just one zero-day away from an issue. We really shouldn't trust accounts like these by default. Even if @Alex Gleason is the most trustworthy person in the world, letting one person own that many trusted nsecs is a bad idea. I'll keep repeating this term till it sticks: ZERO-TRUST.

Also, while I respect Mostr being an open-source project, that in itself is a threat given what Mostr does. Standing up your own Mostr is trivial, but could you imagine two Mostrs?
That's immediately a spam problem, and probably an invitation to cause a loop to form somewhere. Imagine 10 Mostrs; complete chaos. Nothing is preventing this. And, just a petty complaint, but everyone on Nostr identifies themselves by npub, but on the ActivityPub side of Mostr, Nostr users are identified by hex pubkey. Fixing this now is basically impossible, and it hurts user-friendliness. That's not our problem though.
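To make the "one secret secures every account" point concrete, here is an added Python model of the derivation scheme quoted above. It is not Mostr's code and not the poster's; it assumes the digest step is SHA-256 (the post does not name the hash), implements secp256k1 scalar multiplication in pure Python instead of a library so it runs offline, and uses constructed actor IDs. It also goes one step beyond the post: rotation_impact shows that because every key is a pure function of the master secret, rotating that secret changes the pubkey (npub) of every bridged account at once.

```python
import hashlib

# secp256k1 domain parameters (standard constants, unchanged by this example)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point=G):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def derive_private_key(master_secret: str, actor_id: str) -> bytes:
    """Mirror of getActorKeys + generateKeys: hash(master ':' actorId).
    Assumption: the digest is SHA-256; the post does not say which hash Mostr uses."""
    seed = f"{master_secret}:{actor_id}"
    return hashlib.sha256(seed.encode()).digest()


def xonly_pubkey(private_key: bytes) -> str:
    """x-only (BIP-340 style) public key as 64 hex chars, the hex form of an npub."""
    d = int.from_bytes(private_key, "big")
    if not 1 <= d < N:
        raise ValueError("private key out of range")
    x, _ = _mul(d)
    return x.to_bytes(32, "big").hex()


def derive_keys(master_secret: str, actor_id: str) -> dict:
    sk = derive_private_key(master_secret, actor_id)
    return {"privateKey": sk.hex(), "publicKey": xonly_pubkey(sk)}


def keys_for_bridge(master_secret: str, actor_ids) -> dict:
    """Every bridged identity is fully determined by the one master secret."""
    return {aid: derive_keys(master_secret, aid) for aid in actor_ids}


def rotation_impact(old_master: str, new_master: str, actor_ids) -> int:
    """How many actors get a new npub if the master secret is replaced."""
    old = keys_for_bridge(old_master, actor_ids)
    new = keys_for_bridge(new_master, actor_ids)
    return sum(old[a]["publicKey"] != new[a]["publicKey"] for a in actor_ids)


if __name__ == "__main__":
    # Constructed sample data: a made-up master secret and two made-up ActivityPub IDs
    actors = ["https://example.org/users/alice", "https://example.org/users/bob"]
    for aid, keys in keys_for_bridge("example-master-secret", actors).items():
        print(aid, keys["publicKey"])
    print("accounts whose npub changes on rotation:",
          rotation_impact("example-master-secret", "rotated-secret", actors))
```

The two halves of the blast radius follow directly from the derivation: whoever holds the master secret can regenerate every account's private key, and the operator cannot rotate that secret without every bridged account silently becoming a different Nostr identity.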
So, a basic introduction for anyone interested: I am a gray hat hacker and cybersecurity awareness activist who likes to stir up privacy-centered networks. I have probably met some of you before. I actually came here looking for a challenge. I've been lurking around here in some form or another for about 4 months now, playing with different clients and tools, even running my own testnet (3 stirfry relays on a VLAN). Mostly I have been focused on the community and how people use different clients. I've been playing with some good open source tools and getting an understanding of how to interact with relays. Personally, I'm not all that into Bitcoin, but I do have a whole BTC in cold storage, so I guess I've got that going for me. This whole lightning thing is new to me; I don't really ever spend Bitcoin, and my actual business makes me plenty of fiat. So far I am impressed with the community. A little too wild-west in some areas since there's hardly any moderation tools, and the community isn't quite interested in the same things that I am, but I do see a lot of advocacy for privacy and digital freedom, and I like that. But the whole system here is, regrettably, broken. The promises made about Nostr don't live up to reality. A network like this has the potential to become so much more, but there is a lot to lose if it is done wrong. I intend to help expose these problems. Expect me here for a while. There are a lot of vectors for attack, and I plan to give them all visibility. Nostr devs, please pay attention. With no centralized network development, all of you are responsible for fixing these issues.