Have you seen the latest papers on all the MLS vulnerabilities AI is finding? The thing is too big. So difficult that many folks outside Nostr are giving up on it and starting new protocols. I don't mind using Marmot, but it has been under development for over 2 years and it's still not stable or even usable.

Replies (13)

Alan's avatar
Alan 3 months ago
I have it working with my chatbot pretty reliability, and I built it from a simple vibecoding session with no experience vibecoding. I am an ex software dev. I find that hard to believe.
Alan's avatar
Alan 3 months ago
This is in white noise with two users and one chatbot image
It's ok, hit me up when Marmot gets audited like nip17 and has at least 2 implementations users can log in and see the same chat history.
Alan's avatar
Alan 3 months ago
It wouldn't work unless White Noise supported adding users to an existing group. Pika supports this today, White Noise tomorrow. That isn't a problem with the protocol. The issue is with nuance between implementation details.
Alan's avatar
Alan 3 months ago
... and see the same chat history. So you are calling the feature a bug. In marmot MLS this is a feature.
That's a deal breaker for me. Either offer interoperability or GFO. Otherwise this is just another vendor-lock in scheme to block people from moving away from a company's products. MLS is mostly a corporate play, so I am not surprised they have successfully brainwashed folks to think that is a feature.
Reference Implementations.. they are way too big.. the original idea of hatcheting in tree branches is good. The implementation of the things that idea needs to have in place to run correctly is where all the problems and attacking possibilities lie. I don't think they are new problems, it's just that AI can be more effective in finding and exploring them inside codebases.
Alan's avatar
Alan 3 months ago
Which explains why it doesn't exist in Amethyst. Marmot is an upgrade from Signal to make it decentralized. Signal has a feature (perfect forward secrecy). The way they work around that is linking a device from the main account, and offering to copy historical messages to the linked device. If the feature you want doesn't exist in Signal, it probably will never exist in marmot. Of course don't quote me on anything. I am barely a spectator in this space. I have just been burned by Signal's centralization so I prefer marmot.
Forward secrecy in signal is a lie exactly because you can export/import stuff or connect with a desktop app. I don't need your keys, I just need to connect my desktop to your signal app. Then puf.. all the "perfect forward secrecy" turns into theoretical BS.
Alan's avatar
Alan 3 months ago
I assume it copies it directly from what exists in storage on my phone. If true then your statement assumes the implemented solution assumes actual perfect forward secrecy. I mean, if it was truly perfect forward secrecy than I couldn't write the messages down on paper as I get them and share with a friend.
Sure.. I find the use of "forward secrecy" terms just marketing bullshit most actual engineers know it only exist in theory. So, to me, that is not a good sales point for Marmot. I do like the scaling of group sizes, though... But I wouldn't use it because of "forward secrecy"...