Thread - Nostr Hypermedia

“Network relays are built on the modern and standardized MASQUE protocols and can be used to proxy all TCP and UDP traffic” Holy shit! It’s not just web requests. This is way better than your standard VPN. It also obfuscates traffic through http so it’s harder to tell that you’re even using it. TIL @Obscura VPN also uses this. This is the way we can make nostr network traffic private without requiring people to run VPNs.

Apple Support

Use network relays on Apple devices

Network relays are a special type of proxy that can be used for remote access and privacy solutions.

View quoted note →

Replies (25)

cryptowolf cryptowolf@nostrplebs.com 1 year ago

if the operating system is compromised and proprietary like iOS, then the network level security doesn't help.

jb55 _@jb55.com 1 year ago

It’s a protocol, we can set up our own MASQUE relays and use them within the app. I’m not sure if you can use apple’s. If you can it makes sense to use that for users who have an iCloud subscription . @npub1t0ny...jgqv says you might not be able to. cc @Dan Gould

3 replies ↓

jb55 _@jb55.com 1 year ago

I will chat with carl and maybe we can use @Obscura VPN somehow?

jb55 _@jb55.com 1 year ago

I was about to google that, thanks!

jb55 _@jb55.com 1 year ago

nope, this should work anywhere. Its a work in progress open protocol

1 replies ↓

Gzuuus gzuuus@nostree.me 1 year ago

Thanks! I will read further 👀

jb55 _@jb55.com 1 year ago

It’s gonna be important for damus autopilot mode (outbox). Otherwise its a privacy nightmare

1 replies ↓

Toshi toshi@nostr-check.com 1 year ago

So you can use apples private relay in your App? Is that what you are saying?

1 replies ↓

Nick Klockenga newtonick@klockenga.com 1 year ago

I wish Apple would build into iOS a way to allow users to configure individual apps to force network traffic over their relays (iCloud Private Relay) and not just limit it to Safari.

1 replies ↓

jb55 _@jb55.com 1 year ago

That would be cool

jb55 _@jb55.com 1 year ago

Either theirs or our own

1 replies ↓

npub1nz3c...yxqu 1 year ago

Apple controls both the OS and the proxy. They can access the decryption key whenever they want. In a perfect world the OS would be open source and verifiable. There’s no competitive reason to keep the OS closed source. Keeping it closed just ensures that state hackers have more attack vectors. Probably just worried about public researchers seeing the number of bugs in it.

1 replies ↓

jb55 _@jb55.com 1 year ago

There are two proxies, they don’t control the exit node

Dan Gould bitgould@bitgould.com 1 year ago

The difficulty with proxying arbitrary traffic like Apple does is that an attacker can flood DoS traffic behind protection. That’s why OHTTP specs 1:1 relay server to gateway server. OHTTP could even work for general Nostr if it were available over WebTransport instead of WebSocket.

1 replies ↓

pukka pukka@primal.net 1 year ago

How can us plebs help?

Toshi toshi@nostr-check.com 1 year ago

That would be great.

DETERMINISTIC OPTIMISM 🌞 nvk@primal.net 1 year ago

Obscura depends on SGX, prob pointless against state actors. Still great improvement.

1 replies ↓

jb55 _@jb55.com 1 year ago

Interesting, gonna chat with carl, curious why they need that. Maybe if they control both the masque nodes

jb55 _@jb55.com 1 year ago

since masque can proxy arbitrary traffic I don’t see why you couldn’t do a websocket connection over it ?

1 replies ↓

jb55 _@jb55.com 1 year ago

I can see the entry ohttp node needing authentication and payment to use , blinded signatures/tokens/passes ?

1 replies ↓

Obscura VPN obscura@obscura.net 1 year ago

Glad you came down this rabbit hole too 😆 Strong obfuscation is key for IP privacy protocols. It also helps that QUIC is UDP, so we avoid the TCP-over-TCP problem:

Why your TCP-based VPN stutters (and how to fix it) | From Carl's Keyboard

TL;DR Tunneling TCP connections over a TCP-based VPN leads to conflict between the reliability mechanisms of the two connections, resulting in dec...

Dan Gould bitgould@bitgould.com 1 year ago

afaiu WebSocket unfortunately isn’t actually HTTP, but a hack to get TCP communication working that breaks out of HTTP semantics. MASQUE requires data to be sent in HTTP.

1 replies ↓

jb55 _@jb55.com 1 year ago

This is not what the apple docs says, and its not what I have been reading. From apple docs: “Network relays are built on the modern and standardized MASQUE protocols and can be used to proxy all TCP and UDP traffic”

2 replies ↓

jb55 _@jb55.com 1 year ago

Also:

The Cloudflare Blog

Unlocking QUIC’s proxying potential with MASQUE

We continue our technical deep dive into traditional TCP proxying over HTTP

1 replies ↓

Dan Gould bitgould@bitgould.com 1 year ago

I think I confused MASQUE requirements with OHTTP requirements. Big if true.