Not talking strictly HTTPS. Even so, when have you been directly notified by an app when they updated their pinned certificate? Or even had visibility into a currently pinned certificate and its expiry? It’s not even the key exchange security - that’s largely solved. It’s the swap-out and zero-visibility attacks. I’m largely targeting WhatsApp, Apple iMessage and FaceTime, and whatever large corps constantly use a few buzzwords that are literally meaningless. I hope we can do better on Nostr, once key rotation is more mature. We need greater transparency around security-related changes. I’m unsure how to include them outside of the app itself - which shouldn’t be trusted.

Replies (2)

And just to clarify... you’d need the pinned certificate key/fingerprint - its expiry is not enough to detect a change.
Oh, if you are talking about big boys, you should have named them. Don’t expect any privacy there, that goes without saying. HSTS actually works if you are afraid of MITM. DNSSEC has to be used too and your resolver has to be someone you trust and over a secure channel. 🐶🐾🫡