Replies (48)

Jim Smij's avatar
Jim Smij 3 months ago
ugh, then we'll be using shit apps that charge the least. or paying for "pro" versions to control spam calls... where does it end? but, yeah, 21 sats is nothing... now. ;)
Analogue Dog's avatar
Analogue Dog 3 months ago
How can I request that relays block incoming voice messages. It's not even a few months since nostr doxxed everybody's DM's.
in actual fact, none of the chat protocols have solved any problems. the biggest reason to update to marmot MLS is it's a unified DM/group chat. at all times, forever, and from the beginning, AUTH has always been the thing that provides metadata security. you only have to read the architecture of matrix, signal, and the rest, to understand this. but even today, we here this "we don't go to ravenholm" meme about nostr DMs and you are not thinking bro. not thinking Auth is what makes privacy metadata security possible. you can get an answer to that question in 5 seconds with any LLM. do yourself a favor and stop making yourself sound like a stupid person to anyone who understands distributed systems and security
Have you seen the latest papers on all the MLS vulnerabilities AI is finding? The thing is too big. So difficult that many folks outside Nostr are giving up on it and starting new protocols. I don't mind using Marmot, but it has been under development for over 2 years and it's still not stable or even usable.
Analogue Dog's avatar
Analogue Dog 3 months ago
Pubky Noise looks like a good solution. I concluded about 6-months ago that Nostr is fubr'd on a protocol level. Pubky meanwhile is both decentralised and anti-fragile due to its use of PKARR and Kademlia. Probably a pipe dream but I would love for Amethyst to be the first Android Pubky client.
Analogue Dog's avatar
Analogue Dog 3 months ago
Could you be more specific? I get that John is the architecture and design authority, but I estimate that to be a significant advantage over Nostr. It is necessarily funded by Tether (although not exclusively) because devs need to meet their living expenses.
That's a deal breaker for me. Either offer interoperability or GFO. Otherwise this is just another vendor-lock in scheme to block people from moving away from a company's products. MLS is mostly a corporate play, so I am not surprised they have successfully brainwashed folks to think that is a feature.
Reference Implementations.. they are way too big.. the original idea of hatcheting in tree branches is good. The implementation of the things that idea needs to have in place to run correctly is where all the problems and attacking possibilities lie. I don't think they are new problems, it's just that AI can be more effective in finding and exploring them inside codebases.
Forward secrecy in signal is a lie exactly because you can export/import stuff or connect with a desktop app. I don't need your keys, I just need to connect my desktop to your signal app. Then puf.. all the "perfect forward secrecy" turns into theoretical BS.
Sure.. I find the use of "forward secrecy" terms just marketing bullshit most actual engineers know it only exist in theory. So, to me, that is not a good sales point for Marmot. I do like the scaling of group sizes, though... But I wouldn't use it because of "forward secrecy"...
Good thing that I was able to implement it from scratch on Amethyst (including ChaCha20 itself) so, the audit + my own knowledge was enough to make me very confident in the approach. Also, in 3 years, nobody has found any flaw in it to breach.
If your device gets hacked, nothing can protect your messages... No matter how advanced their encryption is. If that is your thread model, you don't even need to encrypt anything because it is all irrelevant at that point.
John Carvalho's avatar
John Carvalho 3 months ago
Pubky (and Nostr) are not consensus enforced systems, if people dont like how we build they can fork and build. Everything we make is modular anyway.
it's not just theory. each message has a particular secret. that secret is derived from other secrets including your nsec. forward secrecy means that an attacker can't find the next secret from the previous. post compromise security means that an attacker can't unravel the backwards path either.
lol. so you do know that when you send a message you have to send two messages to the relay right? one for you, one for the other person. in theory you can send each one to a different relay, which decouples this. but if both relays you sent it to have no auth, someone can be sitting there with a few clients already sitting there waiting for this kind of message. it's called a timing attack, and it doesn't change anything about the metadata security versus nip-01 if: a) more than one of the relays that was used has no auth, attacker can listen and find both messages and correlate them to a conversation b) even if they do get to separate relays, if they were sent to several, and one of each has no auth. done. and the other thing is the claims about chacha20/poly1305 being superior in any kind of reasonable term over the AES encryption that nip-04 uses are highly specious and deceptive. in actual fact, the big advantage of chacha20/poly1305 is performance. its bits of security are around the same. the only difference is aes uses rijndael in the place of chacha20. most of the internet is still running on AES encryption and at scale a compromise would have to have happened in some way by now. if there was reason to really move to another one with a smaller amount of study of its vulnerabilities and field actual usage. the vulnerabilities that reputable cryptographic algorithms have are considered to be so small as to be negligable, so called "infeasible" attacks. the bigger problems with these have come from "side channels" and a famous one was the use of bad quality random generators, and in the case of nip-17, as i just outlined, the *protocol* itself has a vulnerability that IS NOT HANDLED. two, in fact. one, to protect against metadata leaks you need these two conditions: 1. relay uses auth, so that a snoop can't just subscribe to catch everyone's messages 2. clients enforce sending each half of the message to separate relays (that have auth) so that the signal would have to be intercepted to catch the ip address timing and that would be the final boss, and for which somethiing like Tor might help a little. the protocol is weak on these two points and the first point i just don't know how long it's going to be until you all understand that you are sidestepping the real main vulnerability, with this superstitious distrust of relay operators who you... don't demand they use auth, sitting there everyone smiling happily while strfry still doesn't have any kind of system of nip-42 auth usage and half the clients still don't implement it.
also, amethyst is the common factor in this too. both are very commonly used and there was a big leak of nsecs not long ago i was seeing. tracing the root cause of the leak would definitely require checking amethyst, amber and primal apps because they have hte biggest userbase and probably you can also track the association between the leaked nsecs and the nip-05 and the chatter of the users who were using them saying which client they used.
what interests me is the protocol how you migrate a chat from 2 to 3 parties. it's obviously some kind of rollover process where last step forms the foundation of the state transition. i'm trying to think of where i have seen this pattern before. oh yes, pBFT validator lists. that problem is already architecturally solved in the Cosmos protocol.
↑