97c70 - 1y
Malicious in the sense of surveillance/phishing. So say someone sends you an email with a link pointing to `/notes?relays=wss://bad-relay.com/myemailinbase64`, you click on it and your client auto-signs an AUTH challenge, bingo bongo they have correlated your email/pubkey. Basically an injection attack. As it happens, nostr:nprofile1qqs8hhhhhc3dmrje73squpz255ape7t448w86f7ltqemca7m0p99spgpp4mhxue69uhkummn9ekx7mqprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvqythwumn8ghj7enfd36x2u3wdehhxarj9emkjmn9keq8hx pointed out that this is already possible using nprofile/nevent 😬
Coracle does (this needs to be improved)
If the relay knows your pubkey they know your contacts. It's probably not hard to infer who you are from your filters, in most cases probably trivial, but client fingerprinting could also be implemented.
daniele @dtonon - 1y
I think that asking when a relay is unknown is an effective strategy that doesn't ruin the UX. You can always check the already approved relays first and try to fetch the note from them; this would slow down the loading a bit, but it makes the process completely transparent for a good amount of notes/profiles.
Really interesting brainstorming by nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn on a possible privacy attack vector on nostr. Nostr is different and so are the security paradigms; therefore we have to think outside the box to find every possible vulnerability. nostr:nevent1qqs0xmg7s8xeeq94u7fjrelm7qj503z2trzjyyl0gp0fqfupgm40veqpz3mhxue69uhhyetvv9ujumn0wd68ytnzvupzp978pfzrv6n9xhq5tvenl9e74pklmskh4xw6vxxyp3j8qkke3cezqvzqqqqqqy9djts8
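An added example, not part of the thread and not Coracle's code, sketching the mitigation discussed above: relay hints from a link are compared with the user's approved relays, approved relays are tried first, unknown hints wait for a prompt, and an AUTH challenge is signed only for approved relays. All function names are hypothetical, and a comma-separated `relays` parameter is an assumption.

```javascript
// Added example; names are hypothetical and this is not Coracle's code.
const normalizeRelay = (raw) => {
  try {
    const u = new URL(raw.trim());
    if (u.protocol !== "wss:") return null; // refuse non-TLS and non-websocket hints
    // Keep path and query in the key: that is where a per-victim token can hide.
    return `wss://${u.host}${u.pathname.replace(/\/+$/, "")}${u.search}`;
  } catch {
    return null; // unparsable hint
  }
};

// Assumption: the `relays` query parameter is a comma-separated list.
function hintsFromLink(link) {
  const params = new URL(link, "https://client.invalid").searchParams;
  const raw = (params.get("relays") || "").split(",");
  return [...new Set(raw.map(normalizeRelay).filter(Boolean))];
}

// Approved relays are tried first; unknown hints wait for an explicit user decision.
function planFetch(link, approvedRelays) {
  const approved = new Set(approvedRelays.map(normalizeRelay).filter(Boolean));
  const needsPrompt = hintsFromLink(link).filter((r) => !approved.has(r));
  return { tryFirst: [...approved], needsPrompt };
}

// An AUTH challenge is signed only for relays the user approved, never for link hints.
function maySignAuth(relayUrl, approvedRelays) {
  const key = normalizeRelay(relayUrl);
  return key !== null && approvedRelays.map(normalizeRelay).includes(key);
}

// Constructed sample input, modelled on the link quoted in the thread.
const approved = ["wss://relay.example.com/"];
const link = "/notes?relays=wss://bad-relay.com/myemailinbase64,wss://Relay.Example.com";
const plan = planFetch(link, approved);
console.log(plan, maySignAuth("wss://bad-relay.com/myemailinbase64", approved));
```

Because the path stays in the comparison key, a hint that reuses an approved host with an extra path segment is still treated as unknown.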