Nostr View - Reminder: many nostr clients do not validate event

Nostr View

Mazin @mazin - 2y

Reminder: many nostr clients do not validate event signatures. Choose your relays carefully. Good morning.

undefined

undefined

undefined

Mazin @mazin - 2y

What client are you using?

undefined

undefined

undefined

Mazin @mazin - 2y

Yeah unfortunately there can be issues when switching between clients if they store your follows or relays differently. Without digging in to your events it’s hard to say what’s broken. Can you not follow anyone on any client?

undefined

undefined

undefined

Mazin @mazin - 2y

I’ll take a look at your events later today when I get a chance. nostr:npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5s can usually identify the problem quickly but I’m sure he is busy so be patient.

undefined

undefined

undefined

Mazin @mazin - 2y

Sure. A nostr event is structured like this: {"pubkey":"3d842afecd5e293f28b6627933704a3fb8ce153aa91d790ab11f6a752d44a42d","content":"Reminder: many nostr clients do not validate event signatures. Choose your relays carefully.\n\nGood morning.","id":"4507934f647958e934f3b67fff32c7b5a4b9e5f42042cf98f2f10ba0159db6bb","created_at":1695042973,"sig":"7cc63f85f2b7956280a7124aca7add92741c9f26b78843a082a2c65c79aa4510e7fb097f5c3d3c1f97e4a445e2673c5b955f19ab02d5630b4d1189cfdf4d4652","kind":1,"tags":[]} The “sig” field is used to validate that my private key signed the note. Most (all?) relays validate these signatures as the event comes in before storing it. Most clients do NOT validate the signature when receiving events from relays. The risk of not validating is that a relay could alter a users notes without detection.

undefined

undefined

undefined

Mazin @mazin - 2y

For sure, and it’s going to be a necessary tradeoff in many clients, particularly mobile ones. I do think they should still validate SOME events (like profile updates) though. I do think it’s important to point out that lots of our security/trustlessness is actually smoke and mirrors (for now).

undefined

undefined

undefined

Fabian @Fabian - 2y

I think I might turn it on by default again in Nostur, I had it disabled because I assumed it would be a big performance hit, but after your post I decided to do an actual measurement and it doesn’t seem that bad actually. I will do some more testing to be sure.

undefined

undefined

undefined

Mazin @mazin - 2y

Very cool! For what it’s worth, I totally understand not having it on by default and think having the option is great. I think Nostur is one of the few mobile clients that even has the option.

undefined

undefined

undefined

nobody @nobody - 2y

It did seem to hurt it perceptually on my phone. Totally anecdotal though.

undefined

undefined

undefined

Mazin @mazin - 2y

Correct, it’s a performance trade off. Some clients like Nostur (made by nostr:npub1n0sturny6w9zn2wwexju3m6asu7zh7jnv2jt2kx6tlmfhs7thq0qnflahe) have a toggle to turn validation on and off.

undefined

undefined

undefined

Mazin @mazin - 2y

Perhaps there could be an option to validate some randomly sampled events across a given relay set to keep them honest without necessarily needing to validate every event. I think profile updates are perhaps the most important to validate as it would be trivial for relay operators to steal money by replacing zap addresses.

undefined

undefined

undefined

Mazin @mazin - 2y

It’s a race condition with other relays of course so perhaps trivial is unfair but it’s something to think about.

undefined

undefined

undefined

06b78 - 2y

Yields! Do all relays validate event signatures?

undefined

undefined

undefined

06b78 - 2y

*Yikes! Damn autocorrect

undefined

undefined

undefined

Mazin @mazin - 2y

I can’t speak for every relay implementation on the planet, but every one that I know of does validate.

undefined

undefined

undefined

06b78 - 2y

Thanks. That’s what I thought. But it is possible for a rogue relay to send out invalid events, so clients need to validate.

undefined

undefined

undefined

Mazin @mazin - 2y

Indeed, you got it! I think as clients optimize you’ll see more of them add validation. They all wanted to include it from the beginning but ran in to performance issues. The most important thing to validate is profile updates since those include LN payment addresses. nostr:note1yvnw45cd7frkkx7ca4mnwqqjvranne045vgynf7w986n2jnkp45qwan0ts

undefined

undefined

undefined

nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z which events does #amethyst validate?

undefined

undefined

undefined

Vitor Pamplona @Vitor Pamplona - 2y

All of them. Even push notifications are individually verified.

undefined

undefined

undefined

5c4bf - 2y

Probably some clients don't even verify that events match the filter...

undefined

undefined

undefined

Showing page 1 of 1 pages