nips
nips copied to clipboard
nostr-protocol
Private Nostr
I wanted to create a tracking issue that collects some of the approaches for making notes more private, or gives more control over how notes are viewed and by who. I have expressed interest in doing a nostriga talk along these lines so I would love to gather all of the approaches for the talk if I end up doing it.
- [ ] https://github.com/nostr-protocol/nips/pull/1029 @vitorpamplona
- [x] https://github.com/nostr-protocol/nips/pull/686 @vitorpamplona ~- https://github.com/nostr-protocol/nips/pull/1146 @jb55~
- [ ] https://github.com/nostr-protocol/nips/pull/1030 @fiatjaf
- [ ] https://github.com/nostr-protocol/nips/pull/1083 @monlovesmango
- [ ] https://github.com/nostr-protocol/nips/pull/875 @staab
- [ ] NIP29 - Relay-based Groups ~- https://github.com/nostr-protocol/nips/pull/1206 @erskingardner~
Please comment here if you have your own approach you want to add to this list!
#566 might be worth mentioning. There's also the signature stripping idea which may or may not be represented above. Also AUTH protected relays, which I've done a fair amount of work on with triflector and relay invite codes.
Looks complete. The only other way would be to use Encrypted Group messages on https://github.com/nostr-protocol/nips/pull/686 but that's quite a privacy overkill for most of these "workgroup" notes.
You might want to separate encrypted vs non-encrypted stuff for the talk. The number of encrypted options alone can get overwhelming and distract from the goals of these approaches.
I am not sure if this helps, but I used this image in the past to try to map out all of these solutions
I just created Notestr for private notes (PoC). The flow is here. You can try it at https://notestr.pages.dev/example which allows your followees to read your private notes (through ephemeral events tentatively).
I think it would be easier to control private notes if they are all in one server. The servers should be decentralized and you can use any server as NIP-96.
Nostr is a privacy train wreck. And intentionally so. The sites njump dot me and nostr dot com which is a widely promoted proprietary website, including on the protocol page silently send ip addresses and browsing history to shitcoin VCs. Nostr users are unsuspecting of this due to expectations of privacy protection. The opposite is the case. This really needs to be addressed if nostr in any way is to be considered to be taking privacy seriously, and not applying double standards. I would like the real cypherpunks to stand up and make a real effort to purge nostr from this privacy invasive disease that has captured so many. Start calling out those that silently put spyware on well known sites. Call out those insert them into the protocol areas. Start to use alternatives such as https://nostr.at/ -- lets clean up the basics, and the protocol area as well as making nostr private. Else it just looks like LARPing.
Could you please come down off your soapbox for a moment and explain what you mean?
The title of this issue made me think about the privacy issue of leaking information binding a client's IP address to it's npub. Maybe that is not what this talk is about. But I'll describe that here anyways. Even though I think the solution is to use another layer (VPN/Tor), I recognize the problem and I think it would be good for nostr users to be fully aware of the fact that this information (binding of IP address to npub) easily leaks.
- Going to relays you didn't configure in your client (outbox model) MAY leak information about you depending on what you ask that relay for
- AUTHing to relays you didn't configure in your client (outbox model) WILL leak this binding
- Clients pulling down images MAY leak this binding if they don't use a proxy/vpn service and if the attacker is able to target the image to their mark (targetting using DMs is in many clients known and protected against)
- Clients watching video from websites MAY leak this binding if the attacker is able to target the video to their mark
- NIP-05 checks may leak this binding (again based on targetting)
There might be others.
That's a great shout @mikedilger - I (and a few others) had the chance to speak with a senior member of the Citizen Lab team in Oslo at the Freedom Forum and this was one of the his biggest concerns about Nostr. How there is a much broader surface that can leak your IP address, which is the most well known way that people are targeted.
I agree with you that the best solution is going to be using Nostr via a VPN or Tor but we also have to try to ensure that Nostr clients try and use sensible (maybe overly careful) deafults or give users the chance to select those very careful defaults during onboarding - BEFORE the client has connected to anything.
Nostr can provide fully decentralized censorship resistance (which is already pretty amazing) and you can provide your own anonymity and sovereign ownership of it (also amazing), but privacy is very very hard to achieve in this space. I don't think nostr can provide it completely -- and because it can't do it completely, any sense that users have that nostr is providing privacy "mostly" just acts like a lure to trick them into losing their privacy. We would be better off being very clear that nostr does not provide privacy, and that VPNs and Tor are elegant and excellent perfect-match solutions to exactly that problem... and thus trying to solve that problem again within nostr is IMHO both pointless and futile. I made the list because people need to be aware that we are not providing this, because there are lots of privacy leaks, not because I think we can fix it within nostr. But I could be wrong and there are a lot of smart people in this community who might prove me wrong.
and thus trying to solve that problem again within nostr is IMHO both pointless and futile.
Hold my beer...
Another dimension to the privacy problem that's unrelated to encrypted messaging and IP leaks to various services is that of key management. This comes mostly from the "other stuff" use cases. For example, suppose a senator logs in with nostr to a porn site, linking his fetishes to his policy. We've seen this before, and it's always funny, but on nostr the faux pas would be more implicit on the user's end.
I have lots of ideas for addressing this, but none are easy. One is obviously to use different keys for different identities, but taking that to the extreme means one account per service, which eliminates interoperability and brings us back to the status quo. Another approach would be to obscure information about yourself and only share it selectively. This would require either an interactive protocol (request/response), zero knowledge proofs, or some kind of data custody service, all of which increase complexity a ton. I don't know that we need to actively solve this right now, but it's something to pay attention to. More thoughts here.
for a lot of IP hiding stuff we can use MASQUE. notedeck (and other clients) will allow you to load other peoples decks/feeds, so you will have some level of deniability if other people are querying your feed.
Slightly unrelated but I've come across this project, could any of the privacy concepts demonstrated within the NomadNet project be applied to Nostr in some way?
https://github.com/markqvist/NomadNet
@erskingardner I'm writing my talk today, I'm going to give an overview of this!