2024-06-07 00:15:59
Aspie96 on Nostr:

> Security, not so much, lol.

Nostr is pretty secure in a way that traditional social media aren't.
When you fetch a tweet from Twitter, or a post from Facebook, you are *trusting* that neither Elon nor Zuck has compromised the content of the message.
They *probably* wouldn't do it, but from a technical perspective they absolutely could.
If you fetch a post on Nostr, you know it actually has been published by someone who knows the private key of that public key. This is cryptographically proven and there is nothing relays can do to modify the content of messages.

> If I understand correctly, anyone can log in as anyone else with their pubkey, but it’s read only.

Not really.
Nostr has no concept of "logging in". It's a protocol, and authentication is only mentioned in some optional and marginal features.
Clients, such as noStrudel, but also others, may (and typically do) implement a "log in" function.

You cannot log in with someone's public key, in a meaningful sense. What you can do is fetch events by public key. This isn't a security bug, this is exactly the expected behavior, by design.
Clients may call this "log in", but it's not really something only the actual owner of the key is supposed to be doing. Fetching events is something you are supposed to be able to do, be it through a client, through a command line, or by manually using the protocol.

> Allowing people you have blocked to continue following you or allowing anyone to stalk your account using your pubkey, is creepy AF and should also be addressed.

It is not addressed on traditional social media (users can just create another account) and it cannot be addressed on Nostr.
Nostr clients aren't meant to limit what users do in any way whatsoever. That's because any user can make their own client. You *never* trust others' clients to behave in a certain way. You control your own client and others control theirs.
Events on Nostr, of all kinds, are public. Anyone can fetch them from relays.

Blocking people on social media is not a form of IT security and the illusion that it can be is, if anything, a mild security threat.
Nostr has no concept of "blocking".
It does have mutes, but this only means you choose to not see messages published by a certain user. You can also choose to not see messages published in 2023, messages that contain the word "word" or messages that are above a certain length.

The protocol specifies none of this; it's just something at the client level, not really part of Nostr itself. And, as I said, you control what your client does.
Author Public Key
npub13mjzjryckg9jnxgn3vez73nw5gx82cy0269t2083zjftlxewsjwqny8hs2