Solving the Nostr web clients attack vector

https://fiatjaf.com/6829ad8b.html

39•evanjrowley•5mo ago

Comments

evanjrowley•5mo ago

I did not create this article but was intrigued to see an attack vector for the Nostr protocol being highlighted.

RainyDayTmrw•5mo ago

See also: Zooko's triangle[1], a fundamental limitation and trade-offs for names.

[1]: https://en.wikipedia.org/wiki/Zooko%27s_triangle

paride5745•5mo ago

I’m confused.

What’s the point of the article?

How’s the author compromised by the Mossad?

What would the attack be?

hackernudes•5mo ago

The article is about accessing a service (nostr) through a hosted web app. The domain or server that is hosting the app could be compromised and serve a bad app.

Posts on nostr use a key pair so when you see a post from foo you know it's the same foo you knew from last week. Also, posts are shared to and stored on multiple independent servers (called relays).

A compromised app could serve you fake posts or censor stuff.

beefnugs•5mo ago

Seems like the age old ease of using a website, vs running your own copy of open source software after reading and understanding it in its entirety (unsolvable mess)

jazzyjackson•5mo ago

Agreed it’s not a great article because it expects the reader to have context and a little imagination, but last I checked what the nostrilfolk were up to it was typical for a web app to ask for your private key (Nsec) and you’re just supposed to trust that app to take actions on your behalf (why nostr isn’t a browser extension that simply signs transactions clientside I don’t know)

So the attack vector is you change what you do once you get a nostridumbass to enter their nsec, Mossad is just mentioned as a catchall for potential attackers.

evbogue•5mo ago

The specific attack is not being highlighted in this article. Are we worried about keypairs being stolen and used to push malicious messages to the network? Lightning wallets emptied? Direct messages being read?

mmmmbbbhb•5mo ago

I'd say this is the least of nostr's problems right now.

Private Inference

Font Rendering from First Principles

Show HN: Seedance 2.0 AI video generator for creators and ecommerce

Wally: A fun, reliable voice assistant in the shape of a penguin

Rewriting Pycparser with the Help of an LLM

Lobsters Vibecoding Challenge

E-Commerce vs. Social Commerce

Avoiding Modern C++ – Anton Mikhailov [video]

Show HN: AegisMind–AI system with 12 brain regions modeled on human neuroscience

Zig – Package Management Workflow Enhancements

AI-powered text correction for macOS

AppSecMaster – Learn Application Security with hands on challenges

Fibonacci Number Certificates

AI Overviews are killing the web search, and there's nothing we can do about it

City skylines need an upgrade in the face of climate stress

1979: The Model World of Robert Symes [video]

Satellites Have a Lot of Room

1980s Farm Crisis

Show HN: FSID - Identifier for files and directories (like ISBN for Books)

Show HN: Holy Grail: Open-Source Autonomous Development Agent

Show HN: Minecraft Creeper meets 90s Tamagotchi

Show HN: Termiteam – Control center for multiple AI agent terminals

The only U.S. particle collider shuts down

Ask HN: Why do purchased B2B email lists still have such poor deliverability?

Show HN: Remotion directory (videos and prompts)

Portable C Compiler

Show HN: Kokki – A "Dual-Core" System Prompt to Reduce LLM Hallucinations

Software Engineering Transformation 2026

Microsoft purges Win11 printer drivers, devices on borrowed time

Lunch with the FT: Tarek Mansour