Solving the Nostr web clients attack vector

https://fiatjaf.com/6829ad8b.html

39•evanjrowley•5mo ago

Comments

evanjrowley•5mo ago

I did not create this article but was intrigued to see an attack vector for the Nostr protocol being highlighted.

RainyDayTmrw•5mo ago

See also: Zooko's triangle[1], a fundamental limitation and trade-offs for names.

[1]: https://en.wikipedia.org/wiki/Zooko%27s_triangle

paride5745•5mo ago

I’m confused.

What’s the point of the article?

How’s the author compromised by the Mossad?

What would the attack be?

hackernudes•5mo ago

The article is about accessing a service (nostr) through a hosted web app. The domain or server that is hosting the app could be compromised and serve a bad app.

Posts on nostr use a key pair so when you see a post from foo you know it's the same foo you knew from last week. Also, posts are shared to and stored on multiple independent servers (called relays).

A compromised app could serve you fake posts or censor stuff.

beefnugs•5mo ago

Seems like the age old ease of using a website, vs running your own copy of open source software after reading and understanding it in its entirety (unsolvable mess)

jazzyjackson•5mo ago

Agreed it’s not a great article because it expects the reader to have context and a little imagination, but last I checked what the nostrilfolk were up to it was typical for a web app to ask for your private key (Nsec) and you’re just supposed to trust that app to take actions on your behalf (why nostr isn’t a browser extension that simply signs transactions clientside I don’t know)

So the attack vector is you change what you do once you get a nostridumbass to enter their nsec, Mossad is just mentioned as a catchall for potential attackers.

evbogue•5mo ago

The specific attack is not being highlighted in this article. Are we worried about keypairs being stolen and used to push malicious messages to the network? Lightning wallets emptied? Direct messages being read?

mmmmbbbhb•5mo ago

I'd say this is the least of nostr's problems right now.

Teleop_xr – Modular WebXR solution for bimanual robot teleoperation

The Highest Exam: How the Gaokao Shapes China

Open-source framework for tracking prediction accuracy

India's Sarvan AI LLM launches Indic-language focused models

Show HN: CryptoClaw – open-source AI agent with built-in wallet and DeFi skills

ShowHN: Make OpenClaw respond in Scarlett Johansson’s AI Voice from the Film Her

CReact Version 0.3.0 Released

Show HN: CReact – AI Powered AWS Website Generator

The rocky 1960s origins of online dating (2025)

Show HN: Agent-fetch – Sandboxed HTTP client with SSRF protection for AI agents

Why there is no official statement from Substack about the data leak

Effects of Zepbound on Stool Quality

Show HN: Seedance 2.0 – The Most Powerful AI Video Generator

Ask HN: Do we need "metadata in source code" syntax that LLMs will never delete?

Pentagon cutting ties w/ "woke" Harvard, ending military training & fellowships

Can Quantum-Mechanical Description of Physical Reality Be Considered Complete? [pdf]

Kessler Syndrome Has Started [video]

Complex Heterodynes Explained

EVs Are a Failed Experiment

MemAlign: Building Better LLM Judges from Human Feedback with Scalable Memory

CCC (Claude's C Compiler) on Compiler Explorer

Homeland Security Spying on Reddit Users

Actors with Tokio (2021)

Can graph neural networks for biology realistically run on edge devices?

Deeper into the shareing of one air conditioner for 2 rooms

Weatherman introduces fruit-based authentication system to combat deep fakes

Why Embedded Models Must Hallucinate: A Boundary Theory (RCC)

A Curated List of ML System Design Case Studies

Pony Alpha: New free 200K context model for coding, reasoning and roleplay

Show HN: Tunbot – Discord bot for temporary Cloudflare tunnels behind CGNAT