Bashee Von Newmann on Nostr: The scheme relies on nip04 with an unpadded payload, meaning the encrypted length ...
The scheme relies on nip04 with an unpadded payload, meaning the encrypted length matches the plaintext. If a relay knows the Web Service API, it can potentially infer communication details. This risk is higher if using a relay without AUTH support—without it, anyone could analyze the traffic.
Replay attacks seem possible, allowing a relay to repeatedly trigger actions like "delete first item" until everything is gone.
Don't get me wrong—this is awesome technology, but it's not fully secure (yet?).
Published at
2024-08-15 13:24:31Event JSON
{
"id": "e6953ac23d778da6cea6373172d05ddaea7e0d16bf7cd91ddc05a84a93dff7fc",
"pubkey": "5b459807bf935ddc2f83405821bced1c8a05dfee7c80b000c337ba6bd0ad78ed",
"created_at": 1723728271,
"kind": 1,
"tags": [
[
"p",
"50d94fc2d8580c682b071a542f8b1e31a200b0508bab95a33bef0855df281d63"
],
[
"e",
"53087fec373112df4c3e5d1f1b1d228473b55f50125dd6bd3640f411cad2e5cd",
"wss://nostr.bitcoiner.social/",
"root"
]
],
"content": "The scheme relies on nip04 with an unpadded payload, meaning the encrypted length matches the plaintext. If a relay knows the Web Service API, it can potentially infer communication details. This risk is higher if using a relay without AUTH support—without it, anyone could analyze the traffic.\n\nReplay attacks seem possible, allowing a relay to repeatedly trigger actions like \"delete first item\" until everything is gone.\n\nDon't get me wrong—this is awesome technology, but it's not fully secure (yet?).",
"sig": "a9a3a8dce3fbcaf0824db4ce0faf50dd9ab3b01c527c5630b9bb151b1f9958751e936983dd951b6f078a34ffbb05eb125de5272fb1aca33d57c2bc4a771dfed5"
}
