I think it's worth knowing that the cryptography in Nostr appears to be a wreck. Here's a paper from EuroS&P this year, also presented at Black Hat on the crypto track:
* The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
* Two major clients, the mobile phone Damus app and the web Iris app, don't even verify signatures to begin with.
* DMs in this system are unauthenticated CBC, so attackers can simply bitflip messages and events to say what they want.
* The apps do automatic link-preview, so they've managed to reconstitute the EFAIL attack: attackers can locate links within messages (they'll be revealed by SNI and DNS anyways) and then bitflip them to point to attacker-controlled servers, exposing both the URLs (which will often contain tokens) and, with a bit of extra work, the message itself (by tacking `?foo=` onto a URL).
* There's no key separation in the system, so you can trick users into running a subprotocol other than the messaging system, then establishing a session key, which will then be used for messaging.
These are really basic errors; this is mid-aughts-level cryptographic engineering. There are probably a variety of other reasons to use Nostr, but end-to-end security does not appear to be one of them.
So, I was part of the Nostr community for quite a while and was the author of a popular Nostr extension for Safari, before eventually giving up on Nostr for various reasons.
I haven't read that entire paper. Mainly, I skipped to the section you mention here:
> The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
I think you and the authors perhaps misunderstand the Nostr protocol. Nostr is, effectively, an identity system tied to a public key. The cryptography is sound. Your identity is your public key. When you request a user's profile, or their events, you request it specifically by their public key. That is unforgeable (assuming no bugs in the implementation, like what the authors found in Damus).
This does present UX issues that can manifest as security issues, such as "how can you verify that a user with a certain public key is who they say they are instead of an impostor". That is a separate issue from whether the cryptography itself is sound.
Unfortunately this paper doesn't live up to its goal of being a cheap attack on Nostr.
The fact is that clients do verify signatures from events received from servers, that is in the protocol specification and should be obvious to anyone mildly honest.
The entire assumption of the paper is that clients don't do that and it is void. Yes, they did find a couple of clients 2 years ago that didn't verify signatures -- so much for a vulnerability in the protocol. I guess they wanted Nostr to have a code police arresting client developers who didn't finish their implementation?
Aside from that the attacks they demonstrated depend on a bunch of other absurd circumstances (like you have to manually and voluntarily type the URL of the attacker server in order to be attacked) but it's not even worth talking about them since the basic assumption is so completely false already.
The encrypted messages stuff is not even a core part of Nostr anyway, Nostr is a broadcasting protocol for public or semi-public content. Encryption can be added on top and there are multiple ways and proposals for how to do it, including an implementation of MLS and other methods and I personally mostly do not care about any.
I wish the paper authors were more honest and republished their work with the title: "the dangers of trusting a cryptographic signature without verifying it", but I imagine that it would have been too obvious and worthless if it was phrased like that.
> The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
This is completely nonsense, most clients do in fact check signatures. All relays do as well.
> Two major clients, the mobile phone Damus app and the web Iris app, don't even verify signatures to begin with.
Author of Damus here. This is an analysis of an old version. This has since been fixed. In the early days we connected to a fixed relay list of trusted relays. These relays verified signatures. This was just a pragmatic tradeoff thing until we had an optimized work queue for verifying notes (this led to nostrdb, a custom embedded nostr database built on LMDB; it's a sqlite but for nostr: https://github.com/damus-io/nostrdb).
> DMs in this system are unauthenticated CBC, so attackers can simply bitflip messages and events to say what they want.
Not really true, since the whole note is covered by a secp256k1 signature.
> The apps do automatic link-preview, so they've managed to reconstitute the EFAIL attack: attackers can locate links within messages (they'll be revealed by SNI and DNS anyways) and then bitflip them to point to attacker-controlled servers, exposing both the URLs (which will often contain tokens) and, with a bit of extra work, the message itself (by tacking `?foo=` onto a URL).
You can turn these off; you can turn off images as well. People should run a VPN, of course, if they are worried about these things.
The criticisms are either implementation dependent (not checking signatures, which defeats the entire purpose of the protocol), or based on a very early proof of concept encryption scheme which has since been superseded (by NIP 44, which was independently audited). There's nothing substantial or actionable here (any more).
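Since the exchange above turns on whether clients and relays actually verify event signatures, here is an added example (written for this edit; not code from the paper, Damus, nostrdb or any other project named in the thread) that performs the check end to end in pure Python: it computes the NIP-01 event id, signs it with a BIP-340 Schnorr signature over secp256k1 as Nostr events are signed, and then rejects an edited copy and a copy re-signed under another key when the client asked for a specific author. The curve arithmetic is a minimal textbook implementation and the secret keys 1 and 2 are toy values chosen for readability; nothing here is production-grade.

```python
import hashlib
import json
import secrets

# secp256k1 parameters: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    if p1 is None or p2 is None:          # None is the point at infinity
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p1 == -p2
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):                     # double-and-add; not constant-time, demo only
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def tagged_hash(tag, data):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def xonly(pt):
    return pt[0].to_bytes(32, "big")

def lift_x(x):                            # BIP-340: even-y point for an x-only key
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)        # square root, valid because P % 4 == 3
    if y * y % P != y_sq:
        return None                       # x is not on the curve
    return (x, y if y % 2 == 0 else P - y)

def schnorr_sign(msg32, seckey):
    pk = point_mul(seckey, G)
    d = seckey if pk[1] % 2 == 0 else N - seckey     # BIP-340 keys have even y
    aux = secrets.token_bytes(32)
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(tagged_hash("BIP0340/nonce", t + xonly(pk) + msg32), "big") % N
    R = point_mul(k, G)
    if R[1] % 2:
        k = N - k
    e = int.from_bytes(tagged_hash("BIP0340/challenge", xonly(R) + xonly(pk) + msg32), "big") % N
    return xonly(R) + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(msg32, pubkey32, sig64):
    pk = lift_x(int.from_bytes(pubkey32, "big"))
    r, s = int.from_bytes(sig64[:32], "big"), int.from_bytes(sig64[32:], "big")
    if pk is None or len(sig64) != 64 or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig64[:32] + pubkey32 + msg32), "big") % N
    R = point_add(point_mul(s, G), point_mul(N - e, pk))    # s*G - e*P must equal R
    return R is not None and R[1] % 2 == 0 and R[0] == r

def event_id(ev):
    """NIP-01 id: sha256 of the canonical JSON array [0, pubkey, created_at, kind, tags, content]."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode("utf-8")).hexdigest()

def sign_event(ev, seckey):
    ev = dict(ev, pubkey=xonly(point_mul(seckey, G)).hex())
    ev["id"] = event_id(ev)
    ev["sig"] = schnorr_sign(bytes.fromhex(ev["id"]), seckey).hex()
    return ev

def verify_event(ev, expected_author=None):
    """The check a client or relay must run on every received event."""
    try:
        if ev["id"] != event_id(ev):          # content/tags/kind were edited after signing
            return False
        if not schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]),
                              bytes.fromhex(ev["sig"])):
            return False                      # signature does not match the event's own pubkey
        return expected_author is None or ev["pubkey"] == expected_author
    except (KeyError, TypeError, ValueError):
        return False

def demo():                                   # (honest, edited, re-signed) verdicts for a client asking for Alice
    note = {"created_at": 1700000000, "kind": 1, "tags": [], "content": "hello nostr"}
    good = sign_event(note, 1)                      # seckey 1 = Alice; toy key, demo only
    edited = dict(good, content="hello nostr, send coins")   # id no longer matches
    resigned = sign_event(good, 2)                  # seckey 2 = Mallory: valid sig, other identity
    return tuple(verify_event(e, good["pubkey"]) for e in (good, edited, resigned))
```

Note that `verify_event(resigned)` without `expected_author` returns True: the re-signed copy is a well-formed event, just not from the author the client asked for, which is exactly the distinction the replies above draw between "forging a signature" and "publishing under a different key".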
Why is this the first time that I came across these issues? Someone should talk about these issues ASAP.
What federated platform might be the more secure, though, protocol-wise: Bluesky (AT Protocol) or the fediverse?
A big misconception I've seen is the assumption that Nostr relays are federated and share messages between one another. This is not how it works. So if you're building a "Twitter clone" the client app must search multiple relays and post to multiple relays. If clients are not using a relay in common they cannot see one another.
The end result is a bad experience for both user and developer. Using a single relay is centralised and defeats the point. Using multiple relays is slow and cumbersome and requires the user to know/care which relays they are connecting to.
When I played with Nostr a couple years ago the "NIPs" were already a complete mess. Later NIPs supersede earlier NIPs changing how clients are supposed to interpret messages. At least some are flagged as "unrecommended: deprecated" now.
Relays can federate. The point is that Nostr as a protocol is saying nothing about this and does not care either.
I'm running an indexer (a relay) which federates with other relay indexers, similar to how ActivityPub relays work. Any client can connect to the indexer to help with bootstrapping and find metadata around events. There are many ways for clients to discover stuff even without being connected to the same relay.
This is a valid observation and hurdle of sorts. One to me, which is a fascinating problem to work on.
There are a few approaches to solve this. For instance NIP65, where one defines on their profile meta which relays they read/write to, giving clients the ability to discover all the right content. That's just one approach, and some are exploring other ideas. It seems like a very solvable problem anyway.
That's a misconception: you don't "use" relays (in the sense that you don't have to have a static list of relays you always use), you write to relays. When reading, you connect to the relays of whoever you want to read from.
Some apps indeed use this method of selecting a static set of relays, and if that was the protocol you would be correct about centralization or bloat, but this is legacy from a naïve unfinished early implementation, most apps do the correct thing now and the rest is transitioning.
Why can't these projects separate the use-cases from philosophies and from implementation when presenting them?
At first glance I don't understand what this is. Is it a social network? A protocol? "Pro-censorship"? I need to read some blog article...
It's been like this with Scuttlebutt/gossip, and the rest of the alternative internet/fediverse with Mastodon and ActivityPub and Diaspora. Instead of asking questions like "How is this different than email? How does it compare to Twitter?", I have to start with "What am I looking at? A technical implementation or a product? Is it a website or an app? What am I supposed to do with this?"
There's also Urbit, which I'm sure not a single one of you can explain exactly what it is.
It's not as bad as "Web3", I'll give it that.
Bluesky got it right.
So did gemini to some extent.
Nostr is essentially a compromise between p2p and traditional web architectures. It cuts with the grain of the internet by using web servers, while reducing the dependence users have on servers by using keys for identity and digital signatures for authenticating data.
The effect is that users have "credible exit" (among other things), which has been discussed for years. This doesn't really create any new "use cases", which is why the use case is often described as "whatever, it's the new internet".
What it does do is introduce a very different set of trade-offs which favor user control over platform control (with the attendant UX trade-offs (or at least a different set of UX idioms)).
The reason the focus is on social is because that represents the majority of applications that do exist, the original motivation for building the protocol, and a value proposition (censorship resistance) that lots of people can relate to.
My "apolitical" shirt has people asking a lot of questions already answered by my shirt. What an odd word to use in the first sentence of your product description, which also includes the word "open", an inherently political concept in this context.
Did/does Nostr have some cryptocurrency connection or am I thinking of something else?
They explicitly don't have a "nostr coin" or do anything "on chain" which I applaud them for especially since the Venn Diagram of Nostr and the crypto community is basically a circle.
I concur, and "apolitical" is probably not the best word. I think it is an attempt to convey that the platform can't ban people. It is resistant to infrastructure censorship. Here is an example specific use case:
My back-burner idea: the equivalents of Nostr relays, Mastodon instances, Discord servers, etc. needs to be self-hostable in client apps for decentralized social media to work.
Not only did classical P2P software do exactly this, it worked/works beautifully. The only reason classical P2P software did not work and did not replace the WWW as the application was piracy prosecutions that make users responsible for hosting data with unknown content, which would later be revealed to have been pirated content that the user would be criminally responsible for, à la illegal substances through airport checkpoints.
That's bad, both the fact that users' passive actions are incriminating, and substances too. So the next-gen P2P would have to have plausible logging content filters, such as AI-based CP and Hollywood detectors, that would stop relaying of such content so that users can defend themselves in criminal courts. Or the systems could also be in-circle specific, so nothing of value is lost if everyone in a terrorist group were prosecuted together, though I imagine that could hamper network growth.
But fundamentally, I think the model has to be that all clients are also servers. That's the best way to decentralize a social media.
This is cool but P2P doesn't work. Iroh also relies on "relays" in a sense. Nostr makes that explicit and gives relays identities so they can freely enact policies instead of having to hack that in weird ways.
Glad to see Nostr on top of HN. It is in its infancy, but Nostr allows for "zapps" (basically sending instant micropayments via bitcoin-lightning) - so instead of using ads and dubious algorithms, you can show your appreciation to content creators by small payments. This is a model for an ad-free, decentralized social media system.
I almost want to sign up now because I read comments like this and it sounds abhorrent and stupid, but then I go click explore on the actual page, and the first page of stuff I see is people actually making and selling real stuff. Sure, they take payment in Bitcoin, but they're selling ghee and cacao and there's a community of people interested in alternative schooling. It's not "I'll show you my diary and you pay me for it" that you're describing here. Real goods and services, not "content."
Even if you don't use Nostr as a microblogging social network, it can provide a useful layer. For example Trystero https://oxism.com/trystero (MIT licensed) can use it to establish P2P WebRTC connections without requiring a central server.
That's cool. I have been thinking of using Nostr, BitTorrent DHT and Mastodon as a censorship-resistant multi-channel redundant broadcast beacon. All methods must go down before your nodes can't find each other anymore.
This is very interesting. In a similar vein, I was wondering a while ago if either Nostr or ATProto could potentially work as part of a peer-to-peer instant messaging system, specifically as a way to have persistent storage and offline messaging. (But using it to establish connections is pretty clever, too.)
Wow, this is amazing. I was thinking about whipping up something similar for my own project, but glad that someone had the same problem before. Saved me some time.
Something I don’t quite get about these new social networks that are clearly aimed at technical people: my model of a truly decentralized social network is more like a network of privately hosted personal websites, à la the original web. Not yet another platform I need to make an account to interact on separately.
Have there been any attempts to make more of a “network” that incentivizes operating personal websites but adds a mechanism for typical social media features like chat, a feed, etc. in a centralized way? The only thing I can think of is RSS, and that is only a way to follow content publication.
Some people say that labeling yourself apolitical is (1) a political statement, (2) a privilege itself, which puts you into a certain socio-political position.
Last time I tried navigating the Nostr ecosystem I found their Twitter-equivalent platform and it was full of people posting about cryptocurrencies and other topics that weren't of particular interest to me.
Are there any major figures of interest primarily participating on any Nostr platform? Or is there any kind of uniquely interesting content that is being primarily produced and shared on Nostr?
I've revisited this idea/protocol a few times and still have my doubts:
* is there even a need for it? I would say that most people are quite happy with centralized platforms; I don't see it changing anytime soon (why?)
* wouldn't we end up in the centralized world anyways? Even though there could be multiple NOSTR clients and relays, we all know how network effect works - people will flock to a single or a few best ones; does it really change the situation that we have today - a few centralized platforms?
* I don't see clear incentives in this protocol that would improve current social media landscape - granted that I don't particularly like current ads/sell your attention model
I am not sure that having a protocol like this is better than having a few centralized platforms (today's situation), not to even mention the technical challenges and worse user experience that NOSTR brings.
I still don't understand how Nostr would behave in this hypothetical scenario - a bad actor creates 100k key pairs (via residential proxies) and posts 10 LLM-generated replies to each new post. Who would fight with that wave of spam exactly and how?
Hope this doesn't come across as rhetorical, it's a genuine question!
Nostr users, how does this differ in your experience from Mastodon? At first glance it seems like the same idea but with the extra ingredient of blockchain, I'm not sure what this adds though, anonymity?
I've tried to use it many times, through Damus on iOS, but it's littered with dead and abandoned projects, and an alternative UI that worked one day will just be gone later.
In the end the content I was seeing there was almost exclusively about Nostr and crypto, so it wasn't that interesting to keep using it.
It would be cool if you could somehow form chains of trust with this, maybe even with links to other social media, where you could "follow other people that this guy has vetted". I want my social media censored and curated, but I want to choose my own censors and curators.
Nostr actually has web of trust (WoT) implementations. I think Coracle has this and some others. Nostur even lets you specify how far you want your web of trust to reach. Pretty cool stuff!
There is the concept of Data Vending Machines (DVMs) and curated follow lists now.
There’s also work on a Web of Trust in some clients that filters notes from people that don’t meet the WOT score. It’s essentially a weighted score based on who you follow and who they follow
The issue with all of these open social protocols is that they fail to grasp that they are built for entertainment, and hence the modulated emotional reactions are a feature, not a bug.
Don't know much about Nostr, but wondered, re the spam problem, if it would make sense to introduce the idea of proof-of-work for the identities? A quick search shows that they have optional PoW proposals for notes (i.e., individual posts), but I didn't see anything about PoW for identities.
People could spend $1, or $5, or $50 of compute for an identity, and others could use the cost of the identity as a filter. Having a $5 ID put on a blacklist would make poor behavior of any sort more costly.
Identity on nostr is just a public/private keypair.
You can enhance that identity by sending a kind0 (metadata) note with your name, bio, pictures. So I guess your suggestion is to add PoW for kind0 events, which is covered by NIP13 too.
Yes, that makes sense and that can be used later by relays and clients in order to decide whether to store or display notes from identities. In fact that's a pretty good idea.
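To make the NIP-13 idea in the exchange above concrete, here is an added example (written for this edit; not code from any Nostr relay or client, and the kind 0 event body and its pubkey are constructed placeholders, not a real key) that mines a `["nonce", "<nonce>", "<target>"]` tag for a metadata event and then applies the filter a relay or client would: recompute the id rather than trusting the one on the wire, check the achieved leading-zero bits, and check the committed target, so an event mined for a low target that got lucky is still rejected. Signature verification is assumed to happen separately.

```python
import hashlib
import json

def event_id(ev):
    """NIP-01 id: sha256 over the canonical JSON array [0, pubkey, created_at, kind, tags, content]."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode("utf-8")).hexdigest()

def difficulty(hex_id):
    """NIP-13 difficulty: number of leading zero bits of the 256-bit event id."""
    return 256 - int(hex_id, 16).bit_length()

def committed_target(ev):
    """Target the author committed to in the ["nonce", "<nonce>", "<target>"] tag, or None."""
    for tag in ev.get("tags", []):
        if len(tag) >= 3 and tag[0] == "nonce" and tag[2].isdigit():
            return int(tag[2])
    return None

def mine(ev, target, max_iters=1 << 22):
    """Publisher side: grind the nonce tag until the id has >= target leading zero bits."""
    base_tags = [t for t in ev["tags"] if t[:1] != ["nonce"]]
    for nonce in range(max_iters):
        cand = dict(ev, tags=base_tags + [["nonce", str(nonce), str(target)]])
        cand["id"] = event_id(cand)
        if difficulty(cand["id"]) >= target:
            return cand
    raise RuntimeError("no nonce found within max_iters")

def meets_pow_policy(ev, min_difficulty):
    """Relay/client side. The id must be genuine, the achieved difficulty must reach the
    minimum, AND the committed target must reach it too: that last check is what lets a
    filter reject an event mined for a low target that happened to get extra zero bits."""
    try:
        if ev["id"] != event_id(ev):
            return False
        target = committed_target(ev)
        return (target is not None and target >= min_difficulty
                and difficulty(ev["id"]) >= min_difficulty)
    except (KeyError, TypeError, ValueError, AttributeError):
        return False

# Constructed kind 0 (metadata) event body; the pubkey is a placeholder, not a real key.
PROFILE = {
    "pubkey": "ab" * 32, "created_at": 1700000000, "kind": 0, "tags": [],
    "content": json.dumps({"name": "demo", "about": "constructed profile"}),
}

def demo(target=12):
    """Returns (mined event accepted at its target, same event at a stricter minimum,
    unmined profile at the target): expected (True, False, False)."""
    mined = mine(PROFILE, target)
    unmined = dict(PROFILE, id=event_id(PROFILE))
    return (meets_pow_policy(mined, target),
            meets_pow_policy(mined, target + 8),
            meets_pow_policy(unmined, target))
```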
tptacek | 6 months ago
https://eprint.iacr.org/2025/1459.pdf
The vulnerabilities here are pretty :yikes:
ursuscamp | 6 months ago
fiatjaf | 6 months ago
jb55 | 6 months ago
irq-1 | 6 months ago
https://hellonostr.dev/en/introduction/
The encoding seems to have an unmentioned/unaddressed version number included, both in the nostr doc and the bitcoin docs.
npub1abcxyz... is npub (header) 1 (version) abcxyz... (key)
Now take a look at the doc (linked above.)
jonstaab | 6 months ago
Imustaskforhelp | 6 months ago
dbushell | 6 months ago
sebastix | 6 months ago
t1E9mE7JTRjf | 6 months ago
fiatjaf | 6 months ago
lxe | 6 months ago
jonstaab | 6 months ago
baobun | 6 months ago
rgreeko42 | 6 months ago
itslennysfault | 6 months ago
tegiddrone | 6 months ago
https://how-nostr-works.pages.dev/
I find that example pretty humorous... Damn, what kind of controversy is Pamela spreading?
I like it but feel nervous that there is synergy with the bitcoin space. Hype and validation are thick in that space.
skeptrune | 6 months ago
Retinal7467 | 6 months ago
numpad0 | 6 months ago
woile | 6 months ago
https://www.iroh.computer/docs/concepts/relay
fiatjaf | 6 months ago
sak5sk | 6 months ago
digitalbase | 6 months ago
https://asknostr.site/
I hope this demonstrates how a distributed social protocol can solve many use cases and the advantage to the end-user:
- do not get rugpulled by (VC backed) companies that own your data
- receive zaps/money by contributing
- data is truly available to everyone (but signed by author)
littlecranky67 | 6 months ago
nonameiguess | 6 months ago
throwaway290 | 6 months ago
Nostr has existed for at least 5 years. I remember people migrating there and promoting it on Twitter during the pandemic. Infancy?
anon1395 | 6 months ago
stillsut | 6 months ago
We've been hosting some bounties like this one here: https://app.lightningbounties.com/issue/615dc5f7-ed91-4ecd-8...
Tepix | 6 months ago
scirob | 6 months ago
jchw | 6 months ago
zenmac | 6 months ago
Can this forgo needing the STUN/TURN server? If this is the case then it is huge!
vincnetas | 6 months ago
keiferski | 6 months ago
thrownawaysz | 6 months ago
TheAceOfHearts | 6 months ago
BinaryIgor | 6 months ago
iberator | 6 months ago
AFAIK Freenet is the only truly resilient anonymous network that has lasted 20+ years without literally a single successful attack by a state actor.
It's like RAID over the internet over encryption with global replication of data. Amazing project for a PhD thesis lol
1: https://en.m.wikipedia.org/wiki/Hyphanet
r721 | 6 months ago
benrutter | 6 months ago
dewey | 6 months ago
Ambolia | 6 months ago
sak5sk | 6 months ago
HuwFulcher | 6 months ago
zenmac | 6 months ago
philip1209 | 6 months ago
gwd | 6 months ago
digitalbase | 6 months ago
fiatjaf | 6 months ago