calle 👁️⚡👁️ on Nostr: NWS works with and without encrypted transport. There are lots of different flavors ...
NWS works with and without encrypted transport. There are lots of different flavors to explore.
When used without encryption, the entry node must be run by the user themselves because public entry nodes would be able to listen in otherwise. Two options in those cases: run the entry node locally in tandem with your (unmodified) client, or skip the entry node and modify the client so that data is sent through nostr to the exit node directly (the client is the entry node).
When used with encryption, the entry node can also be public. If the encryption doesn't rely on certificate authorities, it just works. You have to make sure you're talking to the right person, but that problem is as old as computer science. For example, ssh will ask you to confirm the fingerprint of the server when you connect.
If the encryption is https and the certificate was issued for a normal domain, your browser will complain (do you trust this website?) and the user will have to say "let me pass, even if insecure". Without ugly hacks (issuing your own root cert for example), I don't know ways to circumvent this. Note that Tor services don't support https and they don't have to since transport is always Sphinx-encrypted (even hidden from the entry node).
How do you make sure you're talking to the right server if you use https? Couldn't the entry node just send your traffic somewhere else? We can actually do something that is unique to Nostr here: the exit node can publish its own TLS certificate on nostr and sign it. That's right, you don't need an authority to do that for you if you remain within the NWS system. Clients can fetch the cert from nostr before talking to the entry node and verify against that cert.
Here is another cool part that we haven't talked about yet: the exit node can also be configured to reach the global Internet and not only a local service (we call this NWS v2). In those cases, NWS can be used a bit like a VPN. You can type "https google dot com" in your browser and your encrypted traffic would flow from your machine to the entry node, to the exit node, then to Google and back to you. In those cases, nobody complains about the certificate because everything is fine.
Exciting shit. Gm.
Published at 2024-07-23 07:02:07
Event JSON
{
"id": "9771f9da93a19354b262e670bf8169a797179adb67ad33a0c71889d8cd2b1968",
"pubkey": "50d94fc2d8580c682b071a542f8b1e31a200b0508bab95a33bef0855df281d63",
"created_at": 1721718127,
"kind": 1,
"tags": [],
"content": "NWS works with and without encrypted transport. There are lots of different flavors to explore. \n\nWhen used without encryption, the entry node must be run by the user themselves because public entry nodes would be able to listen in otherwise. Two options in those cases: run the entry node locally in tandem with your (unmodified) client, or skip the entry node and modify the client so that data is sent through nostr to the exit node directly (the client is the entry node).\n\nWhen used with encryption, the entry node can also be public. If the encryption doesn't rely on certificate authorities, it just works. You have to make sure you're talking to the right person, but that problem is as old as computer science. For example, ssh will ask you to confirm the fingerprint of the server when you connect.\n\nIf the encryption is https and the certificate was issued for a normal domain, your browser will complain (do you trust this website?) and the user will have to say \"let me pass, even if insecure\". Without ugly hacks (issuing your own root cert for example), I don't know ways to circumvent this. Note that Tor services doen't support https and they don't have to since transport is always Sphinx-encrypted (even hidden from the entry node).\n\nHow do you make sure you're talking to the right server if you use https? Couldn't the entry node just send your traffic somewhete else? We can actually do something that is unique to Nostr here: the exit node can publish its own TLS certificate on nostr and sign it. That's right, you don't need an authority to do that for you if you remain within the NWS system. Clients can fetch the cert from nostr before talking to the entry node and verify against that cert. \n\nHere is another cool part that we haven't talked about yet: the exit node can also be configured to reach the global Internet and not only a local service (we call this NWS v2). In those cases, NWS can be used a bit like a VPN. You can type \"https google dot com\" in your browser and your encrypted traffic would flow from your machine to the entry node, to the exit node, then to Google and back to you. on those cases, nobody complains about the certificate because everything is fine.\n\n\nExciting shit. Gm.",
"sig": "d0db9c93838ee0622ac27fbcb5ca966112114c66f7d360c1a838d0a8a5e245312fb416b9f270e339579f871ed34ceb5c8bd3979247364111514b072f9502f9de"
}
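The certificate-pinning idea in the post above (the exit node publishes its own self-signed TLS certificate in a Nostr event it signs; the client fetches that certificate before talking to the entry node and verifies the TLS leaf it is handed against it) is shown below as an added example in Go. This is not NWS's code or the author's. The exit host name exit.nws.example, the placeholder pubkey used in the test and the use of kind 1 for the announcement event are assumptions; the BIP-340 Schnorr signature over the event id is left out because Go's standard library has no secp256k1, and the TLS handshake itself is not run here, the verification callback is exercised directly on DER bytes.

```go
package main

// Added illustration of pinning a Nostr-published exit-node certificate.
// Not NWS code; host names, kinds and keys used with it are placeholders.
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedExitCert builds the exit node's self-signed leaf (DER) for the
// host name the client will pin it to. No certificate authority is involved.
func SelfSignedExitCert(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprint is the SHA-256 of a DER certificate: the value the client pins.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// FingerprintFromPEM is what the client runs on the certificate it fetched
// from the exit node's Nostr event, before it opens the TLS connection.
func FingerprintFromPEM(pemCert []byte) (string, error) {
	block, _ := pem.Decode(pemCert)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("event content is not a PEM certificate")
	}
	return Fingerprint(block.Bytes), nil
}

// NIP01EventID is the Nostr event id: SHA-256 over the compact JSON array
// [0, pubkey, created_at, kind, tags, content]. The exit node signs this id
// with BIP-340 Schnorr (needs a secp256k1 library, omitted here). Pass
// tags as [][]string{} (not nil) so they serialize as [] rather than null.
func NIP01EventID(pubkey string, createdAt int64, kind int, tags [][]string, content string) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // NIP-01 forbids escaping '<', '>' and '&'
	if err := enc.Encode([]any{0, pubkey, createdAt, kind, tags, content}); err != nil {
		return "", err
	}
	sum := sha256.Sum256(bytes.TrimSuffix(buf.Bytes(), []byte("\n")))
	return hex.EncodeToString(sum[:]), nil
}

// PinVerifier is the client's VerifyPeerCertificate callback. The leaf the
// entry node relays must hash to the pinned fingerprint, be inside its
// validity period and be issued for the expected exit host; otherwise the
// handshake is aborted and a substituted certificate never sees traffic.
func PinVerifier(expectedFP, host string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no certificate presented")
		}
		if got := Fingerprint(rawCerts[0]); got != expectedFP {
			return fmt.Errorf("leaf fingerprint %s does not match pinned %s", got, expectedFP)
		}
		cert, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("parse pinned certificate: %w", err)
		}
		if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return errors.New("pinned certificate is outside its validity period")
		}
		return cert.VerifyHostname(host)
	}
}

// PinnedClientConfig wires the pin into crypto/tls. InsecureSkipVerify only
// disables the CA-chain check; VerifyPeerCertificate still runs and is the
// whole of the authentication, so a bug in it leaves the connection unverified.
func PinnedClientConfig(expectedFP, host string) *tls.Config {
	return &tls.Config{
		ServerName:            host,
		MinVersion:            tls.VersionTLS12,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: PinVerifier(expectedFP, host),
	}
}
```

Two caveats follow from this design. The pin is only as trustworthy as the Nostr event it came from, so the client has to check the event's Schnorr signature against the exit node's pubkey it already knows, otherwise a relay (or the entry node) could publish a certificate of its own; this is the same "are you talking to the right person" problem the post compares to ssh fingerprints. And because the client pins a fingerprint rather than a CA, rotating the exit node's certificate means publishing a new event and having clients re-fetch it before the old one expires.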