cloud fodder on Nostr: Ya the thing is, you don't need to trust relays, you get a message from them and you ...
Ya the thing is, you don't need to trust relays, you get a message from them and you verify the sig. Case closed. All the relay can do is send or not send, accept your event or not accept. Even if the relay has a man in the middle it doesn't matter, the sig won't match if there is any tampering.
BUT without signature validation this all goes out the window and we are back to square one. I am very surprised by this and I just looked at Amethyst code and I don't see it checking either.. 🤯 doesn't take much imagination to see how easy it would be to fool the masses during this adoption phase and assume anyone's identity.
The web clients, they gotta be checking this right?!... Guess it's not very sovereign of me to not be aware of this, not read the code, and just assume it's a basic Nostr principle in all clients to check sigs. Got some catch-up to do..
Published at 2023-02-15 00:40:34
Event JSON
{
"id": "0869efd4a91f31fe1468b4bf71b632c399760fe72a2964e0657bfbb475590624",
"pubkey": "7cc328a08ddb2afdf9f9be77beff4c83489ff979721827d628a542f32a247c0e",
"created_at": 1676421634,
"kind": 1,
"tags": [
[
"e",
"909f741bf7ff4463466093f42c9a805672308d63442092baf211bc182b89355b"
],
[
"e",
"9bad60869763e3a0a93cd0fbe1dbe9d3f01f5db57311aad15efc57587abee0d2"
],
[
"e",
"c05171aa58ed1dc5d087ac1e05e6002839e949283b72fa2db67891d4132c2b13"
],
[
"p",
"15e727b91083770e2ac6136f1caa3ec6e5a8206de515cbc41509017f3d21acd6"
],
[
"p",
"7cc328a08ddb2afdf9f9be77beff4c83489ff979721827d628a542f32a247c0e"
],
[
"p",
"32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245"
],
[
"p",
"7cc328a08ddb2afdf9f9be77beff4c83489ff979721827d628a542f32a247c0e"
],
[
"p",
"82d70f9685eabec271201bacd1fc1941e9686a9bf2b686c381a5b662f60002b1"
]
],
"content": "Ya the thing is, you don't need to trust relays, you get a message from them and you verify the sig. Case closed. All the relay can do is send or not send, accept your event or not accept. Even if the relay has a man in the middle it doesn't matter, the sig won't match if there is any tampering.\n\nBUT without signature validation this all goes out the window and we are back to square one. I am very surprised by this and I just looked at amethyst code and I don't see it checking either.. 🤯 doesn't take much imagination to see how easy it would be to fool the masses during this adoption phase and assume anyone's identity.\n\nThe web clients, they gotta be checking this right?!... Guess it's not very sovereign of me to not be aware of this, not read the code, and just assume it's a basic nostr principle in all clients to check sigs. Got some catch-up to do..",
"sig": "bdcc8d9249591b58985781ca78ad272d3bff4996c28f68abdf5530ca2bb6e8bcea15d2f35fcd86f82fd3470b9b379d799cda130080794addbbfed904c79f104a"
}