2024-01-21 03:29:54

hola on Nostr:

LONG POST Addressing Everything

(TLDR AT THE BOTTOM)

The problem is that this is HUGE PII. Imagine that everything you post is linked to a location that is almost where you live. Like, c'mon, imagine being in a surveillance state. That state knows you're using Nostr, but not what you post. They can spin up a malicious relay and track the location of every poster not using a VPN. They can specifically look at Chinese or Russian IPs to target a user. It is a terrible practice in general to have your IP linked to the personal info you might post. There are plenty of cases where criminals track social media posts to social engineer you; now they have your IP to craft an easier attack.

You will see people say your IP is public info, but this is worse on Nostr for a few reasons. In most cases, only your ISP and the website will have access to your IP. Like on Twitter and Mastodon/Bluesky, they will know your IP. No one knows your IP on Twitter besides Twitter and your ISP. On Mast/Blue, only the server you signed up to and your ISP will know your IP.

If a malicious server leaked a bunch of IPs, everyone would simply leave and defederate that server. It takes a very long time to build up your Mastodon server audience, and the operator would be throwing that away if they leaked everyone's IP. This is most likely rare on any servers that host more than 500 members, but users might be affected if they use an unknown server with around 30 members. A malicious ActivityPub server can fully track your IP and might abuse it, but the difference is that this is not easily open to the public.

Now on Nostr, anyone can spin up a relay. You do not know if it's malicious or not. A relay can end up being extremely popular to the point where everyone has added it. This is what happened here: we all blindly trusted that this relay was honest, and they ended up leaking everything. You cannot easily do this on Twitter or Mastodon because it will become extremely obvious that this person is leaking your IP.

We do not, and will still likely never, know which relay operator is leaking our IPs, and that is the most dangerous part. Rather than 1 or 2 providers we trust with our IP, we are now trusting 12-24 relays with our personal information.

The Nostr community needs to stop pretending that this isn't a gigantic issue and that this is the same as for any other website.

Like any social media, Nostr isn't perfect because of the number of servers we need to trust to get it working. Mastodon and Bluesky have the problem of trusting one operator (Bluesky fixes this by letting you switch easily).

TLDR: Your IP being public on Nostr is different from most websites. You entrust 12-24 relay providers with your IP, and any of them can be malicious. You are adding more and more parties to trust, and it isn't easy to verify that these are all trustworthy. If you have too few relays, you cannot access everyone's posts. This is a BIG problem on Nostr, and we need to address it and not pretend like it isn't an issue.

Nostr is a great platform and the best social media community I've ever been a part of, but I cannot in good faith tell my friends that they will be secure on this platform.

This took some time to make, so if you enjoyed reading or learned something new, please retweet or like so others can see ❣️

#ipleak #grownostr #coffeechain #bitcoin #gm
Author Public Key
npub1048g4wtvsl0zcku2pwumrle0hexl548uxvlg459mnjug6r6wje0qah6k5e