Nostr hacker sitting at a laptop

Nostr is the latest in decentralized protocol advancement. By definition nostr is “a decentralized network based on cryptographic keypairs and that is not peer-to-peer, it is super simple and scalable and therefore has a chance of working”.

With all new protocols comes new security and privacy concerns that end users should be aware of in order to protect themselves, their information, and ultimately - their identity.

Findings

Private Keys

Most nostr impementations currently use a single signature private key generated inside the web browser. In order to use nostr based web applications users must copy and paste private keys into clients in plain text. If someone else obtains your private key, they can potentially access and take control of your nostr keypair and account.

Encrypted DM Metadata

While nostr offers the ability to send encrypted DMs to user pubkeys, the metadata of these messages are broadcast publicly via relays. This is the same as a bitcoin transaction being viewable on the public ledger. The contents of the direct message will be encrypted, but other metadata like the sender and recipient can be viewed by anyone.

Cross Site Scripting (XSS)

Cross-site scripting (XSS) is a type of cyber attack that involves injecting malicious code into a website or web application. This code is typically executed in the context of the affected website, allowing the attacker to perform a variety of malicious actions, such as stealing sensitive data, manipulating the website’s content or functionality, or redirecting users to malicious websites.

One way that XSS attacks can be introduced is through nostr notes and links. For example, an attacker could create a note that contains malicious code and share it via a relay. Since nostr is decentralized, anyone can choose to write a front end client that parses the malicious note for viewing. If a user is using a vulnerable client and clicks on the note their web browser may execute the code and the attack may be successful.

IP Address

Relay operators can see the IP address of a nostr user when a user adds and connects to their relay. An IP address is a unique numerical label assigned to every device connected to the internet, and it is used to identify and communicate with that device.

When a user connects to a relay, the relay can see the IP address of that device and use it to track and monitor its activity. Relay operators may use this information for various purposes, such as tracking user behavior, analyzing traffic patterns, and detecting and preventing security threats.

It is important for users to be aware of this, as a user IP address can reveal information about their location and online activity. IP addresses also provide attackers with a direct line to you for attack enumeration and vulnerability profiling.

Impersonation

Public and private keypairs function as both the authentication mechanism and identity of a user. As identity is not tied to a unique username, any user can generate a keypair and set their username and picture to anything they want. This can cause instances of fraud, identity theft, damage to reputation, and harassment.

Images and Media

Images and media content on nostr is generally hosted on servers remotely, as opposed to company servers that are controlled by an organizational entity. As such, any user may host and link content from servers they control. This can open up privacy concerns and information leakage.

In the process, the server can see your IP address and other information about your device, such as the type of browser and operating system being used. This information may be collected and stored by the server owner or operator for various purposes, such as tracking user behavior, analyzing traffic patterns, and targeting users with ads.

Pixel Tracking

Pixel tracking is a technique used by website owners and advertisers to track and collect information about users’ online behavior. It involves inserting small, transparent pixels, also known as web beacons, into images or other media on a nostr note or profile image.

When a user views the image or note containing the pixel, the pixel sends a request to a server to retrieve the image and record the user’s IP address and other information about the device, such as the type of browser and operating system being used.

EXIF Data

EXIF data, or Exchangeable Image File Format data, is metadata that is embedded in a photo or image file. This metadata can include information about the camera used to take the photo, the settings used, the date and time the photo was taken, and other details.

EXIF data can potentially compromise a user’s privacy in a number of ways. For example, if a user shares a photo on a nostr platform that includes their location data in the EXIF data, it may be possible for someone to determine the exact location where the photo was taken. EXIF data can also include personal information, such as the owner of the camera or the software used to edit the photo.

Defenses

Private Key Management

Extensions such as nos2x and Alby can help users to manage and store their private key material. This is currently the best solution while hardware wallet and signing device manufacturers incorporate further private key security, such as master keys, multi-signature schemas, and other key enhancements.

Use Tested Clients and Front Ends

To protect against XSS attacks, it is important for website and web application developers to implement proper input validation and sanitization, and for users to be cautious when clicking on links or interacting with unfamiliar content on nostr.

VPN and TOR

Users can use a virtual private network (VPN) and/or the onion routing (TOR) network to mask their IP address and encrypt their internet connection which helps protect privacy when connecting and interacting with relays, links, and content in notes.

Use Trusted Known Relays

Using known and trusted relays will help provide users with the conduit they need for interacting with nostr notes and events. Honeypot relays, ransomed notes/events, and information gathering relays will have a larger deployment footprint as the network grows and scales.

Users that require the utmost privacy will choose to run their own relays. Note that this may result in orphaned messages depending on the architecture and lifetime of the self-hosted relay.

Verify NIP-05

NIP-05 is a nostr improvement that maps nostr keys to DNS-based internet identifiers. This means that website and domain owners can provide a DNS record on their website which helps to confirm their identity. Various nostr clients and front ends will display NIP-05 verification status on user profiles which helps to provide a greater sense of confidence in user identity.

Note: this is not a be-all-end-all control as servers providing NIP-05 verification can be compromised. Paid services also exist providing NIP-05 verification and these services may use their own forms of (or no) identity verification.

Scrub Image EXIF Data

Users should be aware of the EXIF data that is included in the photos they share online and consider removing or obscuring this data if necessary. Users should also be aware of which image hosting sites scrub and remove EXIF data and which do not. Some photo editing software and smartphone apps allow users to remove EXIF data from photos before sharing them online.

Users should never be clicking unsolicited links posted in notes. Unsolicited links can result in off-client phishing attacks, malware downloads, and scams.

To protect against these types of attacks, it is important for users to be cautious when clicking on unsolicited links and to verify the identity and intent of the sender before interacting with the link.