We also show how a lack of signature checks in many clients—whether due to outright skipped verification
Afaik, Primal is guilty of this. Their client does not verify signatures.
That seems bad. In my ignorance, does this mean someone could post a note claiming to be x npub without having the private keys to x npub?
No, their client only connects to their own server by default and the server crawls relays and caches notes. I assume they verify signatures there.
The problem is that Primal controls the server so they could fake notes from anyone.