reply on: Not in The Prophecies: Practical Attacks on Nostr \ stacker news ~nostr

pull down to refresh

100 sats \ 5 replies \ @ek OP 7 Aug \ on: Not in The Prophecies: Practical Attacks on Nostr nostr

If I understand this right, this doesn't allow you to recover the plaintext for any message. It must be a link or not contain any whitespace.

It works by changing the first encrypted block of a message into a link to the attacker's server, and when the recipient's client fetches the link preview, it appends the rest of the message to the URL, but only up to the next whitespace.

Cool, but not arbitrary plaintext recovery afaict

100 sats \ 4 replies \ @optimism 7 Aug

This only works when message signature isn't verified?

100 sats \ 3 replies \ @ek OP 7 Aug

Mhh, good point, I would think so

But if the client uses cache-after-verify, then it won't verify the signature again for the same event id

100 sats \ 2 replies \ @optimism 7 Aug

Based on my understanding of NIP-59, the correct approach for unwrap, unseal, render would be:

Check the sig on the kind 1059 (and the p tag), if no match against the given pubkey then discard because it's spoofed.
Decrypt the content of the kind 1059, this results in a json string of a kind 13 and not an url.
Check pubkey to be a known sender and then the sig on the decrypted kind 13 message to match that key, if no match then then discard ¹ - you now have authenticated the entire message including pubkey and content to be from a known contact.
Decrypt the sealed kind n (often kind 14) from the previously decrypted kind 13, which isn't signed, but that's ok because we've authenticated the seal.

Relevant: Moxie's cryptographic doom principle

PS: Always turn off link previews if you can, and if you can't just realize you don't have any privacy.

Re:

But if the client uses cache-after-verify

Cache what? That any message from a pubkey no longer needs to be verified? What's this feature?

And notify your contact and everyone that wants to listen because this is a spoofing attack! Be the Karen! ↩

100 sats \ 1 reply \ @ek OP 7 Aug

Re:

But if the client uses cache-after-verify

Cache what? That any message from a pubkey no longer needs to be verified? What's this feature?

It's a vulnerable performance optimization. See Q4 in FAQ above:

When caching events, first verify them successfully and re-compute the id from the event payload each time you load it; do not rely solely on a relay-supplied or previously cached id. Vulnerable clients followed the “cache-after-verify” rule but still failed integrity checks because they cached only the id and skipped this re-computation step.

75 sats \ 0 replies \ @optimism 7 Aug

I think the main cause of this is the hash being included in the message. That's the design error that puts bad ideas into people's heads.

I guess they kind of address it but probably the best thing would be to delete it from the message altogether.

Footnotes