faq: general security/privacy issues

[ghost]

Hello everyone!

I would like someone to clarify my general doubts. Recently, search all over the internet about nostr. And I found several experiences or issues, which I will report here. I have a list of 15 questions regarding the nostr protocol. So, could someone help me? Could anyone answer any of these questions?

issues

1. It is an unknown or little known network protocol, there are few solutions available in nostr

2. Many email features are not present in nostr. For example not all nostr apps have message filters

3. There are few servers, relays to send and receive messages, which is a danger to data protection and security for many users

4. Although nostr is an alternative to Twitter, there are still no “official measures” to control content sharing or moderate content. This can be dangerous, as each country, region or state has certain laws, rights, duties, obligations or responsibilities that are different in legal terms

5. Although the nostr protocol has a theoretical model for preventing spam with paid content, this is not applicable in most cases

6. "Deleting a certain content that you wrote wrong is something that is not possible in nostr. For example, let’s assume that you wrote a message with some misspelling, as the message was sent, it is not possible to re-edit the message and send the spelling correction, as most nostr clients could have sent the message with the misspelling, which makes it impossible for you to cancel a message already sent"

7. "Privacy, anonymity, security is complicated in the nostr protocol. For example, there are no proposals for tor-like networks, vpn, proxy or firewalls to make the encapsulation of message routes in nostr even more secure, transparent, private and anonymous. It may be that a nostr server registers the number of ips or regions from which you most access"

8. "There are no media types in nostr. This is bad, because when you write messages in emails, you could send .pdf, .txt, etc. files. There are proposals in nostr+ipfs to solve the problem of multimedia files in nostr, but nostr+ipfs is not an official proposal yet

9. "Not all nostr protocol improvement proposals are accepted. There are proposals for improvement in the nostr protocol that have not yet been accepted"

10. "Things like PGP(Pretty Good Privacy), GPG(Gnu Privacy Guard), OpenPGP are used in email to encrypt the content of messages. However, nostr only has public and private keys, usually the message content in nostr is not encrypted, it will depend on the solution that uses nostr to encrypt the message content or not"

11. "If you lose your private key, someone can impersonate you or you will never have access to the account again. Things like email, you can recover your password."

12. "Email security and content moderation is very easy, you usually only receive emails from people you trust or want. One problem with nostr is that the public key is replicated to different servers, so you may receive messages from unknown people you have no contact with."

questions

1. How can these issues be resolved?
2. How can I prevent people from using my public key to get my contact information?
3. What are the pros and cons of nostr?
4. What are the advantages and the disadvantages of nostr?
5. Why can't I delete an event in nostr?
6. Why is it not possible to delete my messages or keys in nostr?
7. Why some solutions in nostr don't allow to delete keys and messages?
8. How can I develop things in nostr?
9. Where can I find things like sdk or toolkit to develop things in nostr?
10. Why do you all think it can be an alternative to Twitter, ActivityPub, SSB (Secure Scuttlebutt)?
11. Is this protocol secure? is it private?
12. What happens if I want to report content that I believe is wrong?
13. How can I report content that I believe is bad on nostr?
14. Why use nostr instead of IPFS?
15. What are the use cases where nostr cannot or should not be used?

[gourcetools]

5. You can delete an event. https://github.com/blakejakopovic/nostr_delete
6. You can do so if relays and clients support the report feature.
7. SAME SAME
8. none

[ghost]

I would like someone to clarify my general doubts. Recently, search all over the internet about nostr. And I found several experiences or issues, which I will report here. I have a list of 15 questions regarding the nostr protocol. So, could someone help me? Could anyone answer any of these questions?

I will try to answer your question.

1. How can these issues be resolved?

   • The most interesting thing is to open the questions in a simple, general way. Opening specific issues are interesting as they can give you more feedback.

2. How can I prevent people from using my public key to get my contact information?

   • This is not a problem with the protocol itself, but with who uses it.

3. What are the pros and cons of nostr?

   • You can find information here: README.md

4. What are the advantages and the disadvantages of nostr?

   • You can find information here: README.md

5. Why can't I delete an event in nostr?

   • That was answered.

6. Why is it not possible to delete my messages or keys in nostr?

   • That was answered. Please, see this: Suggestions about deletion

7. Why some solutions in nostr don't allow to delete keys and messages?

   • That was answered.

8. How can I develop things in nostr?

   • That was answered. But please, see this nbd-wtf/nostr-tools, nostr-js

9. Where can I find things like sdk or toolkit to develop things in nostr?

   • There are sites or open source projects like: nostr.how, Nostr: Solucionando la censura de una vez por todas, nostr.guide, usenostr, nostr-ings.com/newbie-nostriches, nostr-ings.com which can clarify this technical question how to develop things in nostr.

10. Why do you all think it can be an alternative to Twitter, ActivityPub, SSB (Secure Scuttlebutt)?

    • You can find information here: README.md

11. Is this protocol secure? is it private?

    • Yes, yes,

12. What happens if I want to report content that I believe is wrong?

    • Please, see this: NIP 56: Reporting, README.md and micropagaments in nostr to avoid spam?, smart contract in nostr?

13. How can I report content that I believe is bad on nostr?

    • You can report the content. There is a NIP that makes this possible here. For example, NIP 56: Reporting

14. Why use nostr instead of IPFS?

    • "IPFS is not included as part of this spec due to its performance issues, unstable API, and de-facto reliance on centralized gateways. Still, if the creator of an event wanted to include the IPFS hash in an event, there's nothing in this spec that would stop him from doing that."
    • Nostr allows the network to be public, private, anonymous, temporary. To learn more about the network protocol, I suggest you see this link here: what is nostr?

15. What are the use cases where nostr cannot or should not be used?

    • If you will know all the use cases of the network protocol: nostr. Please, see this: aljazceru/awesome-nostr, nostr-ings.com/nostr-universe and what are the use cases of the nostr protocol?, Nostr-Clients-Features-List

[ghost]

"Number of relays: the document suggests there need only be a handful of relays for the protocol to be successful" "I think nostr needs many relays to be successful in censorship resistance. But, clients need to be super smart to find relays for pubkeys, and be efficient to avoid being banned by relays."

This is the security issue called "unique number of relays".

[JustusW]

How is a not freely licensed, privately owned, for profit protocol solving anything? You are selling stuff on nostr.com, you are intentionally rejecting safe and secure practices like RFCs, and standardization, you are not clear on the way your cryptographic scheme is ensuring safe key exchanges. This has been a major problem PGP had to solve and you simply ignore it.