Simplified Privacy

Nostr’s Most Secure Client, Interview w/ Gossip’s Mike Dilger

Our interview with Mike Dilger, lead Dev of the Nostr Client Gossip…

Simplified Privacy:

What makes Gossip unique? I believe you were telling me a few months ago about your method of fetching messages from servers, that has influenced other Nostr client developers to incorporate Gossip’s model.

Mike:

The gossip client started out with the goal of following people not relays. Since you can’t control which relays other people use, it was immediately apparent to me, that gossip couldn’t connect to a fixed set of relays. Instead, it had to discover what relays the followed people were posting to and fetch their events from those relays. Solving that problem meant to me, finding out not only what relays people use, but also how to connect to those relays judiciously. And that was the first big thing I did when coding gossip back in December 2022, before anybody was using it yet.

Since then, at the protocol level, NIP-65 defined a way for people to disclose which relays they use.

[Editor’s Note: Mike wrote NIP-65, so his client influenced the entire protocol]

Gossip still uses it’s bag of tricks to collect that information, but NIP-65 events (such as those labeled “10002”) are the best tool in that bag now. The events labeled 10002 get the person’s relay list, and a lot of other Nostr clients are now using this relay usage model. In fact, it’s even been called the “gossip model” or the “inbox/outbox model”. This model solves what I call the “relay rendezvous” problem, which is basically just the question of how do you choose and use relays, such that messages from person A get to person B.

What differentiates this model from others is that it is fully decentralized, there is no need for relays to copy events between each other, and clients don’t strictly need a proxy (although low-powered clients might benefit from one). It is also the most straightforward and natural solution to the relay rendezvous problem.

Gossip is unique for some other reasons too. We don’t store the private key in raw form, we encrypt it under a passphrase and clear memory before it is released to wipe secrets like keys and passphrases.

Also, gossip is a desktop client whereas most other clients use web technology. So we don’t suffer from security issues in the gigantic web stack unless they are very fundamental (like PNG decoder issues). And I think being written in the rust language makes it less buggy and more secure too.

Simplified Privacy:

What features can people be on the lookout for in the next versions?

Mike:

The following are already on master and will be released in version 0.10:

1. Autoselect which relays to advertise your relay list to

2. Load more at the bottom of feeds (time based, not count based, but we may switch that around)

3. Only accept notes from people you follow-on relays you didn’t designate as “spam safe” (optional)

We are also hoping to get some of the following done:

1. Bookmarks (pin events for yourself)

2. Person-list encryption to use new nip-44 standard

3. Retry posting of events that failed to post to some relays when initially posted.

4. Alerts about pending actions (e.g.: you haven’t advertised your relay list in a while, or this post didn’t to all relays maybe try again, or your follow list has changed, and you should consider pushing the updated list)

5. Relay whitelisting for both connecting and authenticating (optional)

6. Giftwrap DM support complete (you can receive them now, but DMs are still generated using NIP-04)

7. Search at relay (current search is only in the local database)

8. NIP-46 connect in both directions

That list has gotten longer and it is too much for one release, so it won’t be all of that.

Simplified Privacy:

Ah, great to hear a search at relay is coming. This is where you pick a group of relays to search for a particular user? Or to check the messages of a user on the relay for a particular phase? Also, I’m glad you mentioned the giftwrapped DMs. On Gossip’s DM tab, it warns users that Nostr DMs are not safe. What are the current flaws that people are vulnerable to?

Mike:

For search at relay, yes you will pick a relay probably from a dropdown or something like that. It will use the search filter field defined in NIP-50 which searches content. We will display whatever events come back in a list.

Current DMs using NIP-04 have a couple of weaknesses. We don’t know how to crack it, but there might be an attack that gets at the shared key from the two public keys and a lot of ciphertext, or with a plaintext-ciphertext oracle. The algorithm also exposes the length of the message, and DM metadata is available for everybody to see. You and I are using this right now, and while the world cannot see our messages, they can see that we are talking, when each message was sent, and how long each message was.

The new NIP-44 uses an algorithm that has just been audited for security that includes things like obfuscating the exact message length without being wasteful. The new giftwrap DM scheme uses NIP-44 for encryption, and it also hides metadata about who sent the message, it hides precisely when the message was sent it, and it maintains deniability (your communication partner can blab to the world, but what they blab would not be signed by you). So all the world would see is that you got a DM at some time in the last week of some approximate length, but they don’t know who sent it.

Now the relay you sent it through can harvest a bit more metadata than that. If the relay AUTHs you, it knows you are the sender and it can correlate this fact with the event which shows the recipient. Even if it doesn’t AUTH you it probably knows your IP address. But since the relay you will use is the DM relay of the recipient, and since you must be trusting the recipient with the message anyways, trusting their DM relay isn’t too much of a further step. Nonetheless, people should be aware of this and if they need even better privacy other solutions will have to be invented like mixnets.

Simplified Privacy:

Gotcha, yeah Session is similar to what you just described, where it’s onion routed to the recipient’s relay. Obviously Nostr evolves quickly, and none of us really know how it will influence society. Or what form it will take. But big picture, where do you see Gossip going in the future? In the sense that, do you think Nostr will remain primarily a decentralized Twitter or go beyond that?

Mike:

I don’t have big plans for gossip breaking into new ideas. I just want it to keep up and be rock solid. There are more features I want to get around to eventually beyond the 0.10 milestone ones that already have NIPs defined and are in use by other clients. But I don’t expect an ever growing technology. I hope it settles down and stays relatively simple.

As for Nostr I feel the same way. I don’t want it to become gigantic like the web stack. I don’t think everything has to be built on top of Nostr. I was even against DMs being built on top of Nostr, but I’m okay with it now. This search for the next big thing on top of Nostr is understandable among an entrepreneurial crowd, but I don’t think there will be very many winners. But don’t let me be a wet blanket on exploring new ideas – right now we are in that phase were we need to explore ideas. I’m just saying that I hope Nostr doesn’t become thousands of things that every client has to implement. There will be new things that fit very well into what Nostr is that couldn’t be done so easily before hand. But most of the proposals on the NIP repository are things gossip will never implement. Some of them are great ideas but don’t really benefit from being on top of Nostr and should probably be done independently of Nostr.

I think some of the best things to be built on top of Nostr will come much later. We can’t easily predict what they will be. But there is no rush.

I wish people would instead think more about solving the problems that have no good solutions, like key management or replaceable events getting clobbered. Or even onboarding experiences. Or just making clients more robust.

Simplified Privacy:

Fair enough. I wanted to ask you about a current feature of Gossip, which is the Proof of Work. So if I submit a message, it adds by default 22 bits of PoW. Is this like Bitcoin’s PoW, to prevent spam? Like showing the relays you’re serious?

Mike:

Yeah exactly. It takes effort to generate a message with PoW. A spammer can’t generate them nearly as fast as events without PoW, so relays don’t get flooded with spam that they need to classify as quickly. I don’t know if relays take PoW into consideration, or how many do, or under what circumstances. I think it could be used more. Some of the reasons for PoW are now handled with AUTH. If the relay trusts you, it doesn’t need you to do work to prove anything.

But at least one remaining case can’t be AUTHed, and that is giftwrap. Giftwraps are authored by an ephemeral keypair that was never seen before and will never be seen since. So PoW makes sense in that case.

Funny thing, long ago when I implemented PoW it was because somebody posted “Relays are going to start requiring proof of work” and I took it seriously, but the poster was just making a bold prediction. I thought “oh shit, this is imminent, I’d better implement this so I can stay on Nostr.”

Simplified Privacy:

That’s a great point on PoW DMs, Gossip is positioned to be in a good place to handle that issue. Will cellphones be unable to do the PoW? I don’t imagine many users looking to wait 40 seconds to send a text.

Mike:

Yes, cellphones will be at a disadvantage when it comes to PoW. But this is only for giftwrap DMs. The PoW doesn’t have to be super high.

If there is a better solution everybody is listening. I’ve heard other solutions but not better solutions. Client proxies may have a role to play.

Simplified Privacy:

So making an open source client is a massive time commitment on your part.

What motivates you to make this?

Mike:

I see civil society falling apart because a generation of people failed to recognize the value of conversation, argumentation, discourse, and the freedom to speak about and defend any position, offensive or not. I see good ideas being silenced and then institutions making very bad decisions because they didn’t hear the good idea enough for it to sink in and change their view. So I have felt that the fate of Western society if not the whole world was in our hands. It seems to me the West is an empire in decline, and I want to preserve at least part of what was good about it. Never in my life has something so important fallen into my lap, and I feel responsible to the future of humanity to get this right.

I recognized that twitter as a company can never be a free speech platform. It was obvious we were going to have to fix this problem from the ground up. And when I found fiatjaf’s idea that came at the problem from the right angle I had to go with it.

So I was very motivated in late 2022, I programmed faster than I ever had.

But now Nostr basically works. Sure there is a lot to be improved, but the primary problem is solved. We did it. We won. The most important part of this has been achieved. Now the flame of online free speech can not be extinguished. Even if the remaining problems remain forever, the main thing that motivated me has been achieved.

So my motivation now comes from annoyances. Something bugs me and I want to fix it. Or someone bugs me about something and I want to fix it for them. Or something seems challenging and I enjoy challenges. And I’m also motivated by a paycheck from OpenSats – I have a grant from them. I don’t want to let them down.

Simplified Privacy:

That’s inspiring. Myself and the rest of the team are grateful for your efforts, it enables us to reach all these people and improve their lives. Let’s wrap this up, do you have any final points you’d like to get across to potential Gossip users or regular current ones?

Mike:

Sure. There are lots of clients. Gossip isn’t for everyone. But if you are mostly concerned with privacy and security, and you have a desktop to run it on, I think gossip is a good choice.

Also, any rust programmers out there that want to help out are welcome. As long as you don’t write huge PRs that are too hard for me to understand, I’ll merge in any good work. And if you get three or more commits of any significance you can then add yourself to the authors and I’ll merge that too. This is and always will be open source, and that means gossip is everybody’s project.

And I should probably throw a shout out to Daniele Tonon and Bu5hm4nn who have put in significant work on the user interface and user experience. Without them I’d be bogged down in stuff I’m not good at and gossip would still be ugly.

You can find the Gossip Client here:

https://github.com/mikedilger/gossip

Mike’s Nostr Public key:
npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35c

Related Articles