2024-09-26 09:33:08

greenart7c3 on Nostr: Just to complete what brugeman said here. When connecting with nip 46 there's a ...

Just to complete what brugeman said here.

When connecting with NIP-46 there's a chance someone can pretend it's the application you are trying to connect to, but for this attack the attacker needs to know your relays and guess when you are connecting to an application.
To mitigate this there's a "use secret" option; in Amber it's off by default because at the time most applications didn't support this.

For native applications using NIP-55 I use the package ID of the app, so if someone wants to pretend it's an application like Amethyst they can't; the only way to do this is making you uninstall Amethyst and install the fake app.

I'm also not a security expert, so it would be better if we had an audit.
Author Public Key
npub1w4uswmv6lu9yel005l3qgheysmr7tk9uvwluddznju3nuxalevvs2d0jr5
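
Added example, not part of greenart7c3's post and not Amber's code: a sketch of how a NIP-46 signer can enforce the connection secret mentioned above, so that a client who knows the relays and the timing but not the secret is refused. It assumes the `bunker://` flow, where the signer puts the secret in the URL and the client echoes it as the second `connect` parameter; the class name, placeholder pubkey, client names and relay URL are hypothetical.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

class PendingConnections:
    """Signer-side registry of one-time connection secrets (hypothetical helper)."""
    def __init__(self, signer_pubkey, relays, ttl=120):
        self.signer_pubkey = signer_pubkey
        self.relays = relays
        self.ttl = ttl            # seconds a secret stays valid
        self._pending = {}        # secret -> expiry timestamp

    def new_bunker_url(self, now=None):
        """Build a bunker:// URL carrying a fresh secret for the real app."""
        now = time.time() if now is None else now
        secret = secrets.token_hex(16)
        self._pending[secret] = now + self.ttl
        query = urlencode([("relay", r) for r in self.relays] + [("secret", secret)])
        return f"bunker://{self.signer_pubkey}?{query}"

    def handle_connect(self, client_pubkey, params, now=None):
        """Accept `connect` only with an unused, unexpired secret."""
        now = time.time() if now is None else now
        offered = params[1] if len(params) > 1 else ""
        match = None
        for secret in self._pending:
            if hmac.compare_digest(secret.encode(), offered.encode()):
                match = secret
        if match is None:
            return "rejected: missing or unknown secret"
        if now > self._pending.pop(match):   # pop makes the secret single use
            return "rejected: secret expired"
        return f"ack: {client_pubkey} authorized"

def demo():
    # Constructed scenario: an impostor races the real app on the same relay.
    signer = PendingConnections("<signer-pubkey-hex>", ["wss://relay.example"])
    url = signer.new_bunker_url(now=1000)
    secret = url.split("secret=")[1]
    me = "<signer-pubkey-hex>"
    return [
        signer.handle_connect("impostor", [me], now=1001),
        signer.handle_connect("impostor", [me, "guess"], now=1001),
        signer.handle_connect("real-app", [me, secret], now=1002),
        signer.handle_connect("impostor", [me, secret], now=1003),
    ]
```

Without the secret check, the first `connect` to arrive on the relay would be indistinguishable from the real application's request.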