Nostr will fail to the extent that people can't tell an impersonator from the real thing. The number of reports I get about my impersonator indicates to me that nostr is failing. But it doesn't have to be this way! Web of trust fixes this.

Let's play a game of "spot the impersonator". I created a fresh impersonator account with a valid NIP 05 from nostrplebs and all the same profile data. I didn't bother to clone my notes or create a bunch of sock puppet followers, but that could easily be done, and would improve the resemblance.

Coracle: [image]
Pretty good if I do say so myself. Social trust is shown in two separate ways: web of trust indicator and followers tab (although followers is not complete or sybil resistant).

0xchat: [image]
Exactly the same, other than NIP 05 address, which I don't consider any sort of validation at all. This is a classic phishing maneuver, and recently allowed @Shawn's impersonator to trick some people.

Yakihonne: [image]
Some social indicators are shown, but are not sybil resistant. They're also down the page a bit, and might not be noticed by users.

Jumble: [image]
No social proof indicated at all; the tabs at the bottom can easily be faked by the impersonator.

Nostter: [image]
No social proof, and failed to validate the NIP 05 for the real user.

Nostrudel: [image]
Nostrudel does something original in showing the public key color. But how often are you going to memorize a user's color? I'd argue this is even worse than nothing because it obscures the NIP 05, which _might_ tip you off.

Iris: [image]
Iris shows wot-vetted "known followers", which is good. In other places, a wot-based check mark is shown next to user avatars. This should probably be added to the profile page too, but still, pretty good.

Amethyst: [image]
Amethyst shows some social proof, but it's hard to tell exactly what those profile pictures mean.

Primal: [image]
Like yakihonne, social proof is visible, but not sybil-resistant.

Let's take a look at search now. Some clients do a much better job at this, some do a MUCH worse job.

Coracle: [image]
WOT indicators, correct sorting, complete results. Arguably, the impersonators should be filtered out entirely, but I personally prefer to have them included.

Jumble: [image]
Same thing, minus WOT indicators. Not bad.

Nostrudel: [image]
It's a pass, but I'm not sure if duplicates are filtered out on purpose or not. The check marks indicate NIP 05 validation, not wot validation.

Yakihonne: [image]
Only shows the legit version, along with a badge (I'm unsure if it's NIP 05 or something else). Pretty good.

Iris: [image]
Very limited results, WOT-based check, pretty good.

Primal: [image]
Eliminates impersonators, shows follower count, pretty good (though not sybil resistant in all cases).

The winners are Iris and Coracle for web of trust indicators, and Primal and Yakihonne in the "global view of the network" category. I'd love to see this get better though, and not just because I am now famous enough to have an impersonator. WOT calculations are low-hanging fruit, especially with the vertex DVM by @Pip the WoT guy around. Getting this right is a core value proposition of nostr and is worth the effort.

Replies (95)

While everyone else VibeCodes the ShinyNewThing, hodlbod delivers with a solid client. Web of Trust was the only thing that worked consistently to defeat the recent wave of "porn reply spam." And AFAIK Coracle is the only client implementing this. Another thing I would love to see *literally any other client* do: Lists of tags.
mfostr 5 months ago
Throw in some local first verifiable credential checksum badges during client-server schema negotiation for a verifiable presentation exchange, and we can super lock this down! 🪪🔐🆔☑️
Shoot, completely my bad. It was someone with a lightning.engineering NIP 05 I saw yesterday. Thought for some reason it was you.
do you consider that nostr started failing when you all implemented web of trust and new genuine accounts couldn't get any visibility then to come back around talk about retention? You shot yourselves in the foot with this shit. WoT is ass!
My estimation is that the norm will eventually be to hide absolutely everything outside of the web of trust by default, and show only optionally. As a minimum posts should be ordered by wot. Also, kind3 follows and 10k mutes are just the beginning. Communities will offer more reliable starting points. Other nip51 stuff is also useful. Context is key, and the general kind1 client use-case makes it hard to find that specific context where wot can be fine-tuned to user needs.
I've been wondering about this website of trust thing - how many indicators do you use? I ask because I was thinking, there's two people here regularly that I'd trust to validate my ID plus a couple of other people who are here occasionally. If my keys were compromised I know I can contact them externally to nostr and they'd be able to vouch for a new account. I don't know if they'd be useful or not more widely.
This is backward. Jumble has the best check because I can only see you, and not any impersonator, writing kind 01 posts to TheForest relay. Anyone can just check by switching to a curated relay they trust and looking to see, if your post shows up.
Not on coracle, that would require downloading a ton more data. Not sure about vertex, they might have the resources to do that.
I am. But the search puts follows up top with a following icon in each picture to make sure they know what is real. We will add Follows of Follows at some point. But that won't solve the issue since WoT can be gamed and based on how well people are keeping their relay lists, I doubt follow lists are super clean anyway.
Nostur has some good features for this, it helped me spot a Lyn Alden impersonator way back
That's a different thing, but also worth building. Real validation is a harder problem than preventing impersonation of popular accounts. Social key rotation is also the way to go IMO
If your wot calculation depends on no false positives, it won't work, sure. Set a threshold, incorporate mutes/reports, show a number, etc. Lots of ways to improve the most naive version.
Lots of ways to game the WoT score as well. Especially with leaked keys from real humans becoming very common. There will be a market for WoT keys that can be changed to impersonate somebody else.
Niel Liesmons 5 months ago
They'll keep building bandaids on top of Follows until the cows come home. And given enough vibe they'll forget what cows are too.
Judge Hardcase 5 months ago
I mostly use noStrudel, and I never paid any attention to the public key color. However, when considering adding an nPub to follow, I do pay attention to how many it is followed by who I also already follow. This is the information 1 line down from where your screenshot cuts it off. For example, it tells me that your legit nPub is followed by 83 who I also already follow... that seems pretty good to me.
Yes, everything can be gamed, in theory. In practice the game can also be cheap to play for the defender, and expensive for the attacker. The game also does not have to be static.
I forgot I added that last update... I should put that more front and center when I redesign the profile page
The blue dot (and also the walking man) mean I follow you. Why two things? I dunno, the walking man came first, and the blue dot was added by the UI team without removing the walking man. The star means more than 99 people that I follow follow you, so it doesn't fit within 2 digits. Otherwise it would be a number like 56 or whatever.
It adds the label if both of the following are true:
- you are not following the contact
- it has an 80% similar name and profile picture as someone you already follow
In gossip I only follow one hodlbod, this one, so I'm pretty confident 'tis the one. Mike Dilger's star is 27 for me.
Queue 5 months ago
I'm not sure that is a good idea, the impersonators could mass report the real one
If someone with a large following that I haven't talked to before tries talking to me I just assume scam. It's worked for me on traditional social.
Trust nobody. Read carefully. Don't touch links or media in DMs from strangers. Ask the nostr community if there's suspicious behavior from an OG or kinda "celebrity".
In a web of trust, no one follows the impersonator. So his mass reports have no value. Same discourse for any sybil network. Only trusted (followed) people contribute to a WoT score.
Client devs, if you don't want to reinvent the wheel when it comes to something so crucial as protecting your users from impersonators, you can just use @Vertex DVMs. WoT then becomes as simple as publishing an event. To see how it would work, you can check npub.world. Just keep in mind that it will become even faster after the refactor is complete. No need to commit straight away, you can test it for free. Learn how at vertexlab.io (thanks Jon for the shout-out)
I don't think that there will be ever a perfect solution for this. Not WoT, not recommended follows, not starter follower packs etc etc. It's pretty much like the "blue tick" issue on X where you'll find plenty of scammers taking advantage of appearing legit because of a ☑️ behind their name. The only thing that works is common sense and thinking for yourself when it comes to following people.
afewtunes 5 months ago
We are close, but it looks like very soon humans will not be able to trust digital data and information... too easy for AI to create fake and untrue realities.
Only on Nostr are the developers popular enough to have impostors. 😂
Honestly, I think Nostr needs some work at the protocol level for this. IMHO, we should embrace Self-sovereign identity (SSI). There isn't much standardization in that field but we could be pushing the envelope and be a catalyst for larger change.
STERRY 5 months ago
What do you think about DIDs?
Not really. That's @hodlbod's point about follower counts not being sybil-resistant. A determined scammer could spin up thousands of npubs and have them follow their impersonator account. Then the follower count doesn't help you determine which one is real at all.
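Below is an added example (my own, not code from any of the clients or from Vertex) that puts the scoring rules discussed in this thread into runnable form: a depth-1 trust set drawn from kind 3 follows, reports counted only when they come from trusted accounts (so the mass-report concern raised above has no effect), the gossip-style 80%-similar-name label, and search ranking by the resulting score. The follow graph, sybil accounts, reports and display names are constructed for the demonstration, and profile-picture similarity is left out.

```python
from difflib import SequenceMatcher
# Constructed follow graph (not real Nostr data): pubkey -> set of pubkeys it
# follows (each account's kind 3 contact list). "real" is the legitimate
# account; "fake" is an impersonator followed only by constructed sybils.
SYBILS = [f"sybil{i}" for i in range(1000)]
FOLLOWS = {
    "me": {"alice", "bob", "carol", "real"},
    "alice": {"real", "bob"},
    "bob": {"real", "carol"},
    "carol": {"real"},
    "real": {"alice"},
    "fake": set(),
}
for s in SYBILS:  # sybils follow the impersonator and each other
    FOLLOWS[s] = {"fake"} | set(SYBILS[:5])
# Constructed reports (kind 1984 style), reported pubkey -> reporters: the sybils mass-report "real"; bob reports "fake".
REPORTS = {"real": set(SYBILS), "fake": {"bob"}}
# Constructed display names (kind 0 "name"); picture similarity is omitted.
NAMES = {"real": "hodlbod", "fake": "hodlbod", "alice": "alice", "bob": "bob"}

def raw_follower_count(target):
    """What a naive followers counter shows: trivially inflated by sybils."""
    return sum(target in followed for followed in FOLLOWS.values())

def trusted(me):
    """Depth-1 web of trust: only accounts 'me' follows get a vote."""
    return FOLLOWS.get(me, set())

def wot_score(me, target, report_weight=1):
    """Trusted followers minus trusted reports; follows and reports from outside
    the trusted set contribute nothing, so sybil activity cannot move the score."""
    voters = trusted(me)
    followers = sum(1 for v in voters if target in FOLLOWS.get(v, set()))
    reports = len(REPORTS.get(target, set()) & voters)
    return followers - report_weight * reports

def name_similarity(a, b):
    """0..1 similarity of two display names (difflib ratio, case-insensitive)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def lookalike_of(me, candidate, threshold=0.8):
    """gossip-style label: candidate is not followed by 'me' but its name is at
    least 80% similar to someone 'me' follows. Returns the matched pubkey."""
    if candidate in trusted(me):
        return None
    name = NAMES.get(candidate, "")
    for t in trusted(me):
        if name and name_similarity(name, NAMES.get(t, "")) >= threshold:
            return t
    return None

def rank_search(me, candidates):
    """Order search results by WoT score (highest first), then raw count."""
    key = lambda c: (wot_score(me, c), raw_follower_count(c))
    return sorted(candidates, key=key, reverse=True)
```

With this graph the impersonator has 1000 raw followers but a negative WoT score, while the real account scores 3 and sorts first.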
STERRY 5 months ago
Implemented reports as part of the trust score on noswot. It works great, but doesn't scale to client side. Perhaps a sampling approach can be good enough.
No solutions, only tradeoffs? h/t @Gigi You're right, of course. That said, the more tools to help us out, such as WoT, the better equipped we will be to identify likely impostors. More red-flags to hopefully engage our common sense, which often decides to take a nap.
Generally a good rule of thumb. But that's assuming that it is always the scammer who will be trying to reach out to you. Scammers also get some hits from users who are looking for the legit profile and end up finding their fake instead. Or they find both the real and fake profile, but they don't know which is real, so they follow both.
STERRY 5 months ago
Let's push the envelope!
Damus could be better, could be worse. When I searched for "hodlbod" his profile was not returned at all in the top results, even though I follow him: [image]
I had to scroll WAY down before finding the first profile with that name: [image]
Aaaaaand it was an impostor: [image]
But, when I go to the correct @hodlbod profile, I see that other people I am following also follow him: [image]
Sadly, there's no real indication on the fake profile that it is probably a fake, unless a user already knows what to look for, such as lack of NIP-05 (though scammers are starting to add NIP-05s, too), and no indication that anyone I am following also follows them.
New accounts have ALWAYS had trouble getting visibility, even before WoT. Why? Because no one uses Global feeds. They only see posts from those they follow in their home feed. As a result, when new users come to Nostr, they post a few times, get next to no engagement, and leave. That has always been the case. WoT is a very useful tool, though, when searching for a specific account, and you don't want to end up getting shown a fake. It's also useful for combating spam. Yes, this does create another hurdle for new users to get over before they can get any traction here, but frankly new users are more likely to be spammers than established users, too. No matter what spam mitigation method we use, it is going to adversely affect new users more than others.
I’m still learning about nostr, but you raise valid points. Is there a way the account creation date can be factored in? If it was created months before others who are trying to impersonate it, it might be a telling metric
Agree on that. Also Nostr doesn't really have any buzz, and buzz is what attracts genuine new users. If you don't have buzz and you're getting new users then a super high percentage of them won't be genuine, just a law of nature. So in the absence of buzz, worries about the new user experience are kinda moot.
Coracle is not the only client, but it is one of the few and I think it was the first. WoT has been part of Coracle since before the replyguy spam attack last August. Then @utxo the webmaster 🧑‍💻 released his WoT relay in response to that attack. I also like how Jumble has implemented WoT just for interactions, but not for original posts. This allows for still seeing every OP in a relay feed, while filtering out reply spam. Then, if you are seeing a bunch of OP spam, you know you should choose a different relay. 😂
jb55 _@jb55.com 5 months ago
looks like we just need to trim whitespace when building the index
Doing it manually? Yes. But who says it needs to be done manually? It wouldn't take much to write a program that could generate a few thousand Nostr accounts and create kind 3 notes following several legit accounts along with following each other.
#2 🔥 Community Highlights
1. Subscribe @rabble on YouTube, and you will be able to see an amazing conversation with @jack soon
2. @npub1220s...ncsh at @BTC Prague
3. A Great work of a bunch of Devs on Nostr
4. Web of Trust fixes the confusion of impersonators
5. A Cal alternative on Nostr is on fire very soon
6. The Web of Trust is very important
7. The new wave of @npub10pen...n34f Nostr Grants
8. It is not easy to onboard friends on Nostr
9. A lady pleb is gonna force her friend to use Nostr
10. Decentralization is always very cool
11. Americans and Indians on Freedom of speech
12. This is why we need Freedom of speech
#community_nostr_recap