The internet and its various communications mediums, be that email, social media or instant messaging, has lowered the barrier to accessing eyeballs. Today if you have someone’s contact information, it’s very easy to get a hold of them or, worse, spam that user to no end.
Having email centralised through ISPs or services like Gmail, having instant messaging and social media run by centralised companies, it’s their job to keep their service spam free or low enough to make it tolerable.
However, the fight against spam is not a plug-and-play solution; it’s a constant battle. Since it’s pretty trivial to spin up a bunch of email boxes and a bunch of social media accounts, you can always start up a new spam operation in a short space of time. It’s a practice that will never go away because it’s so cheap to do, and even if a small percentage of people fall for spam emails, posts, accounts and links, it can be wildly profitable for the spammer or the person paying the spammer.
While centralised companies have their hands full cleaning up and blocking spam, decentralised protocols will have to deal with spam, too, especially as they grow. The larger the user base for Nostr, the more valuable spamming users on the network becomes to reach some of those users.
Creating a decentralised social media and communications protocol requires making certain trade-offs and design decisions. Since you don’t have the safeguards of a centralised entity that can manage spam through different choke points, you need to create filters for relays and users.
What is a NIP?
A NIP is a Nostr Improvement Proposal; these are basically tech specs that are proposed as upgrades for the Nostr protocol.
What is NIP-05?
NIP-05 is a verification method for your Nostr account across all clients. Think of it as the blue checkmark on Twitter or Instagram, but instead of meeting Twitter and later Instagram’s requirements to be verified, you can simply do it yourself, and Nostr clients will respect it.
To get your account NIP verified, you will need a:
- Nostr public key
- A web server – Hosting and domain
- The ability to set a static file on your domain
Once you’ve created a public key, create a JSON text file with your name and public key in it
{
"names": {
"<name>": "<pubkey>"
}
}An example would be
{
"names": {
"<The_Bitcoin_Manual>": "<7ecd3fe6353ec4c53672793e81445c2a319ccf0a298a91d77adcfa386b52f30d>"
}
}
Note:
- Please remove the <> as shown in the placeholder above
- Some clients may not recognise your public key as used above and you may have to use your npub key instead
Save the file and leave it on your desktop.
- Now head over to your domain and use either the hosting provider’s file management tool or an FTP tool to access your server.
- Dump the file on the path domain.com
/.well-known/nostr.json?name=<local-part> - Now head over to your Nostr client, find the NIP-05 field in your profile setting, enter the name you chose and click verify.
Once your Nostr account is verified, your client of choice should display a checkmark symbol of some kind next to your chosen handle.
If you want More information on NIP-05, check out the following resources
- GitHub – https://github.com/nostr-protocol/nips/blob/master/05.md
- GitHub – https://gist.github.com/metasikander/609a538e6a03b2f67e5c8de625baed3e
Nostr community verification
If you don’t have a domain of your own but still want to verify your account, you can reach out to a couple of community projects that have emerged where a Nostr account user will update their domain with your chosen handle and public key and vouch for you.
You can reach out to one of the following projects, and they will help you with verification via their owned domain.
- Rogue.Earth
- Nostrplebs
- nostrverified.com
- getalby.com
- nostr.directory
- Bitcoin Jungle
- Bitcoin Nostr
- nip05.nostr.band
- nostr.com.au
- Vida.page
- Stacker.news
- Nostrcheck.me
- easynostr.com
- getcurrent.io
What is the point of NIP-05?
It’s a (best-effort decentralised) trust-minimised verification system. It proves that either you own the domain name you used or that the domain owner allowed you to register there. Domain names cost money and time to set up. If someone uses a domain or a class of free domains to set up bots, those can be blocked by relays and clients.
Relays can use it to enforce their policies (e.g. combat spam), prioritise NIP-05 verified identities, etc Clients can show checkmarks on verified accounts and set their own content filtering policies.
In addition, certain relays could whitelist NIP-05 verified accounts and only allow these accounts to post onto their relay.
Improving client search
A client can use NIP-05 verification status to allow users to search other profiles. If a client has a search box, a user may be able to type “bob@example.com” or add a domain as a filter to their search and the client would recognise that and do the proper queries to obtain a pubkey and suggest that to the user.
Nostr directories
Another use of NIP-05 verification tags is with account directories where you can search for fellow Nostr users so that someone might have the same or similar username, but you can differentiate yourself through the NIP-05 verification method you’ve chosen so people who wish to follow you or contact can find the right account.
NIP Verification isn’t foolproof
Despite the benefits of NIP-05 verification, it doesn’t mean that spammers cannot find their way through this system; it’s only there to make their life a little harder. We’ve already seen how poorly people manage their private keys in the bitcoin and altcoin space, and that should tell you something since those keys manage money.
It would stand to reason that private and public keys that only manage text would carry even less weight when it comes to taking safety precautions, and people WILL dox their private key.
- They’ll save it on a computer of the phone that they’ve lost or sold
- They’ll log in to the browser on a device that’s not there
- They’ll use free WiFi and expose their keys
- They’ll post their private keys online
- They’ll store it in a cloud storage service that leaks
- They’ll store it in an email or send it via email or text message
- And the list goes on
If someone’s private key is compromised, even though it is verified means nothing; the spammer now has access to the account and can do what they want with it, enter relays they couldn’t previously and try to perform malicious attacks knowing their access is temporary.
Domains can be compromised.
Websites get hacked all the time, and while hosting providers do their utmost to ensure that these hacks are kept to a minimum, it is a possibility. If a domain is hacked and a hacker could inject an updated JSON-LD file with their spam keys in it, they could get a bunch of their spam accounts verified and gain access to certain relays.
Relays could blacklist this domain’s verification should they realise it is compromised, but this is a reactive measure, not a proactive measure, and in between blacklisting, the damage could already have been done.
Do your own research.
If you’d like to try out Nostr or want to learn more about it, we recommend checking out the following resources to kickstart your research.
Are you on Nostr?
If you are a Nostr user and want to hang out and chat with us or follow our content on your preferred Nostr front end, feel free to add us using the PubKey below.
7ecd3fe6353ec4c53672793e81445c2a319ccf0a298a91d77adcfa386b52f30d
The Bitcoin Manual’s Nostr Pubkey
