More and more people have started using Nostr, but not many talk about how to use it safely. Nostr is not the social media we are used to: it is not something where you can DELETE a post and pretend nothing happened.

Nostr: A simple, open protocol that enables a truly censorship-resistant and global social network.

Nostr is indeed a good tool against censorship, but it also comes at a price if you don't know what you're doing, so I'm going to share some of the safety practices I've learned to help you stay safe in this Wild West.

How to Create a Nostr Account

  1. Ideally, use Alby or nos2x to generate and hold your keys instead of letting any Nostr client do it.
  2. Save the key somewhere safe, e.g. in the offline password manager KeePassXC, and always have a backup.
  3. Choose any Nostr client you like to log in with.

For Desktop

  • Primal: fast - I use this as my main client.
  • Snort: clean UI but quite slow - I use it as a backup when Primal is down or fails to load.
  • Iris: average speed and average UI.

For Phone

  • iOS: you can use Damus or Nostur - I like to use Nostur, but I normally use it for reading only.
  • Android: you can use Amethyst.

How to Find Interesting People or Content

Because Nostr has no algorithm, your homepage can be quite empty if you don't know how or where to find interesting things, but there is one good tool to check notes or any activity: https://nostr.band/

For example,

A good hack: once you find some interesting accounts, look at who they are following.

How to Receive Zaps

There are many LN addresses you can link to Nostr; I have tested several, and here are two of my favorites:

LNtip bot

This one is what I used to use: a simple LN address that you can easily create as long as you have a Telegram account:

Features

  • simple to use
  • notifications
  • private comments available

Downsides

  • custodial wallet
  • need to use Telegram for it
  • not much privacy

Hacks

If you would like to be more private, you can use sms4sats to sign up for a fresh Telegram account and then create an LN address with it instead of using your personal account.

npub.cash

Another one of my favorites is the new kid in town: the Cashu address. I've been using it for about a month now, and it's good for those who want more privacy or are just being adventurous:

Warning: it's new; don't be reckless and put too large funds into it.

Features

  • private by default
  • no sign-up
  • automatic Nostr DM notifications

Downside

  • custodial wallet
  • sats must be redeemed manually

Hacks

The way I use it: once the accumulated zaps reach a certain amount, I usually choose Lightning to redeem them. It overcharges you some fee at first; all you need to do is paste a Lightning invoice, and then you claim the leftover with any Cashu wallet, e.g. eNuts. (You can redeem the sats over either Cashu or Lightning.)

Anyone can have one; yours is <yournpub>@npub.cash, but if you want a human-readable address, you can get one for 5k sats. You even get an extra payment page that you can link from your own socials or sites.

How to Verify NIP-05

NIP-05 is how you get the purple tick in Nostr; it means verified, and there are different ways to get it.

If you own any site(s), you can link to your Nostr account.

Step 1. Create a JSON text file on your domain

{
  "names": {
    "<username>": "<hex-public-key>"
  }
}

You can use this tool to get the hex of your public key, and one more tip: if you want to leave the user name blank, use "_"; the verify address is then simply yourdomaindotcom instead of username@yourdomaindotcom.

Step 2. Enable CORS: allow the GET and HEAD methods (important step!)

Then you can use this tool to check whether it's set up correctly.

Step 3. Link the address to your Nostr profile

Put username@yourdomaindotcom or yourdomaindotcom into your Nostr settings, done.
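As an added example (not the author's tool, and not part of the original post), here is Python that does the key-conversion and checking steps above offline: it decodes an npub to the hex key the JSON file needs, builds the file NIP-05 expects at https://<domain>/.well-known/nostr.json, and checks an identifier the way a client would, including the "_" name for a bare domain. The domain and key used in the test are constructed placeholders.

```python
import json

# bech32 constants (BIP-173); NIP-19 encodes public keys with plain bech32, HRP "npub".
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

def _polymod(values):
    chk = 1
    for v in values:
        b = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (b >> i) & 1 else 0
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def npub_to_hex(npub):
    """Decode npub1... to the 64-char hex key NIP-05 expects; rejects bad checksums."""
    hrp, data = npub.lower().rsplit("1", 1)
    values = [CHARSET.index(c) for c in data]
    if hrp != "npub" or len(values) != 58 or _polymod(_hrp_expand(hrp) + values) != 1:
        raise ValueError("not a valid npub")
    n = 0
    for v in values[:-6]:          # 52 data groups * 5 bits = 256 key bits + 4 pad bits
        n = (n << 5) | v
    return f"{n >> 4:064x}"

def hex_to_npub(hexkey):
    """Inverse of npub_to_hex, useful to double-check the hex you pasted into the file."""
    n = int(hexkey, 16) << 4
    values = [(n >> (5 * i)) & 31 for i in reversed(range(52))]
    pm = _polymod(_hrp_expand("npub") + values + [0] * 6) ^ 1
    checksum = [(pm >> (5 * (5 - i))) & 31 for i in range(6)]
    return "npub1" + "".join(CHARSET[v] for v in values + checksum)

def build_nostr_json(name, npub):
    """Content for https://<domain>/.well-known/nostr.json; name "_" means the bare domain."""
    return json.dumps({"names": {name: npub_to_hex(npub)}}, indent=2)

def nip05_lookup(identifier):
    """What a client fetches for 'name@domain' or a bare 'domain' (which implies name "_")."""
    name, domain = identifier.split("@") if "@" in identifier else ("_", identifier)
    return f"https://{domain}/.well-known/nostr.json?name={name}", name

def nip05_matches(identifier, nostr_json_text, npub):
    """True only if the served file maps the looked-up name to exactly this key."""
    _url, name = nip05_lookup(identifier)
    return json.loads(nostr_json_text).get("names", {}).get(name) == npub_to_hex(npub)
```

Serve the output of build_nostr_json at the well-known path with CORS enabled, then feed the fetched body to nip05_matches to confirm the tick will resolve to your key.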

I set this up before, but later I found out that it's actually better not to stand out so much in the crowd, especially in the Wild West.

If you don't have any sites, you can use your SN LN address as your NIP-05 verification in Nostr.

Simply go to SN settings > Nostr > NIP-05, put your Nostr public key into the public key field, then go back to Nostr and put your SN LN address into the NIP-05 field, done.

Or get verified through a service:

https://bitcoinnostr.com/

https://nostrplebs.com/

And many others, but I don't see much point in using them. Okay, you can get the purple tick and an address so others can search for you easily instead of using the long string, but seriously, linking to your POW makes more sense than buying a verification.

Safety Practices

- Always use a VPN

Nostr uses relays to communicate between Nostr clients, which exposes your IP address to them, meaning a relay operator can easily work out your approximate location; using a VPN solves this problem.

- Use an extension to log in

Use Alby or Nos2x to log in, and avoid copying and pasting your private key into any sites.

- Follow and engage wisely

Anyone can log in with your public key and see what you follow and engage with. Every like, comment, zap, and note is permanent and PUBLIC.

- Avoid using DMs

The messages are encrypted, but the metadata can be viewed by ANYONE: who you talked to, when, and small details like who initiated the conversation, how active you were in it, whether you received unwanted spam, and what time range you were online to reply (which potentially reveals your time zone, etc.).

- Only use trusted relays

Your notes could be nuked, but I haven't paid too much attention to this; however, here is one handy backup tool for it: nostrsync.

- The Art of Sharing

It's basically the same practice for using any social media, but always think TWICE before posting anything, and avoid posting anything too personal because you CAN'T delete it in Nostr.

  • For photos

Better to remove metadata before uploading, especially the location.

  • For articles

Avoid posting directly. Ideally, post links you control instead; then you can always trash the link whenever you feel like it.

  • Delay sharing

Avoid sharing anything in real-time, such as your current location; for example, I usually share things after I leave the place.

  • Cross post from SN to Nostr

Crossposting is quite handy for creators, but do remember that you can't delete anything in Nostr. I don't use crossposting myself; I'd rather share a link in Nostr, and only links that I control: not only can I edit my content anytime, but I also have the freedom to trash the links whenever I feel like it!

However, for those who would like to use it, go to settings, enable crosspost to Nostr, and done; note that it only shows up on platforms like habla.news rather than directly in your feed.

Final Words

Don't be so serious about the number games like in other social media, because most of the numbers are incorrect and there are many bots there. Better to care less about numbers and cheap likes, and more about how many people actually trust you and are willing to vote with sats.

Also, there is no privacy online. Using Nostr can be good training in learning what is public and what is private: freedom comes with responsibility, so think twice before you share anything there.

Have fun Nostring! 💜