# Nostr Discovery – Security & Data Exposure ## If Someone Saw the Published Data The Nostr discovery feature previously published node identity (DID, Tor onion address, version) to public relays. If someone saw that data, here’s what they could have and how to respond. ### What Could Have Been Seen 1. **Relay operators** (relay.damus.io, relay.nostr.info): - Your server’s **IP address** when it connected to publish - The **Tor onion address** you advertised - **Timing** of when you published 2. **Anyone querying Nostr** for archipelago nodes: - Your **Tor onion address** (designed to be shareable) - Your **DID** (public identifier) - **Software version** ### Mitigations | Exposure | Mitigation | |----------|------------| | **IP address** | Cannot be undone. If relay operators logged it, they still have it. Consider: moving to a new IP, using a VPN for future traffic, or treating the server as potentially identified. | | **Tor onion** | The revocation overwrites the Nostr event so new clients won’t see it. If someone cached the onion, they can still reach the node. To invalidate it: **rotate the Tor hidden service** (new onion, old one stops working). | | **DID** | Public by design; no mitigation needed. | | **Version** | Update to a newer version; old version info becomes less useful over time. | ### Rotating the Tor Hidden Service (New Onion) To invalidate an exposed onion address: 1. Stop the Tor container. 2. Remove the hidden service directory: `rm -rf /var/lib/archipelago/tor/hidden_service_archipelago` 3. Restart the Tor container so it creates a new onion. 4. Update any peers or links that used the old onion. ### Current Protections (Post-Fix) - **Revocation**: On startup, the backend publishes a replacement Nostr event with empty content, so normal discovery no longer shows your node. - **Tor proxy**: Nostr traffic uses Tor (127.0.0.1:9050) so relay operators no longer see your IP. - **Opt-in defaults**: Discovery is on by default but only uses configured relays and routes through Tor.