nexusurl.store nexus onion notebook
Habit

Two checks before I type a Nexus password

Both take under a minute and both have caught something for me at least once. If you only pick one, the captcha match is the faster one, and it is what stops most attempts. The PGP path is what makes the captcha check trustworthy in the first place.

01The captcha match

When you land on the Nexus login, there is a captcha image between you and the password field. Somewhere inside that image, the operator paints the current onion address. Read those letters. Compare them to what is in your URL bar. If both strings match, character for character, you are on a mirror the operator wanted you to be on. If they do not, close the tab.

This works because a phishing clone cannot easily regenerate a fresh captcha with the fake onion painted into it in real time. Most clones bake one static image and never touch it. The address inside their captcha stays the real one even while the URL bar shows the fake one, which is exactly what the check catches.

02The PGP verification, once per rotation

Every time the primary onion moves, the operator publishes a signed message with the new address. You verify that signature against the operator's public key. If it validates, the new address is trustworthy, and you save it. If it does not, the message is fake and the address inside is worthless.

Concrete steps.

  1. Save the operator public key into a file called nexus.asc. Import once with gpg --import nexus.asc.
  2. Save the signed announcement into rotation.txt. Include the whole envelope from BEGIN PGP SIGNED MESSAGE to END PGP SIGNATURE.
  3. Run gpg --verify rotation.txt. You want a line that says Good signature.
  4. Compare the onion inside the message to what you were about to bookmark. Match wins, mismatch means the address does not belong on any list.
once, then never again

You import the operator key one time. After that, every future rotation gets verified against the key already in your ring. No forum, no directory and no chat handle can force a fake address on you once you have the key on file.