How does proving your private key to a third party browser extension improve security?
welcome to nostr… it's been a day and a lot of y'all have experienced damus, but did you know that's only one client? But when it's time to set out and experience nostr in a browser, it's important to protect your keys… so be sure to use a "nip 07" browser extension to visit as many nostr sites as you please with little concern.
On chrome:
https://chrome.google.com/webstore/detail/nos2x/kpgefcfmnafjgpblomihpgmejjdanjjp
On Mozilla:
https://addons.mozilla.org/en-US/firefox/addon/nos2x-fox/
Both with built in wallet:
iOS:
Discussion
so this way, only the extension has your key… the site requests a unique signature for each event, and the extension generates that sig from your key, and just passes that single-use signature to the site. The site never knows your nsec. You don't have to trust all the new sites that pop up. I even have zap buttons on my personal website that one can sign with an extension.
Thank you for responding. I’m still skeptical this would be a better security posture.
Attack Surface:
By installing a browser extension (or any software) you increase the attack surface on that device. The less you install, the fewer bugs you might have for attackers to exploit.
Third Party:
Why share your key with a third-party extension instead of sharing it directly and only with the site you want to use? Like a bitcoin private key, I would not share it with a third party and instead only input it directly into the wallet I intend to have it in.
I understand that an extension may offer features or convenience, but am skeptical that it is a more secure solution.
Yes, exactly. By giving 30 PWAs your nsec you are increasing your attack surface far more than a single browser extension.