#askNostr Why do many clients say that logging in with the private key is not secure, and some, like Coracle, don't even allow it? Isn't the private key transmitted over HTTPS, just like any password? What is insecure?

Discussion

What is insecure is that your private key IS YOU on Nostr. Therefore, sharing it with an application risks the app dev, or any other service they have as a dependency, having access to pose as you.

OK, but doesn't signing share the same private key with the app?

That's the beautiful part. A signed message does not reveal the private key used to sign it, only that it legitimately belongs to the public key.
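The property described in this reply, as an added example (not code from the thread or from any Nostr client): a minimal BIP340 Schnorr sign/verify over secp256k1 in pure Python, the signature scheme Nostr events use. `sign` stands in for the signer (extension or Amber) and holds the private key; `verify` stands in for the client or relay, which receives only the 32-byte public key and the 64-byte signature. `msg32` is assumed to be the 32-byte hash the signer is asked to sign (in Nostr, the event id).

```python
import hashlib, secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P_MOD == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P_MOD) % P_MOD
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P_MOD) % P_MOD
    x = (lam * lam - a[0] - b[0]) % P_MOD
    return (x, (lam * (a[0] - x) - a[1]) % P_MOD)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def tagged_hash(tag, msg):  # BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def b32(i): return i.to_bytes(32, "big")
def pubkey(d):  # 32-byte x-only public key: the identity everyone else sees
    return b32(mul(d, G)[0])

def sign(d, msg32):  # runs inside the signer (extension or Amber); d never leaves this function
    P = mul(d, G)
    if P[1] % 2: d = N - d  # BIP340 requires the key's point to have even y
    t = b32(d ^ int.from_bytes(tagged_hash("BIP0340/aux", secrets.token_bytes(32)), "big"))
    k = int.from_bytes(tagged_hash("BIP0340/nonce", t + b32(P[0]) + msg32), "big") % N
    R = mul(k, G)
    if R[1] % 2: k = N - k
    e = int.from_bytes(tagged_hash("BIP0340/challenge", b32(R[0]) + b32(P[0]) + msg32), "big") % N
    return b32(R[0]) + b32((k + e * d) % N)  # 64 bytes: R.x || s, no key material

def verify(pub32, msg32, sig):  # runs in the client or relay; only the public key is needed
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    x = int.from_bytes(pub32, "big")
    y = pow((x ** 3 + 7) % P_MOD, (P_MOD + 1) // 4, P_MOD)  # lift_x: square root mod p
    if r >= P_MOD or s >= N or x >= P_MOD or (y * y - x ** 3 - 7) % P_MOD: return False
    P = (x, y if y % 2 == 0 else P_MOD - y)  # pick the even-y point
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pub32 + msg32), "big") % N
    R = add(mul(s, G), mul(N - e, P))  # s*G - e*P must equal the signer's R
    return R is not None and R[1] % 2 == 0 and R[0] == r
```

Run `verify(pubkey(d), msg32, sign(d, msg32))` to see that checking a signature needs nothing the signer keeps secret, while changing one byte of the message or using a different public key makes it fail.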

Obviously! Thank you sir. Getting a signing extension now. 😃

Are the signing extensions only for web apps? What about phone apps? Does the phone app store your private key locally and sign things, acting like a signing extension?

The extensions like Alby and Nos2x are just for web apps.

What's available for mobile apps depends on your operating system. There aren't currently any signer apps available for iOS. On Android we have #Amber, though, and it's fantastic!

It can be a challenge to figure out which apps actually work with a signer app, though. Here's my wiki article with as complete a list as I have been able to compile:

nostr:naddr1qq4xummnw3ez6cmvd9jkuarn94mkjarg94jhsar9wfhxzmpdwd5kwmn9wgkhxatswphhyaqpzdmhxue69uhhwmm59e6hg7r09ehkuef0qgstwf6d9r37nqalwgxmfd9p9gclt3l0yc3jp5zuyhkfqjy6extz3jcrqsqqq7rzceaccg

It is like the equivalent of posting a bitcoin wallet seed phrase in locations accessible to others.

You're trusting the devs, or the third party services they use, to not rug you.

There are signers you can use. Amber is one of them. It is an open source signing app that stores your info on your local device.

So Amber does not share my private key?

Yes. Your key is only used in Amber. It won't be shared.

You're trusting that the client handles the key appropriately and doesn't store it or leak it in the future, or worse, do something malicious on purpose. Logging in with your PK is handing your PK to the client. It doesn't really matter if it's securely transmitted. Use a signing extension on web (nos2x) or a signing app on mobile (Amber).