Someone just asked me this:

Do nostr clients just promise pinky swear they won't steal your identity after you use your private key to "log in?"

What’s the proper answer? #asknostr


Discussion

Clients should allow signing through extensions like Alby or Nos2x; otherwise yes 🙌 nothing prevents a client from taking your key if they are malicious.

I would think the same could hypothetically be asked of these browser extensions? No? And if you’re on an iOS or Android app the answer can’t be “use a browser extension” because it’s not possible.

True, the buck stops somewhere. Nos2x is developed by fiatjaf, so I guess you gotta trust him 😄 or the Alby team, and for iOS there is Nostore.

Nothing prevents a browser extension from taking your private key

But trusting one browser extension vs every client that you would share your key with seems like a trade off in the right direction 😆

The proper answer is that we don't paste private keys into websites. Or wear a Ledger around the neck.

Or eat Doritos

Or 🍍 🍕

no, but your phone is

That is why open source is so important!

Technically you never "log in", if you're on a website, you typically identify yourself with your npub (if you gave your nsec, the browser keeps that locally and works out the npub and gives that to the website). Then when you use the site, your browser signs all your posts on your behalf.

No one but you and your computer sees the private key. Malware may figure out how to steal your key from your computer but they don't pinky promise nothing.

If you use an app, hopefully you've chosen an open source and well trusted app. If you have, then you already know that the nsec is kept on your mobile phone and not given to the app developers. If you did not, let's say yes, they pinky promise. But you shouldn't trust a pinky promise.

Thank you. That makes sense

That's assuming that there are no bad actors, or that there won't be malicious actors when nostr catches on. We shouldn't normalise pasting any kind of private key into any kind of app, website or browser. That's why we have signing devices.

Let's give more valid options:

1. Open source software with auto updates turned off (e.g. browser extensions like Alby).

2. Open source software with updates off, like apps from F-Droid.

3. Hardware signing devices like Ben Arc's ESP32 device.

4. Nostr nsecbunker on a 24/7 server.

1 and 2 are objectively riskier than 3 and 4 because 3 and 4 are more likely to have your nsec stored on a device with less consumer grade software and less casual and social activities performed on them making them less likely to receive malware and viruses.

You can switch off updates for browser extensions by going to the extension details page and toggling the switch next to "Allow automatic updating".

How do I then update Alby extension?

So you mean extensions like Alby as Signing Devices or some hardware devices?

Extensions, a local wallet or a hardware device. Any device that signs your requests locally before broadcasting them to the network. Just like we know it from Bitcoin. So yeah, Alby, Electrum, anything is better than copying a private key into a website or app.

The browser signing extensions have a lot of eyes on them.

For example, I run a firewall that monitors every packet in and out, if any of the signing extensions I use were sending private keys out I'd know.

Other people also have their own ways of verifying; the codebases for these extensions are pretty small and not difficult to audit.

i think you would login with your pubkey, no?