What if the server is compromised? Can't they just have malicious code in the .js that sends every piece of information (like the private key) away to the attacker?

So the client types in the password and it is sent away with the already decrypted or encrypted nsec?

Discussion

Sure, this is true of any computer keeping a secret or any app where you enter your nsec or your Lightning node keys.

The idea is reducing to a minimum the surface area.

One place where you store your key, and everything else uses it remotely > entering your nsec on every nostr app
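As an added example of the design the reply above describes, here is a minimal remote signer in Go. It is not nsecbunker's code or any other project's; it assumes Ed25519 in place of nostr's secp256k1 Schnorr signatures (so it needs only the standard library), a JSON event shape of my own, and a per-client allowlist of event kinds as the "surface area" being reduced. The client never holds the key: it builds the event, hands the serialized bytes to the signer, and gets back a signature it cannot produce itself, while the signer refuses anything outside its policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is a simplified nostr-style event; only the signer can fill in Sig.
type Event struct {
	PubKey    string `json:"pubkey"`
	CreatedAt int64  `json:"created_at"`
	Kind      int    `json:"kind"`
	Content   string `json:"content"`
	Sig       string `json:"sig,omitempty"`
}

// Signer is the single place holding the private key; clients only get the
// public key and signatures. Ed25519 stands in for nostr's secp256k1 Schnorr keys (an assumption).
type Signer struct {
	priv         ed25519.PrivateKey
	allowedKinds map[int]bool // policy: event kinds this client may have signed
}

// NewSigner generates a fresh key and restricts signing to allowedKinds.
func NewSigner(allowedKinds []int) (*Signer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &Signer{priv: priv, allowedKinds: map[int]bool{}}
	for _, k := range allowedKinds {
		s.allowedKinds[k] = true
	}
	return s, nil
}

// PublicKey is the only key material that leaves the signer.
func (s *Signer) PublicKey() string {
	return hex.EncodeToString(s.priv.Public().(ed25519.PublicKey))
}

// Sign handles one remote-signing request: parse the unsigned event, enforce
// the kind policy, and return a signature over the event's SHA-256 digest.
func (s *Signer) Sign(unsigned []byte) (string, error) {
	var ev Event
	if err := json.Unmarshal(unsigned, &ev); err != nil {
		return "", err
	}
	if !s.allowedKinds[ev.Kind] {
		return "", fmt.Errorf("policy: kind %d not allowed for this client", ev.Kind)
	}
	digest := sha256.Sum256(unsigned)
	return hex.EncodeToString(ed25519.Sign(s.priv, digest[:])), nil
}

// RequestSignature is the client side: build the unsigned event, send its
// serialization to the signer, and attach whatever signature comes back.
func RequestSignature(s *Signer, ev Event) (Event, error) {
	ev.PubKey = s.PublicKey()
	ev.Sig = "" // omitted from the JSON, so signer and verifier hash the same bytes
	unsigned, _ := json.Marshal(ev) // cannot fail for this plain struct
	sig, err := s.Sign(unsigned)
	if err != nil {
		return Event{}, err
	}
	ev.Sig = sig
	return ev, nil
}

// Verify is what a relay or reader does: hash the event with Sig cleared and
// check the signature against the embedded public key.
func Verify(ev Event) bool {
	sig, err := hex.DecodeString(ev.Sig)
	if err != nil {
		return false
	}
	pub, err := hex.DecodeString(ev.PubKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a wrong-size key, so check first
	}
	ev.Sig = ""
	unsigned, _ := json.Marshal(ev)
	digest := sha256.Sum256(unsigned)
	return ed25519.Verify(ed25519.PublicKey(pub), digest[:], sig)
}

func main() {
	signer, _ := NewSigner([]int{1}) // this client may only request kind-1 signatures
	signed, err := RequestSignature(signer, Event{CreatedAt: 1700000000, Kind: 1, Content: "hello"})
	fmt.Println("kind 1 signed:", err == nil, "verifies:", Verify(signed))
	_, err = RequestSignature(signer, Event{CreatedAt: 1700000001, Kind: 4, Content: "dm"})
	fmt.Println("kind 4 rejected:", err)
}
```

Replacing the in-process `Sign` call with a network hop, which is what a remote signer does in practice, changes nothing in the trust model shown here: a compromised client can ask for signatures on what the policy allows, cannot get the key out, and has its blast radius bounded by the allowlist.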

What about extensions or desktop/phone apps, software? It would be way harder to push any malicious code out, as you can have updates restricted to signed updates only, which means the user doesn't need to trust the server they get the update from. That is not true for web apps: every time you use a web app you could be served malicious code. I am not sure about what kind of update security extensions have, but with desktop apps and on Android this could be achieved. The thing with other providers like Facebook, Twitter etc. is that they do not store an encryption key; if the password gets leaked they can always change it in their DB (after they verify the user), which is not possible here, as the only verification (and the "source of truth") is the private key.
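An added example, written for this thread rather than taken from any app or extension it mentions, of what "updates restricted to signed updates only" amounts to in code. It assumes Ed25519 release keys, a JSON manifest shape of my own (version, monotonic build number, bundle SHA-256), and a publisher public key pinned inside the installed app. The download host is treated as untrusted: it can serve any bytes it likes, but the app only applies an update whose manifest verifies under the pinned key, whose bundle hash matches that manifest, and whose build number is newer than what is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the publisher signs for each release. Build is a
// monotonic counter so an old, genuinely signed release cannot be replayed.
type Manifest struct {
	Version   string `json:"version"`
	Build     int    `json:"build"`
	BundleSHA string `json:"bundle_sha256"`
}

// BundleSHA is the hex SHA-256 the manifest commits to.
func BundleSHA(bundle []byte) string {
	sum := sha256.Sum256(bundle)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publisher's offline step: the release key signs the
// serialized manifest. The update server never holds this key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte) {
	raw, _ = json.Marshal(m) // cannot fail for this plain struct
	return raw, ed25519.Sign(priv, raw)
}

// VerifyUpdate is the installed app's gate. pinnedPub ships inside the app,
// so whatever the download host serves is checked against a key the host
// does not control; the bundle is hashed and compared to the signed manifest;
// and a build number no newer than the installed one is refused.
func VerifyUpdate(pinnedPub ed25519.PublicKey, raw, sig, bundle []byte, installedBuild int) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, raw, sig) {
		return Manifest{}, errors.New("manifest not signed by the pinned publisher key")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return Manifest{}, err
	}
	if m.Build <= installedBuild {
		return Manifest{}, fmt.Errorf("rollback refused: build %d is not newer than installed %d", m.Build, installedBuild)
	}
	if BundleSHA(bundle) != m.BundleSHA {
		return Manifest{}, errors.New("bundle hash does not match the signed manifest")
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher's release key pair (constructed)
	bundle := []byte("constructed app bundle v1.2.0")
	raw, sig := SignManifest(priv, Manifest{Version: "1.2.0", Build: 12, BundleSHA: BundleSHA(bundle)})

	_, err := VerifyUpdate(pub, raw, sig, bundle, 11)
	fmt.Println("genuine update:", err)

	// A compromised host can swap the bundle but cannot re-sign the manifest.
	_, err = VerifyUpdate(pub, raw, sig, []byte("constructed tampered bundle"), 11)
	fmt.Println("tampered bundle:", err)

	// It can sign its own manifest, but with a key the app does not pin.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherRaw, otherSig := SignManifest(otherPriv, Manifest{Version: "9.9.9", Build: 99, BundleSHA: BundleSHA(bundle)})
	_, err = VerifyUpdate(pub, otherRaw, otherSig, bundle, 11)
	fmt.Println("wrong signing key:", err)
}
```

The contrast with a web app is the pinned key: a browser has nothing comparable to check the served .js against, so whatever the server sends is what runs. Without the build-number check, a host that kept an old but genuinely signed release could also serve it back as a downgrade, which is why the manifest commits to a counter as well as a hash.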

nsecbunker is not a webapp though 😉

it has a web UI admin interface, but it's fully optional

phones, as always-on devices, tend not to be reliable enough