**Attention new plebs that joined Nostr:**

While you're trying out new clients, don't just go and enter your private key everywhere. This is like the private key for your bitcoin. You want to keep it safe. There's an extension that can help with this. Either [nos2x](https://chrome.google.com/webstore/detail/nos2x/kpgefcfmnafjgpblomihpgmejjdanjjp) or [GetAlby](https://chrome.google.com/webstore/detail/alby-bitcoin-lightning-wa/iokeahhehimjnekafflcihljlcjccdbe). These extensions essentially hold your private key and help you sign transactions, so you don't have to enter it directly into a website. Once you have these installed, visit metadata.nostr.com and set up your profile picture and your NIP-05 ID. If you're using the Damus app, this doesn't apply to you. Enjoy!

Want a NIP-05 ID? nostrplebs.com can help you out with that. 🤝

Discussion

You can also find all sorts of plebs to follow by looking at #Plebchain.

And they follow back. 🙌🏻

ALL DAY LONG

#plebchain

Can you say why it doesn't apply for Damus? I mean I know the extensions are on a desktop, but is it ok to enter a private key here in Damus? Or is there a safer way to get in here that you or anyone knows of?

The key entered into the application shouldn't be vulnerable to an XSS attack.

Ohh interesting thanks!

Can you explain why entering my private key in Alby is safe?

Entering your key into a website makes you vulnerable to XSS (cross site scripting) events. Using Alby or nos2x is safer. It's like a Bitcoin wallet / signing device.

I still don't understand why. Seems like I wouldn't ever want to enter my private key for any reason other than its primary purpose.

That is the primary purpose though. To sign transactions. Not your keys, not your notes. If you feel safe doing that, that's on you. I'm just trying to give what's seen as best practice for your security. People have already lost their keys in XSS events in some clients.

Its primary purpose is to authorize anything you do. Clients ask for it so the client can log you in and allow you to follow accounts (pubkeys), make posts, DMs, etc.

Personally I use nos2x, something similar to the Nostr Alby extension's abilities.

nos2x was made by #[2], the dude who created the Nostr protocol.

I think the idea is that you are one step removed with the private key in Alby, i.e. Alby requests permission to use your private key.

Whereas something like your initial Astral account has both your private and public keys in one "app".

I could be totally off base on this and I'm sure someone more tech savvy will intervene.

With Astral, the private key is saved in your browser's local storage, but yes, you're not entirely off base here. The main thing to worry about is XSS vulnerabilities.

Correct me if I’m wrong, is this referring to the possibility of navigating to a link outside of the app that will bring the local storage along?

Is this still possible in Android without user interaction?

You can build nos2x yourself and install it on your browser: https://github.com/fiatjaf/nos2x

Yep! I built mine. That's what I run.

Don’t trust, verify <3

thanks

It’s not at all like your private key to your bitcoin

Why isn't it? I use my bitcoin private key to sign transactions. I use my nostr private key to sign transactions. The analogy in that regard seems legit.

Plus, if you read my context, I said "you want to keep it safe". Are you suggesting that people should NOT keep their bitcoin private keys safe?

*Your keys must never touch an internet-connected device.* We ain't there yet.

Rotating nsec with NIP5 will be the standard

That's a viable solution once everyone has a NIP-05. I like it. It would make people not lose followers as they do now when they switch keys. It would make burning your keys a much easier task for some.

Thanks this is what I was getting at. Can you elaborate on what you mean about NIP5 and nsec?

On Damus, nsec… is your private key, so I mean npub… your public key will be rotated.

NIP5 allows you to rotate public keys with a domain name identifier that looks like an email

So every week I can just rotate keys and the clients can add all my follows to my profile based on this domain name identifier rather than the public key.

jack@no.str.cr is an example of what one looks like

Got my NIP-05 already good sir. Thank you for doing the lord's work.

thank you and you're welcome.

oh good, I thought you were gonna say your keys were connected to your identity somehow, carry on

You don't need to go to nostrplebs...

If you are verified in nostr.directory using your Twitter handle, you just need to update your NIP-05 with @nostr.directory.

Report this so that we can spread this tip.

#[1]