Replying to Avatar The Fishcake (nostr.build)

I am not claiming that I know the code well en, so take my comments with a grain of salt. If signing is done at the client and key is never known to nsecbunker in its plain form, then only client has the access, if not, then server has the access. nostr:npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft will be able to confirm one or the other way. 🐶🐾🫡

Avatar
Steven Day 1y ago

From the site: “Your nostr keys are stored encrypted with a passphrase you provide and must be decrypted by you before they can be used”

Reply to this note

Please Login to reply.

Discussion

Avatar
Luxas 1y ago

So is your passphrase salted? Is that saved somewhere? Or you have to enter each time to decrypt and sign?

Avatar
The Fishcake (nostr.build) 1y ago

Don’t trust, verify! 🐶🐾🫡

nostr:note1pzcttlcgylnxlnry4ul4px02se9q8e4nd07f23rp7v2ke52zy3yshyf9wf

Avatar
Luxas 1y ago

So passphrase is only used at runtime and not stored in mem?

Avatar
The Fishcake (nostr.build) 1y ago

I don’t know but if the service has access to both (encrypted nsec and passphrase), then it is not hard to get a clear text nsec. It is clearly stored in mem since it’s in variable 🐶🐾🫡