Until someone implements some way to rotate keys it just seems like a matter of time before an exploit in Firefox or something like that causes a thousand people to permanently lose their accounts. That seems like a much bigger issue with NOSTR than theoretical censorship (which is solved by installing a web browser, and if someone can't figure that out, I don't particularly want to talk to them anyway.)
Discussion
You can create a new account in 1 second
Spammers use this neat little trick every second or every day
That's not really the most important downside of other people getting access.
How? Everything is encrypted with your key
You can download all the data from a relay yourself right now on anyone
The bigger issues are access to encrypted messages, using popular accounts for scams, existing users with big followings not being able to recover them, things like that.
Like imagine if Chrome had some exploit where hackers were able to read the contents of browser extensions under certain conditions, a hacker sat on it for a year and collected the keypairs of Fiatjaf, Gleason, Will, Dorsey, all the big names, and then used them all at once to shill some kind of fake KickFundMe or crypto scam.
You know these dumb niggers would fall for it and you know a lot of the more casual browsers wouldn't move to their new keypair.
NOSTR has a lot going for it but it seems like a security nightmare just waiting to happen.
Yeah, good point
They sure have a lot of work to do. The infrastructure side is still terrible and the censorship game is growing.
Which domino will collapse first?
Is the censorship game really growing? Things seem mostly fine right now.
Maybe it will come back in a big way in a few years, but right now the priority for NOSTR should probably be better security (no one is working on this, as far as I know), better onboarding (people are working on this), and a decent algorithm to help people find content suited to them without crawling through firehose hell and dead hashtags (it looks like maybe some people are working on this? But I couldn't figure out how it was supposed to work last time I used NOSTR).
Yes
WoT relays are growing, and big apps are now censoring users like crazy based on user reports. WoT relays are using the same social credit score algorithm to auto-block users.
That's funny. I've been on Threads for the past month saying whatever I want and the only issue I ever ran into was getting mislabelled as spam a few times, but every time I appeal, it gets resolved within a couple of hours. Meanwhile NOSTR is ramping censorship up 🤣
A time where the mainstream Web2 sites are loosening their moderation and taking a relatively free speech approach is not a time where you want to make things worse on alt platforms.
NOSTR has to do something though, no barrier to entry puts all the burden on clients and Web of Trust isn't enough to solve the problem on its own. You have to have some kind of system to make the calculation for who's real and who isn't for NOSTR to work. Maybe paid relays really are the only way to make it work.
Eventually you'll probably be able to pick out bots more reliably with AI though so maybe the issue will fix itself in a few years. Hard to say.
I really hope the "big names" are using dedicated clients. Web extensions are convenient and user-friendly (I'm using one now) but the attack surface is comparatively large.
No real getting around that tradeoff, other than encouraging experienced users to try different clients.
I would expect it's much more likely that a client would have a vulnerability that allowed attackers to obtain private keys (this already happened with Lume), and if there were a vulnerability in Safari, Chromium, Firefox etc. it would be used for a much more valuable target than nostr private keys, at which point it would be identified and patched.
Actually, stupid me, I bet a lot of people aren't even using extensions to login, so probably all it takes for a mass hack on NOSTR is one new client who accidentally secures their server improperly, or for an impersonator to hang around for a few months.
Nope
A hacker can access a nostr database and it will mean dick