Maybe somebody already asked this before, but why is it recommended to use an extension to log in to web clients and not on mobile clients/apps? #asknostr
Discussion
Good question
One must never expose private key material to the DOM
I guess nobody gives a shit 😂 or I'm shadowbanned 🤷🏻‍♂️
Something about securing your private key.
I'm not an expert on it, but my understanding is if you c/p your private key into a web client, you risk 2 things:
1. The web client could be dodgy and actually send your nsec to their server
2. Even if the web client isn't dodgy, your nsec will be stored in a cookie and that can be leaked through exploits / undiscovered bugs.
The extension is meant to mitigate these things. You're still taking a small leap of faith in trusting the extension, but it's a lot better than trusting the bazillion different clients instead.
Don't trust your nsec to web browsers. The more places you input it directly, the more attack vectors there are for figuring out what it is.
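
The check below is an added example, not code from this thread or from any Nostr client: it audits page-readable storage (the cookie string, localStorage values) for nsec-shaped tokens, which is the exposure the replies above describe. The function names and the sample key are constructed for illustration; the `nsec1` bech32 encoding follows NIP-19.

```javascript
const CHARSET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l'; // bech32 alphabet
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
const hrpExpand = (hrp) => [...hrp].map((c) => c.charCodeAt(0) >> 5)
  .concat(0, [...hrp].map((c) => c.charCodeAt(0) & 31));
// bech32 checksum polynomial (BIP-173)
function polymod(values) {
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((top >>> i) & 1) chk ^= GEN[i];
  }
  return chk;
}

// True when s is a checksum-valid bech32 string with the "nsec" prefix.
function isValidNsec(s) {
  const data = [...s.slice(5)].map((c) => CHARSET.indexOf(c));
  return s.startsWith('nsec1') && !data.includes(-1) &&
    polymod(hrpExpand('nsec').concat(data)) === 1;
}

// Scan named strings for nsec-shaped tokens; hits are redacted so the report leaks nothing.
function findExposedNsec(sources) {
  const hits = [];
  for (const [where, text] of Object.entries(sources)) {
    for (const m of String(text).matchAll(/nsec1[02-9ac-hj-np-z]{58}/g)) {
      hits.push({ where, checksumValid: isValidNsec(m[0]), redacted: m[0].slice(0, 9) + '…' });
    }
  }
  return hits;
}

// Builds a constructed sample nsec from 32 bytes, only to exercise the scanner.
function encodeNsec(bytes) {
  const data = []; let acc = 0, bits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 5) { bits -= 5; data.push((acc >> bits) & 31); }
    acc &= (1 << bits) - 1; // keep only the leftover bits
  }
  if (bits > 0) data.push((acc << (5 - bits)) & 31);
  const mod = polymod(hrpExpand('nsec').concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  for (let i = 0; i < 6; i++) data.push((mod >> (5 * (5 - i))) & 31);
  return 'nsec1' + data.map((v) => CHARSET[v]).join('');
}

const sample = encodeNsec(new Uint8Array(32).fill(7)); // constructed, not a real key
console.log(findExposedNsec({ cookie: `theme=dark; session=${sample}` }));
```

In a browser console, pass `document.cookie` and the values read from `localStorage` as the sources; a hit with `checksumValid: true` means a well-formed key is readable by every script running on that page.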