Technically you never "log in". If you're on a website, you typically identify yourself with your npub (if you gave your nsec, the browser keeps that locally, works out the npub and gives that to the website). Then when you use the site, your browser signs all your posts on your behalf.

No one but you and your computer sees the private key. Malware may figure out how to steal your key from your computer but they don't pinky promise nothing.

If you use an app, hopefully you've chosen an open source and well trusted app. If you have, then you already know that the nsec is kept on your mobile phone and not given to the app developers. If you did not, let's say yes, they pinky promise. But you shouldn't trust a pinky promise.


Discussion

Thank you. That makes sense

Can a browser sign anything with only a noun?

Can a browser sign anything with only an npub? Spell check got me.

No. A browser cannot sign anything with an npub; it can only use it to find things related to you that have already been signed and published (read only).

That's assuming that there are no bad actors or that there won't be malicious actors when nostr catches on. We shouldn't normalise pasting any kind of private keys into any kind of app, website or browser. That's why we have signing devices.

Let's give more valid options:

1. Open source software with auto updates turned off (e.g. browser extensions like Alby)

2. Open source with updates off like apps from fdroid.

3. Hardware signing devices like Ben Arc's ESP32 device.

4. Nostr nsecbunker on a 24/7 server.

1 and 2 are objectively riskier than 3 and 4, because 3 and 4 are more likely to have your nsec stored on a device with less consumer-grade software and fewer casual and social activities performed on it, making it less likely to receive malware and viruses.

You can switch off updates for browser extensions by going to the extension details page and toggling the switch next to "Allow automatic updating".

How do I then update the Alby extension?

So you mean extensions like Alby as signing devices, or some hardware devices?

Extensions, a local wallet or a hardware device. Any device that signs your requests locally before broadcasting them to the network. Just like we know it from Bitcoin. So yeah, Alby, Electrum, anything is better than copying a private key into a website or app.