One thing that has raised a red flag for me about #Nostr is the fact that several applications require users to provide their private key. Needless to say, this is not in line with security best practices, and could put a user's data at risk. Am I wrong? Thoughts on that?


Discussion

You’re right. It’s evolving, I think everyone plans on having a new way of doing it where the key isn’t on a hot device eventually

you mean like apps keeping/recording private keys?

I had exactly the same thought. I think there exists a solution where you store your key in a browser extension?

Haven't tested this, though.

I’ll investigate that browser extension. I appreciate it, anty! I might report back after I’ve learned more.

You can use a browser extension like Alby to manage your private key while using web clients. I think there is also a NIP for remote signing. And you could create a whole range of readonly apps that only need pubkeys
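
The signer boundary described in the reply above, as an added example that is not from the thread, from Alby, or from any Nostr client: the client code only ever sees a signer object's public key and its sign() call (the surface a browser-extension signer exposes), while the secret key stays inside the signer. The event layout follows NIP-01 and the signature is BIP-340 Schnorr over secp256k1, written out in pure Python purely for illustration; a real client would hand signing to the extension or use libsecp256k1.

```python
import hashlib, json, secrets  # added example, not from the thread; pure-Python BIP-340 is for illustration only
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def _add(a, b):  # affine point addition on secp256k1; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and a[1] != b[1]: return None
    lam = 3*a[0]*a[0]*pow(2*a[1], -1, P) if a == b else (b[1]-a[1])*pow(b[0]-a[0], -1, P)
    return (x := (lam*lam - a[0] - b[0]) % P, (lam*(a[0] - x) - a[1]) % P)
def _mul(k, pt=G):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r
def _tagged(tag, *parts):  # BIP-340 tagged hash, returned as an integer
    t = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(t + t + b"".join(parts)).digest(), "big")
def _b(i): return i.to_bytes(32, "big")
def event_id(ev):  # NIP-01: the id is sha256 of this compact JSON array
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()
class LocalSigner:
    """Holds the key; exposes only pubkey and sign(), like an extension signer does."""
    def __init__(self, sk=None):
        self._d = sk or secrets.randbelow(N - 1) + 1
        pt = _mul(self._d)
        if pt[1] % 2: self._d = N - self._d  # BIP-340 uses the secret whose pubkey has even y
        self.pubkey = _b(pt[0]).hex()
    def sign(self, unsigned):
        ev = dict(unsigned, pubkey=self.pubkey)
        ev["id"] = event_id(ev)
        pk, m, d = bytes.fromhex(self.pubkey), bytes.fromhex(ev["id"]), self._d
        k = _tagged("BIP0340/nonce", _b(d ^ _tagged("BIP0340/aux", secrets.token_bytes(32))), pk, m) % N
        R = _mul(k)
        if R[1] % 2: k = N - k  # negate the nonce so R has even y
        e = _tagged("BIP0340/challenge", _b(R[0]), pk, m) % N
        ev["sig"] = (_b(R[0]) + _b((k + e * d) % N)).hex()
        return ev
def verify(ev):  # what a relay checks: id matches the content, sig is valid BIP-340 over the id
    x, sig, m = int(ev["pubkey"], 16), bytes.fromhex(ev["sig"]), bytes.fromhex(ev["id"])
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)  # lift_x: recover the even-y point for this x
    if ev["id"] != event_id(ev) or (y*y - x**3 - 7) % P: return False
    e = _tagged("BIP0340/challenge", sig[:32], bytes.fromhex(ev["pubkey"]), m) % N
    R = _add(_mul(int.from_bytes(sig[32:], "big")), _mul(N - e, (x, y if y % 2 == 0 else P - y)))
    return R is not None and R[1] % 2 == 0 and R[0] == int.from_bytes(sig[:32], "big")
def client_post(s, content, ts=0): return s.sign({"created_at": ts, "kind": 1, "tags": [], "content": content})  # client side: no key, only the signer API
```

Everything the client needs is `signer.pubkey` and `signer.sign(unsigned_event)`; a remote signer or a read-only app that only holds pubkeys plugs into the same boundary.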

I’ll investigate that browser extension and the NIP. Thank you, Kwinten!

I thought the same since I started here by reading your original post. We create a super secure private key and then... Give it to each and every client we try?

There should be a way to proxy it.

At least it could be like the Bitwarden/LastPass approach: never saving it and keeping it in memory only.

Key delegation looks like a promising solution.