Personally, sending private keys to a server just feels inherently wrong. Anyone controlling the server could sign on your behalf FOREVER, and there's no way of changing or rotating private keys with Nostr.
Of course, there's nothing stopping any client such as Iris.to from deploying some malicious JavaScript (even unintentionally) that steals everyone's private keys; therefore servers and upstream code do need to be monitored regardless. That said, we would know if Iris.to or another client was doing such things because we can see the client-side code, although it would likely be too late by then.
Nevertheless, if you send your private key to the server then you have no way of knowing what they'll do with it, how they handle that piece of data, whether their servers are compromised, etc.
I suppose this is one of the fragile things about Nostr's security model. A supply chain attack would hit really hard!!
#security #cybersecurity #nostr #asknostr