Signer extensions are dead to me. Absolute dead-end for storing keys.

They are the worst security nightmare. They don't exist on mobile. Browsers can't even agree on a spec.

Time to rebuild the web3 promise with NIP-46 and PWA. It's so obvious. It just works.

The age of nostr-RPC interfaces will be glorious.


Discussion


👀

I am currently using Nostash on iOS, wdym? On desktop nos2x and Alby work just fine for me.

All implementing the same simple API and being pain-free compared to trying to set up a custom bunker (how to ensure uptime?) and adding apps…

One example is hist.nostr.land. It would be simply impractical to use bunkers for an app they will maybe use only once in a while.

Tell me how to get this UX with bunkers:

https://v.nostr.build/WgrPBpciGQ0yaFzI.mp4

signing extensions require you to inject arbitrary code into literally every website

you know what I'm talking about

okay so what? I can audit what they are doing

not to mention chrome and firefox have features to click-to-enable extensions on websites

click to approve code injection 😂

alright I am going to cook up a tasty PWA signing flow for you, with a nip-7 bridge for dessert.

if you like it, you can help me make a safari version 😁

but I can audit the code being injected with my own extension build so I don’t care

nsec.app has a decent flow, and I'm going to make it even better

so all users should be beholden to one centralized signing app?

also, one invisible code update can exfiltrate your nsec, and then could be removed. and you wouldn’t know

where I'm going, there won't be an nsec to exfiltrate :-)

but I get your point. I think you can disable updates for installed PWAs (via the service worker)

the service worker will always be updated from the backend

I have done offline installs before, I think you can just keep it local with no remote host.

Both PWAs and extensions can fetch packages dynamically anyway

Looking forward to seeing where all this goes… 👀

#nostr #memes

nostr:npub1yaul8k059377u9lsu67de7y637w4jtgeuwcmh5n7788l6xnlnrgs3tvjmf's Nostash is working great for me on mobile, while bunkers have been a complete fail.

PWAs with something that works would be good to see.

Has been for me as well.

Bunkers are still in disarray. There is no solution for ensuring bunker uptime too. Not everyone has a server to put it on, or wants to run an app that drains their battery.

Connecting new apps is a pain, requiring copying a string over from your bunker (which requires you to login, if it’s not an app)

Things like nsec.app are a bigger security risk than extensions. Remember the Bybit hack? The nsec.app server can add malicious JS to the frontend and delete it minutes after. You wouldn’t even know.

With extensions you would need to update, and you can do your own builds as well locally instead of relying on Google or Mozilla.

or if that was not enough, this UX is impossible with bunkers:

nostr:nevent1qqsxr9vnyvghh4763uz5aldyqqlrudcl3j65zh6jv6dwp35gnp2hrkg5vkhln

I get that you are mad about bunkers, but let's not pretend that extensions are somehow unable to load arbitrary code at runtime (they can), or that you somehow can't build and side-load PWAs (you can).

I agree with you that nsecbunker sucks. I have been building rpc-like interfaces over nostr long before nsecbunker was even a thing.

Also, extensions can break into other page processes and perform XSS attacks. Be real dude.

Extensions can load code at runtime, sure. But PWAs can as well.

Sure, extensions can run code on websites. But I can restrict on which, and/or audit the code. So none of that matters!

Even if they somehow did slip through, if an extension is malicious, I have concerns about my nsec, not about it tampering with my Nostr client.

PWAs can also exfiltrate my nsec, and be remotely updated. So far I have seen no real solution to the problem that you need an HTTPS website.

I reject the Apple walled garden.

But it's good to know Safari mobile has extension support. It's a wasteland on Android.

What are your thoughts on native signer apps, such as Amber (NIP-55)?

Yeah... Amber works just dandy for me

Agreed that asking a user to install a browser extension feels very wrong

A dedicated and reliable, native, phone signer app - or even a separate hardware device - is what we need

Did you try #keychat?

It provides an in-app browser that works with extension login. A play store for nostr web apps without permission

I am of a similar opinion, which is why I purchased this device. However, I have not been successful in using it...

Maybe someone knows how to use it? 😅

https://shop.lnbits.com/product/nsec-remote-nostr-signer