Debating whether I should create a new npub since I put my nsec into the Alby extension, which compromises it to Alby in a similar way people were up in arms over ZBD.
Discussion
Yet another reason I will never use Alby for anything.
Alby says they don't store or have access to that key and it lives in the browser ext only. The plugin is OSS so I tend to believe em...
It's definitely getting stored somewhere "in the cloud". Whether that's Alby or something else doesn't matter if it's compromised, but I'll decide what to do with it after looking at the code. Maybe it's encrypted with the password.
It does? lmk what you find.. also, check out keys.band if you're tired of nos2x.. it's different and the UI is kinda nice. (Based on nos2x code)
OK, I've dug a little in GitHub and yes, the Alby extension is encrypting with the password and only storing to browser.storage.local, so then it should only cross via cloud sync of the browser, which is out of Alby's hands.
Of course, I don't have sync enabled, so I'm missing something of how it happened.
I didn't think that data was stored anywhere but locally, which is why if you install the extension to a new browser you have to reenter it.
This can't be true, or they've changed something, as a recent install of the extension on a new machine and login resulted in the nsec being available.
Let's ask em! nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm I thought the extension didn't store the nsec in a #cloud, does it?
Same with me, Vic.
Alby and most crypto extensions for browsers store their data in a special secure cache, usually one provided by the desktop bus or similar in whatever operating system (GNOME has one that used to be called Seahorse).
Similarly, most web apps store their keys in these little enclaves as well. It is better to keep the key isolated from the browser entirely though, but the security is relatively well defended.
