Nostr Web Client

Course he could. He could push an update with a sophisticated backdoor, any nostr dev could. That update gets past app review, your app auto-updates, adeiu to your key. Just because there is a commit in github, doesn't mean that code is what's in the IPA. This is not F-droid.

the axiom 5mo ago

that's quite a lot of steps involving multiple people, likely to get caught and lead to real world consequences even if after the fact, at least it would destroy nostr:nprofile1qqsr9cvzwc652r4m83d86ykplrnm9dg5gwdvzzn8ameanlvut35wy3gpzdmhxw309aex2mrp0yhx5c34x5hxxmmdqyxhwumn8ghj7mn0wvhxcmmvqyg8wumn8ghj7mn0wd68ytnvv9hxgpywa92's reputation forever

very different from one employee from the homeserver hosting provider being tricked into giving access to the account of an important person to some malicious entity

like we have seen happen many times in every big platform

Reply to this note

Please Login to reply.

Discussion

the axiom 5mo ago

worse even is that someone can say something then claim it wasn't them later

lots of broken incentives you're missing

Garbage nsec 5mo ago

That just reinforces my point that pasted-in nsec security is reliant on social pressures and not technical ones.

the axiom 5mo ago

everything is like that

but of course the technology plays a big role in it, you're just larping

Garbage nsec 5mo ago

Lol. No. Some things can be prevented by technical means and not fingers crossed he’s a nice guy means.

the axiom 5mo ago

you're trying to imply that publishing a confidential message unencrypted but with a preamble that says "do not read" is exactly the same as using signal because signal could technically ship a compromised apk to you and leak your message

everything is social pressure and trust at some level

you're pretending to ignore that the levels of trust required are distinct

Garbage nsec 5mo ago

It's not though. On Nostr I operate under the assumption that someone already has my nsec, we all should do that. Because it's entirely possible. I bet at least one person has my nsec right now, maybe a few people. I'd never know. Nostr really does rely on social pressure so why bother trying to be secret?

But if I started again on Nostr and did only Frost and bunker and White Noise and all that, in that case it'd be different. That's still a really bad experience, so I'll wait. But the tech matters, you have to admit.

jb55 5mo ago

All good points in this thread, but i’ll still take a key i control over some rando server managed by someone else.

If you have lots of money tied to a key i probably wouldn’t use it in mobile apps that are hard to verify… i would read the source code and compile from source and just use notedeck.

Anyone not reading the source code and compiling it themselves has to trust someone, even in the keyserver case. The server case is even harder for people because people have phones, not computers with servers.

We are already lightyears ahead in comparison to legacy social media platforms and protocols, at least users have the ability to choose their risk tolerance levels with different clients. On legacy they can read your DMs and make posts on your behalf if they wanted to.

Garbage nsec 5mo ago

True. It's not only risk tolerance it's friction tolerance too.

Though to be fair I should give frost/igloo/bunkers and all that another go, maybe the experience is less friction-y than before. Try living on Nostr for a few weeks bunker only, see how it goes.