I don't know who needs to hear this, but: DO NOT NORMALIZE PASTING PRIVATE KEYS INTO WEBSITES


Discussion

A LOT of devs need to hear this

Totally agree. Onboarding new users to keys and safe key management is important. It's a tough problem to solve for new users. Chrome extensions in general are hard for users and Alby is super confusing.

Nostr web apps need a good new user workflow, and short video explainers, and super simple key manager.

I like the way streaming services let you login on the tv by using a QR code and your mobile device. It needs to be super easy.

Nostr connect needs broader support; check out how seamless the experience is using it on https://nostri.chat.

The fact that nostr connect doesn’t run in an extension is great because it transparently spans to non-browser apps


Doesn’t display right on my iPhone SE 2020

Cut off to the right?

Ya

I should probably just minimize the widget on mobile so it looks like it displays on my personal site https://pablof7z.com

Followed #[2]

This ☝️

And if you really need to copy and paste somewhere, consider splitting up your nsec so you never have the complete nsec in your clipboard. This will prevent accidentally sharing it (as happened a few times before).

My man, do you have many profiles? 😂

No just one, why? 🤔

Well you can't have badges without posting your nsec to the badge webapp and, with these words, normalize posting nsec to websites.. That being said, I literally award you with the Yes. badge if you say yes to badges 😂

Yes.

🤝🤙

Oh thanks didn’t know 😅 thought it was a thing within the client

And btw: Yes 😅

🤝🤙

good idea

💪🙏💜

Aaaaand followed 🤙

And for Android apps like Amethyst? Same opinion?

Yes, though not sure there’s a good solution yet

things people do to get a badge

What’s the alternative? Installing alby? It’s a terrible UX for a new user who is used to entering password and being done

That’s the trade off for not being tied to a specific instance

Not gonna scale whatsoever.

An alternative would be to use npub to log in and only ask for nsec if the user wants to sign an event. I think it is worse UX though. Can't make everyone happy.

We need an “account” recovery process because people WILL mess up. That I can guarantee.

It's not that hard to store an nsec... Just like it's not hard to store a 12 word seed phrase.

Agreed, but only if that account recovery mechanism absolutely can't be used to steal people's identity. It has to be thoroughly investigated for all sorts of scenarios.

that still ultimately requires putting your nsec in an untrusted website which is a bad idea. I think the most "normie" friendly way to do things would ultimately be to have a way for people to delegate key management to "identity providers" that people register for using a regular email, which then handles their keys and signs messages over https (and does nip-05). This of course requires trusting the identity provider but provides account recovery and still provides the advantage of not being tied to a single relay.

Nostore App just went live on App Store - see Jack’s recent posts

I’m so happy to hear someone else complain about a shitty UI for #Alby. The Alby UI does NOT reinforce trust of the app.

It's fucking terrifying, man.

I'm seeing some absolutely shit security practices in play here, so just gonna sit back and offer commentary from the peanut gallery, and hopefully help mitigate some damage, or offer constructive suggestions for the platform moving forward.

Yeah, a lot of education will need to be done. But I think the n Ft generation will grow up knowing "not your keys, not your coins" and "not your keys, not your account"

Apparently a LOT of people. The badges website asked for nsec. Wtf?

You can login with extension

I'm not sure how that makes it any better TBH - It's just the extension sending the nsec for you effectively. No?

it does make it better, this is what the extension is for, no?

how else do you log in?

"how else do you log in?"

I do believe that is why we are indeed having this discussion - possibly highlighting something for further improvement.

Question has been answered and makes complete sense to me. Extension is effectively signing a message with your nsec.

Cool deal. People are on top of it. Very nice to see.

That's pretty much the best and only way I can think of

No. You just sign a message in Alby. You don't reveal the private key.

OH kick-ass!

Only asking for people that can't log in with extension but want to log in and create badges or accept them. I'm encouraging them to use Alby. How can they log in and do that without extension? Also all the code is open source.

I’ll give you mine. For only one Bitcoin. Anyone?

What would you have people do if they don’t use alby?

Other extensions. Best if they're open source. So the community can verify what happens with the PK

gm 🌞

When any website asks for NSEC I'm like it was fun knowing you.


Is it okay to do so on Damus? Not seen a getalby type solution

💯 Badges were inevitable. But how badges are integrated into Nostr needs to be considered from a responsible security perspective.

And how to safely join via Amethyst / Damus app? A lot of people will ask this question.

Or any web interface like Astral and Co.

All the reckless Plebnation motherfucking rebels. ^^

Who does that!? 🤷‍♀️😅

Should not be an option, the extension must be mandatory for access...

And then you get lots of ppl that don't have extension complaining because they can't log in

hamstr.to has the best way of approaching this at entry imo

the way how they prioritize login with extension

love that

This will shut out just about everyone.

What's the equivalent to Nos2x for iOS? I don't like to paste them into a bunch of Testflight iOS apps either.

I haven't found a single browser on iOS that supports nos2x or Alby. I've tried a half dozen of them. I'm only using desktop clients for this reason.


Imagine sharing your signing ability with everyone for a badge.

All nostriches should have the same private key. We are all Satoshi.

Sign in with extensions where possible.

Alby for Chrome browsers.

Nostore for iOS.

There's a lot of buzz around your post.

Added to the https://member.cash/hot feed

That went viral quickly!

Totally agree but if you want mass adoption this cloak and dagger sign in stuff will never ever work. Either NOSTR will remain niche or something other than the current sign in process has to be created. It's fine for us psychopaths but not the average Joe.

Or.... Just have a link on websites to the extension as the first option.

#[0] Agreed.

Agreed. And followed.

It’s not private then by definition

Having to use them in apps and browser extensions is scary enough. We should be able to sign nostr stuff with clicks on a hardware wallet.

This is the most prominent security risk that needs to be addressed

Totally agree. It’s bad enough that I didn’t roll my own entropy for my current nsec.

Dumb basketball question here, is there another way on Nostr? Besides typing them in?

alby can custody a key, and then you can use it on lots of sites

but you're still trusting alby

this is a fundamental problem with hardware private key storage

1. no standard way to export from one hardware device to another (not hard just no good standards)

2. no standard way to access signing and dh ops from a web browser

the result of these things is that people just throw away all good security in exchange for expedience

and the reason why #1 and #2 exist is because cryptographers have made security unnecessarily restrictive preventing low level operations from being accessible to developers

webcrypto standard exists, but zero keychain ops (why? no good reason)

pkcs11 is the death of good cryptography

Wen Ledger integration?


Haha just saw this! #[6]

We need a solution for iOS clients.

Thank you for saying this out loud LOL

But how do I transport my keys for nostr?

SO MANY PEOPLE NEED TO HEAR THIS

I’m glad to hear someone say this. I’ve seen a couple options where you could enter your keys online somewhere and I thought, nope!

I wouldn’t do that with my Bitcoin keys, why would I do that here? I thought maybe I was missing something. I feel like the only time they should touch something online is when you’re logging in and even then, you’re “copying” it from something physical or air gapped.