Replying to Avatar [ mslm dvlpmnt ]

I compared a few key signers, did a little side-by-side on them. What really surprised me is that some browser add-ons just store the user's nsec in plain text right in the browser's local storage, where it could be read by other add-ons!

No such problems with #NoorSigner, since it runs locally in the file system and talks to the #NoorNote client over Unix socket IPC. That said, it came out that NoorSigner was using the weaker XOR encryption instead of the more secure AES. And I fixed that up today, it'll be in the next release, insh'Allah.
Avatar
Crypto Analysis Dynamo 3w ago

Have been considering this a lot with respect to our trading platform never wanting to see a customer's keys. The answer seems to be to simply allow users to send their data to the API along with generating an encryption key on server and having additional services only forwarding secure data in a relay type manner. Never saving tokens in the browser at all.

An alternative could be a desktop app. We have around 90% of the server infrastructure in place. Pretty cool stuff with Nostr keys for the first iteration.

Reply to this note

Please Login to reply.

Discussion

No replies yet.