Yes, it's not 100% secure, but these mitigation practices definitely work. The more best practices you follow, the more expensive it becomes to exploit.

Even with native applications, governments literally pay billions of dollars for spyware named Pegasus, which can access your phone and they just have to send you a text DM.

But if you're asking whether it's secure enough to create a nostr client and note app, I can assure you that it is. In fact, I believe it's even more capable than that.

But I also understand where you are coming from.


Discussion

The main issue I see is the low cost of the attack vs the reward, especially for wallets. It's basically impossible to detect an attack deployed via web server. E.g. a server could target specific IP addresses. In contrast it's easy to detect a malicious app update as it would have to be pushed to all client devices. A state level actor compromising devices is quite expensive to do at scale.