I'm struggling to work out how the Nos2X browser extension works.
How can I use a client's features as if I've given it my private key even though I haven't?
Nos2x (like Alby or any other Nip07 extension) injects an object (script) into the web page that allows the browser to ask the extension to sign events rather than having to sign them within the page itself.
This is more secure because if the website got hacked and your private key was visible to the page (through a variable of some kind, which it would have to be if the web page itself was signing the events), then the hacker would have access to your private key and could use it for nefarious purposes. With the extension holding your key, and with the website unable to access any data stored by the extension, it's much more protected.
Even if the hacker used the extension to sign some events while you were on the page, the hacker still does not have access to your key and you could stop using that website without compromising the security of your key.
Of course, you have to trust the creator of the extension not to use your private key.
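The signing flow described above, as an added example that is not part of the original post and is not nos2x's own code. `getPublicKey` and `signEvent` are the NIP-07 method names; `makeExtensionSigner`, `approve`, `verifyEvent` and `publishNote` are hypothetical names, and Ed25519 from Node's `crypto` stands in for the Schnorr/secp256k1 signatures Nostr actually uses.

```javascript
// Added example (Node.js), not the extension's real code. Assumption: Ed25519 is
// swapped in for Nostr's BIP-340 Schnorr signatures to stay dependency-free.
const crypto = require("crypto");

// NIP-01 event id: sha256 over the canonical JSON array of the event fields.
function eventId(ev) {
  const payload = JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]);
  return crypto.createHash("sha256").update(payload).digest("hex");
}

// Extension side: the private key lives only inside this closure. The returned
// object plays the role of the injected window.nostr; approve() is the user prompt.
function makeExtensionSigner(approve) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const pubkey = publicKey.export({ type: "spki", format: "der" }).subarray(-32).toString("hex");
  return Object.freeze({
    async getPublicKey() { return pubkey; },
    async signEvent(draft) {
      if (!approve(draft)) throw new Error("user rejected signing request");
      const ev = { ...draft, pubkey };
      ev.id = eventId(ev);
      ev.sig = crypto.sign(null, Buffer.from(ev.id, "hex"), privateKey).toString("hex");
      return ev;
    },
  });
}

// Relay or reader side: verification needs only the public key carried in the event.
function verifyEvent(ev) {
  if (eventId(ev) !== ev.id) return false;
  const spki = Buffer.concat([Buffer.from("302a300506032b6570032100", "hex"), Buffer.from(ev.pubkey, "hex")]);
  const key = crypto.createPublicKey({ key: spki, format: "der", type: "spki" });
  return crypto.verify(null, Buffer.from(ev.id, "hex"), key, Buffer.from(ev.sig, "hex"));
}

// Page side: the web client only ever holds the draft and the signed result.
async function publishNote(nostr, content) {
  const draft = { created_at: 1700000000, kind: 1, tags: [], content }; // constructed sample
  return nostr.signEvent(draft);
}
```

A compromised page can still call `signEvent` while you are on it, which is why the approval prompt matters, but nothing it receives back contains the private key.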
Excellent explanation. Thank you 🙏
Once I’m on a site I’m happy to “authorise forever”, i.e. Snort or Iris or Badges …
Signing happens on the client side if you’re publishing events / notes - so it’s safer than sticking it in the browser directly.
Some people think extensions still aren’t that safe and that a remote signer is safer - but remote signing isn’t available yet, I don’t think, so it’s just a better option than inputting directly to the website.
I’ve just signed out and back in to all mine using it. I’ve had the extension a while but never got round to using it. Can’t do it on Damus app though
I don’t think? You have to use the actual key
Surprising how important my private key is becoming