What tools? Nsec app stores everything locally
Says you. A developer, either accidentally or on purpose, could very easily send that key to anywhere they want (or don't want in an accident). It isn't that hard to have an input prompt send the input to an email address. Attackers will create fake or copycat tools that do this exactly. It already happens with Bitcoin keys and even account usernames and passwords. It has been a problem for years.
Most people are going to use a single key for convenience, and it only takes one instance to be completely rekt.
I don't have a specific solution other than something like an air gapped hardware device, but I am convinced that people will get rekt.
And any tool that asks for it. Anywhere you type it in and click submit.
It’s true but at this point we have a few trusted tools by trusted devs and I’m sure you can check the code for yourself. At least we are not dealing with money. As the protocol matures we’d definitely want to scrutinize any new auth mechanism.
Yes, but "at this point" of Nostr is when we should be discussing these ideas. This should have been an issue from the start. Auditing every application constantly (because you have to any time it updates) is absolutely not a solution and I bet pretty much no one has done it.
I didn't go audit the entire Primal codebase to make sure they aren't sending my key to a database or storing it insecurely on my device. And centralized trust isn't exactly a great model. That's one of the reasons Nostr and Bitcoin even exist.
I'm just applying the same principles of Bitcoin cold storage to Nostr apps and services.
It's not like I can have a hot wallet with a small amount of my social identity. It's all or nothing in this context.