I'm at the point where I think we should start shaming web apps that allow you to paste a private key
Devs, do you REALLY want the responsibility of getting someone keys and having those keys compromised?
REALLY?!

What is the workaround for users?
Meh, if you paste your private keys into a website that’s on you if they get compromised. Now if it was bitcoin private keys that’s a different story…
no, new users don't even know nip 07 exists, they think you need to go around pasting your key all over the place
for ppl with a bit of private key mgmt experience they see it as reckless and are taken aback immediately
I agree extensions should be heavily promoted and entering private keys heavily discouraged, but i still like having the option there
yeah, but that's for people like us who know what's going on
most clients that don't detect window.nostr simply hide the nip07 button so new users don't even realize that's an option
it's terrible!
Yeah i agree, promoting the extension needs to be an integral part of the onboarding process for clients
And it’s nice to have the option to enter a private key if I’m using a temp account for something and I don’t wanna bother setting it up with an extension
How do we onboard newbies who may look the other way if they realize they need to download another thing and set it up just to access the app?
installing an extension is a one-time thing, all apps should be directing you to login/register by pointing you there
except onboarding apps
onboarding apps for extreme newbies should be ok generating keys for you and letting you download them to experiment
Isn't that what Alby does? Never used it, but from what I've read that's about what it's supposed to do. @getAlby
Alby flow isn’t the best imo. I had issues setting it up myself. I think most newbies would drop off on it. Maybe 70% at least if I’m being generous.
speaking of which, we need more onboarding apps
they do nothing, just explain, briefly, what is nostr (without using the word "decentralized" since 99.999% ppl don't care about that), allow you to setup a profile, do some very basic interaction, but customized to capture top of the funnel
would be lit!
It already exists. It's called Getcurrent.
It says power of bitcoin right on the landing page. This alone may scare off 99% of the people 😔
Ok, but I think it’s the closest you will get in terms of ease of on-boarding.
I don’t think you can play around with relays but it seems to be as straightforward as you can get for now.
I’ve reviewed the app once already, will take a fresh look later. I sent the video to the team but didn’t hear anything back.
As someone who didn't use lightning till nostr, built in wallets feel like a scam, or at least make it seem like the intention is less about decentralization and more about proselytizing bitcoin.
I think built in wallets are ok, they just should be opt in, you should have the option to link any wallet you like, and then it’s presented as a convenience.
I think the point is that anybody that is just joining the system would not really understand how to manage keys.. and you would restrict to tech savvy people if you only allow external signers as an option
Maybe the focus should be on how to restore control of your identity in an easy way in the event your key gets compromised.
Imagine something very simple... I get a key pair when I sign up and I'm asked to also add a passphrase which generates another signature together with my key and that signature is part of my event kind 0 profile
if in the event a hacker gets control of the key (without passphrase), I'll always be able to create any random new key pair and sign a new event with my old key + passphrase showing that I'm the real owner of the old key that now wants to move to the new key?
Something very simple that does not need bip39 or any other thing... but that most users would understand?
definitely key rotation/revocation is something we need to work on (I think is the last thing core to the protocol that is still kinda unresolved)
but that's unrelated to this; if an external signer is too hard for a user, key revocation is going to 1000000x harder.
Installing an extension is not hard, if anything, non-technical users tend to end up with a million shitty extensions they don't need; it could literally be a click away in most browsers
the current state of affairs is that even a simple warning saying "install extension X, if you just paste your nsec here you might get rekt" even just that would be orders of magnitude better
(sorry for the rant, I could not sleep on the plane and I'm super tired 😂)
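As an added example (not code from any client or person in this thread), this is the login gating a NIP-07 aware client can do for the two points raised above: detect `window.nostr` rather than hiding the extension button when it is missing, and keep the key-paste field as an explicit, warned fallback. It assumes the NIP-07 surface `window.nostr.getPublicKey()` / `window.nostr.signEvent()` and NIP-19 `nsec1...` encoding; the option names are made up for illustration.

```javascript
// Methods a client needs from a NIP-07 signer (assumed NIP-07 surface).
const NIP07_METHODS = ["getPublicKey", "signEvent"];

// True when a NIP-07 signer is injected and exposes the required methods.
function hasNip07(win) {
  const signer = win && win.nostr;
  return Boolean(signer) && NIP07_METHODS.every((m) => typeof signer[m] === "function");
}

// Extensions inject window.nostr asynchronously, so a single check at page
// load can miss it (and then the client hides the button). Poll briefly first.
async function waitForNip07(win, { timeoutMs = 1500, intervalMs = 50 } = {}) {
  const deadline = Date.now() + timeoutMs;
  while (!hasNip07(win)) {
    if (Date.now() >= deadline) return false;
    await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
  return true;
}

// A secret key is 64 hex chars or a 63-char bech32 "nsec1..." (NIP-19).
// Anything else must not be accepted as a key; never log the value either way.
function looksLikeSecretKey(text) {
  const s = String(text).trim();
  return /^[0-9a-f]{64}$/i.test(s) || /^nsec1[02-9ac-hj-np-z]{58}$/.test(s);
}

// What the login screen should offer, given whether a signer was found.
// Option names (primary, allowKeyPaste, warning) are hypothetical.
function loginOptions(signerPresent) {
  if (signerPresent) {
    return { primary: "extension", allowKeyPaste: false, warning: null };
  }
  return {
    primary: "install-extension",
    allowKeyPaste: true, // explicit, non-default fallback, shown with the warning
    warning: "Install a NIP-07 signer extension. Pasting your nsec into a website " +
      "hands it to that site; if the site is compromised, so is your key.",
  };
}

// Usage in a browser: const present = await waitForNip07(window);
// const ui = loginOptions(present);
```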
I think we need to keep in mind the normal user by the time we plan for key revocation. We can't make it difficult for average Joe... you may eventually have setups for highly skilled privacy and security focused folks but we need to have something super simple that is a lot better than the current stage even if it's not perfectly nuclear war resistant
hopefully we find something simple enough that would cover the majority of the common mistakes and then if someone wants more and more security they can use external signers (as I do) etc.