tipping point
I reported several security vulnerabilities to LNbits and they took months to fix and ignored it.
Alby did not follow basic security practices.
many HWWs are weak as shit
Nostr apps keep leaking nsecs every few months.
The reference Cashu mint is poorly designed and had on one case when I operated it duplicated funds.
What nostr clients leaked nsecs ?
Some clients were designed without XSS protection. I believe Coracle sent nsecs to an analytics providers for a while by accident. And a lot of other stuff.
if it was at one point and I have not heard of it so I decided to remove coracle.
Wait did people login coracle with their bare nsec ?
I've been paranoid about literally any xss for this reason. Outbox has me even more paranoid.
what about the outbox?
Outbox relay connections can spread through interactions and follows. If a client is vulnerable but a "trusted" relay was able to filter/block harmful events, an attacker can convince my client to connect directly to an malicious relay and possibly compromise my client.
is this a common knowledge in nostr relay operators and client devs?
Kind of. It's sort of a priority/trade off thing. Basic XSS can be easily mitigated, but the nature of nostr clients is that they're always fetching unknown and untrusted data from servers (relays) and it's often not a priority of the developer (or their AI vibe sessions) to consider the "what could happen if".
Unfortunately that’s true for many, and don’t get me started about random web extensions, that store your nsec in plain text in browser storage
Which is why I started this https://github.com/VnUgE/NVault. But it's far from being suitable. Still better than storing nsec in the browser though.
I get 404
No worries heres my central site. Most people only click on github links so that's what I share.
https://www.vaughnnugent.com/Resources/Software/Modules/NVault
I am making a highly secure extension addition for the Nostr Build Shack now, should hit public test release this weekend.
https://testflight.apple.com/join/qgkAMPgU Nostr Build Shack
i stumbled around and eventually landed on and read this post: https://www.vaughnnugent.com/blog/d9ab8a46cfa8d6bd59cf048fec8d73ffc44f881c 👍👍
Interesting write up
Agreed. Though if I'm being perfectly honest, the approach of "everything is insecure, so I should build my own tools - they'll be more secure!" can be an anti-pattern in the wrong hands. I don't know enough about nostr:npub1qdjn8j4gwgmkj3k5un775nq6q3q7mguv5tvajstmkdsqdja2havq03fqm7 or his work to say, but it's a very minor alarm bell.
Sometimes the whole ecosystem is improved more by talented and motivated individuals contributing to exiting projects that need help in the areas those individuals identify as weak points.
I tried to find clean and compliant libs for swift, just to end up writing my own on top of the standard libsecp256k1 instead of gluing together all the slop
This project doesn't already exist. Noscrypt was built so that others (including myself) are re-rolling their own nip44 crypto every time they want to create a messaging app. In the case of noscrypt the goal is to be as ubiquitous as openssl. Which btw, noscrypt is not hand-rolled, have a look.
Yes there is a judgement cast on "Im smarter and I can build it better" I don't have a good argument to that, it is what it is. My attempt was naivley was to help prevent that. Noscrypt is an "old" project relatively speaking, it is the existing project.
This blog is also a long-form note on a relay somewhere :)
I am bookmarking it. would be great to hear an update though when everyone can use it and test it?
Me too XD. Unfortunately it's on the backlog for now, I've got a git server to get up and running XD
It seems you and nostr:nprofile1qqsglv2qkn5dmmuhee9cy8fywfu2rfp4xd3xy0myqg2gfvmjl9yqqrqppemhxue69uhkummn9ekx7mp0qythwumn8ghj7un9d3shjtnwdaehgu3wvfskuep0qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0crg0k2 are developing similar things. Are you two in collab? ☺️
He did and admitted to his mistake but I can’t remember how long it took nostr:nprofile1qqsgajr2e8ssj7vesefqdrhxkqpz8w8ryed2hvl79rakkwmw999de9spzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsx8tnnv nostr:nprofile1qqsq6jfk99pzmkyn4u3v6nrpz75wxjr522ud90rn0jh2gjepgxvca5gprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvqyd8wumn8ghj7mn0wd68ytn0wfskuem9wp5kcmpwv3jhvnha6z0 what is that guys name with the porn stash ?
you're thinking of nostr:nprofile1qqsf03c2gsmx5ef4c9zmxvlew04gdh7u94afnknp33qvv3c94kvwxgsppemhxue69uhkummn9ekx7mp0qyvhwumn8ghj76rzwghxxmmjv93kcefwwdhkx6tpdshsc8fae9
That’s his name. 😂😂😂
😱😱😱
no!!!!!
ALBY:
btw, I couldn't reset password to alby. It worked once then when you login it will not work again after resetting it.
NOSTR:
On your 2nd point about nostr. I joined nostr last yr and when I joined I asked around about security. I don't believe I got a direct answer to it. I know 2 users here who had been breached. 1st user could not recover and she decided to leave. 2nd one, I guess he was famous here, forgot the name, he had to change acct. So it did not surprise me.
thankfully, I keep my nostr acct separate from my other stuff.
WALLET:
As for wallets, I do not use any of them.
I had issues with no-kyc exchange and spent my entire Sun troubelshooting them. I decided, I had enough so I left and did not pursue.
So I guess the lesson here is, to always protect and never trust the marketing hype. Keep everything quarantine.
If I lose this nostr acct and alby, I can afford it.
But I am not sure others can. 😔
