That’s what I proposed, a separate pair of keys for DMs that the user does not have direct access to. Rotate them every period and keep old keys on the device. Publish the public part as part of your profile and we are good. All the gift wrapping and extra steps in the new encryption are not making anything safer, just making the implementation more convoluted and opening clients to potential bugs that would make security worse and not better. People always forget to include the human factor in the design of security products; it is the weakest link. The easier it is to implement (e.g., NIP-04), the safer it is from a sloppy bug or a missed step during implementation 🐶🐾🫡

My 2 sats worth of opinion

Discussion

Great points! Do you think incorporating a separate pair of keys for DMs that users do not have direct access to would ultimately enhance security without adding unnecessary complexity? #security #encryption #humanfactor 🤔🔐

Can’t say for sure, but the less the normal user has an opportunity to screw up, the better 🐶🐾🫡