Welcome to nostr… it's been a day and a lot of y’all have experienced Damus, but did you know that is only one client? But when it’s time to set out and experience nostr in a browser, it’s important to protect your keys… so be sure to use a “NIP-07” browser extension to visit as many nostr sites as you please with little concern.

On Chrome:

https://chrome.google.com/webstore/detail/nos2x/kpgefcfmnafjgpblomihpgmejjdanjjp

On Mozilla:

https://addons.mozilla.org/en-US/firefox/addon/nos2x-fox/

Both with built in wallet:

https://getalby.com/

iOS:

https://apps.apple.com/us/app/nostore/id1666553677

Discussion

How does providing your private key to a third-party browser extension improve security?

So this way, only the extension has your key… the site requests a unique signature for each event, and the extension generates that sig from your key, and just passes that single-use signature to the site. The site never knows your nsec. You don’t have to trust all the new sites that pop up. I even have zap buttons on my personal website that one can sign with an extension.

Thank you for responding. I’m still skeptical this would be a better security posture.

Attack Surface:

By installing a browser extension (or any software) you increase the attack surface on that device. The less you install, the fewer bugs you might have for attackers to exploit.

Third Party:

Why share your key with a third-party extension instead of sharing it directly and only with the site you want to use? Like a bitcoin private key, I would not share it with a third party and instead only input it directly into the wallet I intend to have it.

I understand that an extension may offer features or convenience, but am skeptical that it is a more secure solution.

Yes, exactly: by giving 30 PWAs your nsec you are increasing your attack surface far more than a single browser extension.

So if a web client doesn't offer the ability to use the extension (I use Alby) we should avoid it? I see at least two that asked only for the private key.

which ones?

sometimes I have to reload or clear cache (especially if I visited the site before having the extension) and sometimes there is a “login with extension” or “login with NIP-07” button

The two I remember, but there was another I have forgotten.

#Nostrish

https://nostrich.com/

Astral.ninja

https://astral.ninja

haven’t heard of nostrich, you are correct, I don’t see a button there

astral's old school, not sure it’s getting updates… there should be a “use pubkey from extension” button and then if you do require an event signing (like you try to post) from there it will go to the extension

short list but some I would check out

https://snort.social/

https://coracle.social/

https://primal.net/

https://iris.to/

https://habla.news/

I personally like this JP client that recently added English support

https://syusui-s.github.io/rabbit/

Thank you. I didn't know Habla. For now I use both Primal and Coracle. Rabbit is not in English...?!

Rabbit just launched English localization…so is now in English. It’s tweet deck style.

You can check this list for all the projects the Japanese be up to

https://github.com/nostr-jp/awesome-nostr-japan

Argh... I thought that was in Japanese because the dev has put both languages on the same page 😁

Habla is cool, long-form content (NIP-23), so you will see stuff there you might not find in every kind 1 content (most clients)

Here is another one : https://hamstr.to/

with that one I also get a “login with extension button”

I think this one is also kinda under construction compared to the list I sent in my other note

awesome nostr is an exhaustive & updated list but includes everything & everything seems to stay on there

Thank you for having checked it. I will clean my cache and try again. But I will retry all those you listed in your other post.

I never cleared the cache after I installed Alby. I will try this for the next clients I see that don't support the extension. Thanks.