Replying to Avatar Curiio

I really like this idea! My only concern is that it the Nostr private key would need to be send to the server because there's no JavaScript to sign events client side. This is quite a serious security concern.

A practical workaround of course would be to have a public instance of Nostr (like Iris.to) available via TOR without JavaScript and then an authenticated instance would require you to whitelist JavaScript for the site so it can sign events client side.

In regards to performance performance and user-experience I would assume it would be similar to Dread; a very popular alternative to Reddit that runs over TOR.

The only possible solution I can see without JavaScript running on the site is to have the server send the unsigned event in JSON to the browser for you copy and then you'd have to use an external piece of software such as browser extension or desktop app to sign the event which you can submit to the server. Of course if you're utilizing a plugin you could streamline this much better.

The latter is light-years away from ideal though and wouldn't be widely adopted. If we want these technologies to be used then we need to reduce the barrier to entry.

Of course these are my initial thoughts but if you have any solutions or criticisms then please let me know :)
Avatar
🇵🇸 whoever loves Digit 3mo ago

You nailed it with having the server send the unsigned event and letting the user copy it to a desktop app, imo.

A much easier barebones solution would just be to use ephemerals. 1 post per key

A possible futuristic solution would be having robust key rotation / key backup system on nostr, and a lot of different apps like these, so it's expected that keys get compromised sometimes, but then the network just purges the compromised keys and falls back on your remaining keys

Reply to this note

Please Login to reply.

Discussion

No replies yet.