nsec is just a different representation than the hex of your private key. The only protection it gives you is that it starts with nsec1 so that you know you are pasting a secret instead of a public key.

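The point made in the note above, as an added example that is not part of the original thread: `nsec1...` is the bech32 encoding (per NIP-19) of the same 32 bytes as the hex private key, so converting between them needs no secret and adds no protection. All function names and `SAMPLE_HEX` are assumptions made for this sketch.

```javascript
// Bech32 (BIP-173) as used by NIP-19: "nsec1..." carries the same 32 bytes as the hex key.
const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
const SAMPLE_HEX = "0123456789abcdef".repeat(4); // constructed key, never a real one
function polymod(values) {
  let chk = 1;
  for (const v of values) {
    const top = chk >> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((top >> i) & 1) chk ^= GEN[i];
  }
  return chk;
}
const hrpExpand = (hrp) => [...hrp].map((c) => c.charCodeAt(0) >> 5)
  .concat([0], [...hrp].map((c) => c.charCodeAt(0) & 31));

// Regroup bits (8 -> 5 when encoding, 5 -> 8 when decoding).
function convertBits(data, from, to, pad) {
  let acc = 0, bits = 0;
  const out = [], maxv = (1 << to) - 1;
  for (const v of data) {
    acc = ((acc << from) | v) & 0xfff;
    bits += from;
    while (bits >= to) { bits -= to; out.push((acc >> bits) & maxv); }
  }
  if (pad && bits > 0) out.push((acc << (to - bits)) & maxv);
  if (!pad && (bits >= from || ((acc << (to - bits)) & maxv))) throw new Error("bad padding");
  return out;
}
function encode(hrp, bytes) {
  const data = convertBits(bytes, 8, 5, true);
  const mod = polymod(hrpExpand(hrp).concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  const sum = [0, 1, 2, 3, 4, 5].map((i) => (mod >> (5 * (5 - i))) & 31);
  return hrp + "1" + data.concat(sum).map((d) => CHARSET[d]).join("");
}
function decode(str) {
  const pos = str.lastIndexOf("1");
  const hrp = str.slice(0, pos);
  const data = [...str.slice(pos + 1)].map((c) => CHARSET.indexOf(c));
  if (pos < 1 || data.includes(-1) || polymod(hrpExpand(hrp).concat(data)) !== 1)
    throw new Error("invalid bech32 string");
  return { hrp, bytes: convertBits(data.slice(0, -6), 5, 8, false) };
}
const hexToNsec = (hex) => encode("nsec", hex.match(/../g).map((h) => parseInt(h, 16)));
function nsecToHex(nsec) {
  const { hrp, bytes } = decode(nsec);
  if (hrp !== "nsec" || bytes.length !== 32) throw new Error("not an nsec private key");
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}
```

The prefix check in `nsecToHex` is the whole of the "protection" the note describes: it tells a secret key apart from an `npub`, nothing more.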

Discussion

Yeah, that's what I thought. That doesn't make me feel good. I don't want to be typing that into a web page.

How do the alby/nos2x extensions solve this problem?

>From: cameri at 03/05/23 07:49:08 on wss://atlas.nostr.land

>---------------

>nsec is just a different representation than the hex of your private key. The only protection it gives you is that it starts with nsec1 so that you know you are pasting a secret instead of a public key.

You can download the nos2x extension and trust Fiatjaf, or you can go to the repo and compile it yourself.

You will then paste your hex or nsec private key in the extension settings.

When a website asks you to provide your public key, sign an event or encrypt/decrypt, it will use the extension's functions to do it.

The details on how it works are explained here: https://nips.be/07

The extension exposes a few functions that Nostr web clients can use and your nsec never touches their application.

What about if one is using a client in a mobile browser? I have not been able to see either Alby or Nos2x in the iOS App Store.

I think on mobile, a browser called Kiwi lets you install desktop extensions. I’ve never used it but I’ve heard it works.

Thanks, I’ll check it out, just looking for alternative options, cheers 👍🏼

I'll try to have nos2x-fox working for Firefox Mobile (thanks to a contribution). Not sure how it will work though.

If I have it running soon, I'll post it here.

New version of nos2x-fox for Firefox mobile just released.

Check this note with instructions:

note:note10sqgdxulup65vrsclaunek2ptgx27ud3as2kwsqgua4dfj38hmhs74rkz6

Trying new method for linking the note

#[7]

#note10sqgdxulup65vrsclaunek2ptgx27ud3as2kwsqgua4dfj38hmhs74rkz6

This is great!

What's great? I must not be on the relays that had the "great" message.

>From: bastero<-Bitkarrot at 03/05/23 17:29:58 on wss://puravida.nostr.land

>---------------

>This is great!

This!

⚡️

It’s coming 🌚 to a relay near you

😅 I broadcasted the previous messages, hope you can get a better idea of what the conversation was about.

I'm seeing them using Damus. Damus doesn't show me what relays a message comes in on (as far as I can tell.) More-speech isn't seeing them for some reason. Maybe related to my recent #p change. I'm reading everything from eden.nostr.land, nostr.nilou.lol, atlast.nostr.land, and puravida.nostr.land right now.

>From: cameri at 03/05/23 19:24:15 on wss://nostr.oxtr.dev

>---------------

>😅 I broadcasted the previous messages, hope you can get a better idea of what the conversation was about.

Overall, I’ve learned my lesson about Nostr security here, but specifically for badges.page, what’s the risk level? It’s built by someone well known in the community and used by many. Am I compromised?