Replying to Water Blower

Go to https://blowater.app and play with it. I will zap anybody 2100 if the issue is not duplicated from current GitHub issues.

I have 42K to zap. Valid until Sep 15th.

Also, I would consider removing the “input your private key here” section and only allowing login via extensions or creating the account directly within.

Private key into web browser is not practicing safe nsecs, and I feel like it shouldn’t be encouraged. Not a bug, but an opinion 🫡

Discussion

The question comes down to: web extensions are just another web page so that the security level is the same. It comes down to whether you trust the app or not.

The problem on mobile is that there is no extension.

I thought there was a bigger difference, where an extension only saves the data on your device and the web page has more vulnerabilities or ability to leak data.

I don’t have the technical background to claim I know - this is just the impression I’ve gotten from many previous discussions on and about nostr

Extension is really just another web page with more system privileges than normal web pages. It can communicate with servers and peek at your current webpage’s data without your permission. From this perspective it’s less secure than a normal webpage.

The narrative on Nostr is if you centralize your private key risk to a single extension that you trust, then you don’t have to trust individual Nostr clients. Meaning you still need to pick one extension that you trust. Extensions are not intrinsically safer.

Thank you; that makes sense. Those extended permissions are why I’ve still never put my primary nsec anywhere besides the client I generated it within. And I only add extensions to a browser other than the one I use for day to day use.

Appreciate the thoughtful reply 🙏

You are welcome and your security awareness is very good.