Replying to Derek Ross

**Attention new plebs that joined Nostr:**

While you're trying out new clients, don't just go and enter your private key everywhere. This is like the private key for your bitcoin. You want to keep it safe. There's an extension that can help with this. Either [nos2x](https://chrome.google.com/webstore/detail/nos2x/kpgefcfmnafjgpblomihpgmejjdanjjp) or [GetAlby](https://chrome.google.com/webstore/detail/alby-bitcoin-lightning-wa/iokeahhehimjnekafflcihljlcjccdbe). These extensions essentially hold your private key and help you sign transactions, so you don't have to enter it directly into a website. Once you have one of these installed, visit metadata.nostr.com and set up your profile picture and your NIP-05 ID. If you're using the Damus app, this doesn't apply to you. Enjoy!

Want a NIP-05 ID? nostrplebs.com can help you out with that. 🤝

Can you explain why entering my private key in Alby is safe?

Discussion

Entering your key into a website makes you vulnerable to XSS (cross site scripting) events. Using Alby or nos2x is safer. It's like a Bitcoin wallet / signing device.

I still don't understand why. Seems like I wouldn't ever want to enter my private key for any reason other than its primary purpose.

That is the primary purpose though. To sign transactions. Not your keys, not your notes. If you feel safe doing that, that's on you. I'm just trying to give what's seen as best practice for your security. People have already lost their keys in XSS events in some clients.

Its primary purpose is to authorize anything you do. Clients ask for it so the client can log you in and allow you to follow accounts (pubkeys), make posts, DMs etc.

Personally I use nos2x, which is similar to the Nostr abilities of the Alby extension.

nos2x was made by #[2], the dude who created the Nostr protocol.

I think the idea is that you are one step removed with the private key in Alby, i.e. Alby requests permission to use your private key.

Whereas something like your initial Astral account has both your private and public keys in one "app".

I could be totally off base on this and I'm sure someone more tech savvy will intervene.

With Astral, the private key is saved in your browser's local storage, but yes, you're not entirely off base here. The main thing to worry about is XSS vulnerabilities.

Correct me if I’m wrong, is this referring to the possibility of navigating to a link outside of the app that will bring the local storage along?

Is this still possible in Android without user interaction?

You can build nos2x yourself and install it on your browser: https://github.com/fiatjaf/nos2x

Yep! I built mine. That's what I run.

Don’t trust, verify <3