it's definitely getting stored somewhere "in the cloud". whether that's Alby or something else doesn't matter if it's compromised but I'll decide what to do with it after looking at the code. maybe it's encrypted with the password

Discussion

It does? lmk what you find.. also, check out keys.band if you're tired of nos2x.. it's different and the UI is kinda nice. (Based on nos2x code)

ok I've dug a little in GitHub and yes, Alby extension is encrypting with password and only storing to browser.storage.local so then it should only cross via cloud sync of the browser which is out of Alby's hands

of course, I don't have sync enabled so I'm missing something of how it happened

Your keys do not leave your machine with Alby extension. We can't see basically anything you are doing with your extension.

The code for it is here: https://github.com/getAlby/lightning-browser-extension

I concur based on the codebase. reviewed it the other day and I'm left with either:

a) an extension that doesn't match the published code (unlikely)

b) browser sync itself not working the way it claims (unlikely as it would be a major privacy and security violation)

c) what I thought was population of private key wasn't the same (very possible and I'll test this theory next time I wipe the laptop)

c is what I'm going with, and may result from the whole master key set or unset. I think Alby prompted or suggested setting and then derives a key from that? which would populate the field but have no way to match existing key derived by other means.

Would you like to hop on a call with us to clarify, or if you found any security bugs?

https://cal.com/getalby