Unfortunately none of the mitigation strategies you listed address the core issue. This post does a good job of detailing why it's trivial to extract key material from a web app: https://tonyarcieri.com/whats-wrong-with-webcrypto
Discussion
Yes, it's not 100% secure, but these mitigation practices definitely work. The more best practices you follow, the more expensive it becomes to exploit.
Even with native applications, governments literally pay billions of dollars for spyware named Pegasus, which can access your phone and they just have to send you a text DM.
But if you're asking whether it's secure enough to create a nostr client and note app, I can assure you that it is. In fact, I believe it's even more capable than that.
But I also understand where you are coming from.
The main issue I see is the low cost of the attack vs the reward, especially for wallets. It's basically impossible to detect an attack deployed via web server. E.g. a server could target specific IP addresses. In contrast it's easy to detect a malicious app update as it would have to be pushed to all client devices. A state level actor compromising devices is quite expensive to do at scale.