***WHY USING A NIP07 EXTENSION FOR BROWSER NOSTR APPS IS MORE SECURE***
*I just explained Nip07 to someone and figured if one person wanted to understand how the extensions work, others would also. This is an expanded explanation.*
**First, let me illustrate:** imagine that somebody wanted to rob your house and tried to pick your pocket for the key -- but you didn't have the key on you because it was safely stored in a locked place the robber cannot access. The robber would be out of luck.
The Nip07 extension is the safe: it stores your private Nostr key where the web site cannot reach it, so a hacker cannot compromise your account.
**Now for the technicals (but not too technical):**
Nos2x, Alby and any other Nip07 extension inject an object (script) into the web page that allows the page to ask the extension to sign events rather than having to sign them within the page itself.
That is, each time you want to post a note or Like a note, the page hands the request to the extension, which "signs" the event with the key that only the extension has access to. Unless the event is properly signed, the relay will not accept it because it hasn't been verified as coming from your account.
This is more secure because if the website got hacked and your private key was visible to the page (which it has to be if the page itself is doing the signing), then the hacker would have access to your private key and could use it for nefarious purposes. With the extension holding your key, and with the website unable to access any data stored by the extension, it's much more protected.
Even if the hacker used the extension to sign some events while you were on the page, the hacker still does not have access to your key and you could stop using that website without compromising the security of your key.
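The split described above, as an added example that is not from the original post or from any extension's code: a Node.js simulation of the page, extension and relay roles. Assumptions: Ed25519 stands in for Nostr's Schnorr signatures, the provider is synchronous (the real `window.nostr` methods return Promises), and all function names and the sample note are constructed.

```javascript
// Added example: simulates the NIP-07 split between page, extension and relay.
// Assumption: Ed25519 from Node's crypto stands in for Nostr's BIP-340 Schnorr
// signatures; the provider is synchronous (real NIP-07 methods return Promises).
const nodeCrypto = require("crypto");

// NIP-01 event id: sha256 over the canonical serialization of the event.
function eventId(ev) {
  const body = JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]);
  return nodeCrypto.createHash("sha256").update(body).digest("hex");
}

// "Extension" side: the private key lives only inside this closure.
function makeExtensionProvider() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const pubkey = publicKey.export({ type: "spki", format: "der" }).toString("hex");
  return Object.freeze({
    getPublicKey: () => pubkey,
    signEvent(draft) {
      const ev = { ...draft, pubkey };
      ev.id = eventId(ev);
      ev.sig = nodeCrypto.sign(null, Buffer.from(ev.id, "hex"), privateKey).toString("hex");
      return ev;
    },
  });
}

// "Page" side: builds a note and asks the provider to sign; it never holds a key.
function pagePostsNote(nostr, content) {
  const draft = { created_at: 1700000000, kind: 1, tags: [], content }; // constructed sample
  return nostr.signEvent(draft);
}

// "Relay" side: recompute the id, then check the signature against the pubkey.
function relayAccepts(ev) {
  if (eventId(ev) !== ev.id) return false;
  const key = nodeCrypto.createPublicKey({
    key: Buffer.from(ev.pubkey, "hex"), format: "der", type: "spki",
  });
  return nodeCrypto.verify(null, Buffer.from(ev.id, "hex"), key, Buffer.from(ev.sig, "hex"));
}

const nostr = makeExtensionProvider(); // what an extension would inject as window.nostr
const signed = pagePostsNote(nostr, "hello nostr");
console.log("relay accepts signed note:", relayAccepts(signed));
console.log("relay accepts tampered note:", relayAccepts({ ...signed, content: "edited" }));
console.log("what the page can reach:", Object.keys(nostr));
```

The page-side code can only call the two functions on the provider object; nothing it receives back contains the private key.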
Of course, you have to trust the creator of the extension not to use your private key and to handle it securely, but it's certainly much better than the website itself holding the key.
Native phone apps are already much more secure in this regard, so they don't need an extension. It's very difficult to "hack" a phone app and inject code into it. The app stores scan for viruses and do pattern matching and such to make sure apps are "safe". Websites do not have these security measures generally. You still need to trust the app maker, but again, it's much safer than a website handling your key.
**So always use a Nip07 extension if you're using a web-based Nostr client.**