Some clients were designed without XSS protection. I believe Coracle sent nsecs to an analytics providers for a while by accident. And a lot of other stuff.
Discussion
if it was at one point and I have not heard of it so I decided to remove coracle.
Wait did people login coracle with their bare nsec ?
I've been paranoid about literally any xss for this reason. Outbox has me even more paranoid.
what about the outbox?
Outbox relay connections can spread through interactions and follows. If a client is vulnerable but a "trusted" relay was able to filter/block harmful events, an attacker can convince my client to connect directly to an malicious relay and possibly compromise my client.
is this a common knowledge in nostr relay operators and client devs?
Kind of. It's sort of a priority/trade off thing. Basic XSS can be easily mitigated, but the nature of nostr clients is that they're always fetching unknown and untrusted data from servers (relays) and it's often not a priority of the developer (or their AI vibe sessions) to consider the "what could happen if".
Unfortunately thatβs true for many, and donβt get me started about random web extensions, that store your nsec in plain text in browser storage
Which is why I started this https://github.com/VnUgE/NVault. But it's far from being suitable. Still better than storing nsec in the browser though.
I get 404
No worries heres my central site. Most people only click on github links so that's what I share.
https://www.vaughnnugent.com/Resources/Software/Modules/NVault
I am making a highly secure extension addition for the Nostr Build Shack now, should hit public test release this weekend.
https://testflight.apple.com/join/qgkAMPgU Nostr Build Shack
i stumbled around and eventually landed on and read this post: https://www.vaughnnugent.com/blog/d9ab8a46cfa8d6bd59cf048fec8d73ffc44f881c ππ
Interesting write up
Agreed. Though if I'm being perfectly honest, the approach of "everything is insecure, so I should build my own tools - they'll be more secure!" can be an anti-pattern in the wrong hands. I don't know enough about nostr:npub1qdjn8j4gwgmkj3k5un775nq6q3q7mguv5tvajstmkdsqdja2havq03fqm7 or his work to say, but it's a very minor alarm bell.
Sometimes the whole ecosystem is improved more by talented and motivated individuals contributing to exiting projects that need help in the areas those individuals identify as weak points.
I tried to find clean and compliant libs for swift, just to end up writing my own on top of the standard libsecp256k1 instead of gluing together all the slop
This project doesn't already exist. Noscrypt was built so that others (including myself) are re-rolling their own nip44 crypto every time they want to create a messaging app. In the case of noscrypt the goal is to be as ubiquitous as openssl. Which btw, noscrypt is not hand-rolled, have a look.
Yes there is a judgement cast on "Im smarter and I can build it better" I don't have a good argument to that, it is what it is. My attempt was naivley was to help prevent that. Noscrypt is an "old" project relatively speaking, it is the existing project.
This blog is also a long-form note on a relay somewhere :)
I am bookmarking it. would be great to hear an update though when everyone can use it and test it?
Me too XD. Unfortunately it's on the backlog for now, I've got a git server to get up and running XD
It seems you and nostr:nprofile1qqsglv2qkn5dmmuhee9cy8fywfu2rfp4xd3xy0myqg2gfvmjl9yqqrqppemhxue69uhkummn9ekx7mp0qythwumn8ghj7un9d3shjtnwdaehgu3wvfskuep0qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0crg0k2 are developing similar things. Are you two in collab? βΊοΈ
He did and admitted to his mistake but I canβt remember how long it took nostr:nprofile1qqsgajr2e8ssj7vesefqdrhxkqpz8w8ryed2hvl79rakkwmw999de9spzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsx8tnnv nostr:nprofile1qqsq6jfk99pzmkyn4u3v6nrpz75wxjr522ud90rn0jh2gjepgxvca5gprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvqyd8wumn8ghj7mn0wd68ytn0wfskuem9wp5kcmpwv3jhvnha6z0 what is that guys name with the porn stash ?