Nostr Web Client

Not really. I've been saying for a long time we specifically need something like this with a javascript-free HTML frontend so it can be used as an Onion service. Not sure if that would be quite the most data-efficient, but should be a lot better than the normal clients that connect to tons of relays at once

Curiio 3mo ago 💬 2

I really like this idea! My only concern is that it the Nostr private key would need to be send to the server because there's no JavaScript to sign events client side. This is quite a serious security concern.

A practical workaround of course would be to have a public instance of Nostr (like Iris.to) available via TOR without JavaScript and then an authenticated instance would require you to whitelist JavaScript for the site so it can sign events client side.

In regards to performance performance and user-experience I would assume it would be similar to Dread; a very popular alternative to Reddit that runs over TOR.

The only possible solution I can see without JavaScript running on the site is to have the server send the unsigned event in JSON to the browser for you copy and then you'd have to use an external piece of software such as browser extension or desktop app to sign the event which you can submit to the server. Of course if you're utilizing a plugin you could streamline this much better.

The latter is light-years away from ideal though and wouldn't be widely adopted. If we want these technologies to be used then we need to reduce the barrier to entry.

Of course these are my initial thoughts but if you have any solutions or criticisms then please let me know :)

Reply to this note

Please Login to reply.

Discussion

🇵🇸 whoever loves Digit 3mo ago

You nailed it with having the server send the unsigned event and letting the user copy it to a desktop app, imo.

A much easier barebones solution would just be to use ephemerals. 1 post per key

A possible futuristic solution would be having robust key rotation / key backup system on nostr, and a lot of different apps like these, so it's expected that keys get compromised sometimes, but then the network just purges the compromised keys and falls back on your remaining keys

🇵🇸 whoever loves Digit 3mo ago 💬 1

I also don't see a huge problem with some people using the normie login option where private key stuff is handled in the cloud tbh. Especially if copying unsigned events to a separate app is an option for the more hardcore users

Curiio 3mo ago

Personally sending private keys to server just feels inherently wrong. Anyone controlling the server could sign on your behalf FOREVER and there's no way of changing or rotating private keys with Nostr.

Of course there's nothing stopping any client such as Iris.to deploying some malicious JavaScript (unintentionally even) that steals everyone's private keys - therefore servers and upstream code do need to be monitored regardless. That said, we would know if Iris.to or another client was doing such things because we can see the client-side code; although it would likely be too late by then.

Nevertheless if you send your private-key to the server then you have no way of knowing what they'll do with it, how they handle that piece of data, if their servers are compromised etc.

I suppose this is one of the fragile things about Nostr's security model. A supply chain attack would hit really hard!!

#security #cybersecurity #nostr #asknostr