So this way, only the extension has your key… the site requests a unique signature for each event, and the extension generates that sig from your key and just passes that single-use signature to the site. The site never knows your nsec. You don’t have to trust all the new sites that pop up. I even have zap buttons on my personal website that one can sign with an extension.


Discussion

Thank you for responding. I’m still skeptical this would be a better security posture.

Attack Surface:

By installing a browser extension (or any software) you increase the attack surface on that device. The less you install, the fewer bugs you might have for attackers to exploit.

Third Party:

Why share your key with a third-party extension instead of sharing it directly and only with the site you want to use? Like a bitcoin private key, I would not share it with a third party and instead only input it directly into the wallet I intend to have it in.

I understand that an extension may offer features or convenience, but am skeptical that it is a more secure solution.

Yes, exactly: by giving 30 PWAs your nsec you are increasing your attack surface far more than a single browser extension.