Nostr Web Client

I want to like PWAs. But what‘s the strategy to mitigate attack vectors like web server compromise and XSS? It seems like only a matter of time until honey pots are attractive enough, especially for lightning wallets. I‘m not sure the UX trade-offs of using browser extensions are workable as every signature/transaction would have to be confirmed within the context of the extension UI.

freed0m 2y ago

the answer is simply, never to put keys into web apps. Use external signers (not extensions).

Native apps (amethyst/damus) could provide this facility, or the upcoming signing server from nostr:npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft

Reply to this note

Please Login to reply.

Discussion

tank 2y ago

Is there a write up of how the signing server works?

freed0m 2y ago

there's this, although I personally got stuck after the docker command

https://habla.news/a/naddr1qq9xuum9vd382mntv4eqzxthwden5te0wfjkccte9ehx7um5wf5kx6pwd3skueqpr9mhxue69uhhqatjv9mxjerp9ehx7um5wghxcctwvsq32amnwvaz7tmwdaehgu3wd9hx7um5vyhxxccpz4mhxue69uhkummnw3ezumtfd3hh2tnvdakqz9nhwden5te0wfjkccte9ehx7um5wghxyctwvsq3qamnwvaz7tmwdaehgu3wwa5kuegpvemhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef0dec82c33xpshw7ntde4xwdtjx4kxz6nwwg6nxdpn8phxgcmedfukcem3wdexuun5wy6kwunnxsun2a35xfckxdnpwaek5dp409enw0mzwfhkzerrv9ehg0t5wf6k2qgkwaehxw309a3xjarrda5kuetj9eek7cmfv9kqzxnhwden5te0wfjkccte9ehhyctwvajhq6tvdshxgetkqyd8wumn8ghj7un9d3shjtnwdaehgunsd3jkyuewvdhk6qguwaehxw309a6ku6tkv4e8xefwdehhxarjd93kstnvv9hxgqguwaehxw309ahx7um5wghx6at5d9h8jampd3kx2apwvdhk6qg4waehxw309ajkgetw9ehx7um5wghxcctwvsq3samnwvaz7tmjv4kxz7fwdehhxarjv96xjtnrdaksygrlts45uj9qa8lv5caydvfumwpy386qyquc6c9zqu9fdr92sxxht5psgqqqw4rs4a77p5?ref=nobsbitcoin.com

freed0m 2y ago

there's also NIP 46

https://github.com/nostr-protocol/nips/blob/master/46.