Replying to sebas

nostr:npub12rv5lskctqxxs2c8rf2zlzc7xx3qpvzs3w4etgemauy9thegr43sf485vg what do you think about the risks of signing arbitrary data? Maybe for this operation the user should always be prompted to confirm? We were talking about this a few weeks ago with nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr

I see the risk in this and I think it also applies to other NIP07 applications that can get signatures on notes from the extensions (they could publish fake notes signed by you).

There seems to be no other way than to show the user what they are signing. I wish nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm had a dedicated way of showing details of the ecash that is being signed. Maybe one day?

Definitely needs trust in the application that is requesting these signatures. What's true for signing messages is also true for signing transactions.

Discussion

Yeah, having a clear UI for the user seems necessary. Anyways, this is great.