I compared a few key signers, did a little side-by-side on them. What really surprised me is that some browser add-ons just store the user's nsec in plain text right in the browser's local storage, where it could be read by other add-ons!

No such problems with #NoorSigner, since it runs locally in the file system and talks to the #NoorNote client over Unix socket IPC. That said, it turned out that NoorSigner was using the weaker XOR encryption instead of the more secure AES. I fixed that up today; it'll be in the next release, insh'Allah.
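To make the XOR-vs-AES point concrete, here is an added illustration (my code, not NoorSigner's): repeating-key XOR leaks its storage key to anyone holding one known plaintext, while AES-256-GCM both hides the key and rejects a tampered blob. Assumed for the example: a 32-byte storage key that a real signer would derive from the user's passphrase with a KDF, and constructed sample bytes standing in for an nsec.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// xorWithKey is the repeating-key XOR the post describes replacing. XOR is its own inverse, so one
// known plaintext yields the storage key, xorWithKey(ct, plain)[:len(key)], and every other stored nsec.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealNsec: AES-256-GCM gives confidentiality plus an authentication tag, so a tampered blob fails to
// open instead of decrypting to a wrong key. Assumed: the key comes from a KDF over the passphrase.
func sealNsec(key, nsec []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, nsec, nil), nil // blob = nonce || ciphertext || tag
}
// openNsec reverses sealNsec and returns an error if the blob was modified or truncated.
func openNsec(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```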

Discussion

🤯

Have been considering this a lot with respect to our trading platform never wanting to see a customer's keys. The answer seems to be to simply allow users to send their data to the API along with generating an encryption key on server and having additional services only forwarding secure data in a relay type manner. Never saving tokens in the browser at all.

An alternative could be a desktop app. We have around 90% of the server infrastructure in place. Pretty cool stuff with Nostr keys for the first iteration.

I built Blockcore Wallet some years ago as a "crypto wallet" (it also had Bitcoin support), but there is only one chain left. It also works well as a Nostr signer, though, and I've used it for years now. It stores the keys encrypted and uses a background process to keep the private key in memory when unlocked. It supports multiple accounts from a recovery phrase, and also manual import of any nsec.

Will likely soon remove all wallet features and make it a pure key manager, with support for Nostr and DID.

https://github.com/block-core/blockcore-wallet

yeah that's a good idea or fork it and make the fork a nostr signer, plus maybe it can even be a remote signer? if I anyway run it on my browser and trust it then it could potentially also be a nip46 signer no? (can a browser extension open web sockets?)

"What really surprised me is that some browser add-ons just store the user's nsec in plain text"

What? This can be easily fixed though, no?

What all desktop key signers did you compare?

I’ve added key.band later on because somebody mentioned it. But that’s all for now. I basically just did this comparison to see if there are maybe some good practices I might've missed when implementing NoorSigner.