tank
311b497635856767ff5c1cefa2b8c5c875ce184ae4876da9279e829ba01dd129
Founder Coach, Building StashPay

The main issue I see is the low cost of the attack vs the reward, especially for wallets. It’s basically impossible to detect an attack deployed via web server. E.g. a server could target specific IP addresses. In contrast it’s easy to detect a malicious app update as it would have to be pushed to all client devices. A state-level actor compromising devices is quite expensive to do at scale.

I want to like PWAs. But what’s the strategy to mitigate attack vectors like web server compromise and XSS? It seems like only a matter of time until honeypots are attractive enough, especially for lightning wallets. I’m not sure the UX trade-offs of using browser extensions are workable as every signature/transaction would have to be confirmed within the context of the extension UI.

#[0]​ #[1]​ had to think of you two when I discovered this: https://twitter.com/tankredhase/status/1653928853495054337

Very cool privacy upgrade to WalletOfSatoshi:

https://wallet.cashu.me

Is Calle on Nostr?

Perfect forward secrecy for Nostr DMs would go a long way. With E2EE now in iCloud we could let iOS handle Damus backups. Relays would need to support cryptographic ratcheting though 🤔 #[0]

One downside of Nostr is you have to assume your DMs will all be public one day. Encryption is not forward secure and we learned with PGP what happens when users copy & paste key strings :/

By the time #[3] is done nomading there will be 100s of nostr relays set up worldwide.

💯 The nature of the ego is “more”. True wealth is being in control of your time and finding peace of mind.

Nostr is my new favorite place on the internet. It’s like Bitcoin Twitter but with zaps instead of ads.

Testing Zaps 🙏🏼⚡️