
Apologies for the noob question, or if this is not the correct forum for this question, but still could not help it.
So, I just signed up on nostr, got an npub and an nsec, and backed them up very safely. The question is, how do I use them?
It seems websites like Alby or Iris always ask for my private key here, which seems the opposite of the spirit of private? Am I understanding something wrong here? Do people indeed give websites their private key? And if so, how is it better than the traditional web? Rather, it seems the private key is my one password for the entire internet, which is, rather, a very vulnerable attack surface (as opposed to different passwords for my gmail, my Facebook, my LinkedIn etc.)?
Now, it is my bread and butter (as part of my day job) to manage dozens of cloud Linux instances by SSH logins (which means depending on ed25519 keys). Are we talking about the same concept here? But in my cloud/DevOps world, if a server asked for my private key, I would likely run for the hills, and make sure to delete it.
What's missing?
311 sats \ 1 reply \ @aljaz 31 Jul
To the contrary, you just need to sign events, which is generally accomplished with browser extensions (alby, nos2x) or remote signers (amber, nsecbunker).
Sharing nsec with any app/service is an antipattern that we can't seem to get fully rid of (it's the easiest to create in terms of onboarding but very risky). Mobile apps tend to be a bit harder and you generally need to give them your nsec, though at least on mobile it's a bit easier to ensure the security of that key compared to the web.
Go to nostr.net and you can see the offerings of browser extensions (on the right, the nip-08 browser extensions category).
reply
If you can use Amber (or another decoupled app), use that. Browser extensions have access to all content of a tab (given you've secured it) when enabled, and thus are the perfect entry point for malware.
reply
Key management is awful on nostr point blank. They need better tools to protect your private key.
reply
55 sats \ 0 replies \ @OT 31 Jul
I played around with nsec bunker but didn't seem to work. Now I just use a new profile for each app. It's not such a big deal unless you're a popular influencer and have an account that gets zapped every day.
reply
I feel the same way. Ideally, there should be a key manager, like a password manager, so apps don’t ever touch — let alone store — our nsec. That way, even if an app has security issues, our nsec stays safe.
Personally, I always keep my nsec in the getAlby extension on the browser. Apps (like Primal) just sign through getAlby and never access the nsec directly.
reply
So you mean I have to trust Alby with the nsec, then it can sign messages for other apps like Iris without exposing the nsec to Iris (example)?
Then two questions
  • Is Alby trustworthy enough?
  • Do other apps following the Nostr protocol always accept signature from Alby without requiring my private key?
reply
21 sats \ 2 replies \ @k00b 23h
Alby is trustworthy; at least, I trust Alby. Their code is all open source and they've been in bitcoin, and heavily involved in nostr, for a long time now.
The extension won't sign stuff without you giving permission and it will not reveal it to apps.
reply
Thanks, does it mean every app using the Nostr protocol can accept signature from Alby (as opposed to storing my nsec)?
reply
0 sats \ 0 replies \ @k00b 11h
Yes. Nostr signatures are standardized. They're a particular type of cryptographic signature that every nostr app will recognize and accept as yours no matter which app signed your notes.
reply
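To make the separation concrete, here is an added example (not code from any commenter, and not from Alby, Iris or any other project): a minimal Nostr flow where the "app" only ever holds the public key, builds an unsigned event and hands it to a separate signer object that is the sole holder of the secret key, then any app verifies the result with the standardized check. It assumes the NIP-01 event serialization (sha256 of `[0, pubkey, created_at, kind, tags, content]`) and BIP-340 Schnorr over secp256k1, both of which are what Nostr actually uses; the `Signer` class, the function names and the sample event are constructed for this example. It works on raw 32-byte keys rather than the nsec/npub bech32 strings, which are just an encoding of those same bytes.

```python
"""Added example: app builds events, a separate signer holds the nsec, anyone verifies."""
import hashlib
import json
import secrets

# secp256k1 domain parameters (field prime, group order, generator).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _tagged_hash(tag, data):
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + data).digest()


def _b32(i):
    return i.to_bytes(32, "big")


def _lift_x(x):
    """BIP-340: recover the even-y point for an x-only public key."""
    if x >= P:
        raise ValueError("x out of range")
    c = (pow(x, 3, P) + 7) % P
    y = pow(c, (P + 1) // 4, P)
    if pow(y, 2, P) != c:
        raise ValueError("not on curve")
    return x, y if y % 2 == 0 else P - y


def schnorr_sign(seckey, msg, aux=None):
    """BIP-340 signing; aux defaults to fresh randomness."""
    d0 = int.from_bytes(seckey, "big")
    if not 1 <= d0 < N:
        raise ValueError("bad secret key")
    pub = _mul(d0, G)
    d = d0 if pub[1] % 2 == 0 else N - d0
    aux = secrets.token_bytes(32) if aux is None else aux
    t = _b32(d ^ int.from_bytes(_tagged_hash("BIP0340/aux", aux), "big"))
    k0 = int.from_bytes(_tagged_hash("BIP0340/nonce", t + _b32(pub[0]) + msg), "big") % N
    if k0 == 0:
        raise ValueError("zero nonce")
    r = _mul(k0, G)
    k = k0 if r[1] % 2 == 0 else N - k0
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", _b32(r[0]) + _b32(pub[0]) + msg), "big") % N
    return _b32(r[0]) + _b32((k + e * d) % N)


def schnorr_verify(pubkey, msg, sig):
    """BIP-340 verification: needs only the x-only public key, never the secret."""
    try:
        pub = _lift_x(int.from_bytes(pubkey, "big"))
    except ValueError:
        return False
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if r >= P or s >= N:
        return False
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg), "big") % N
    R = _add(_mul(s, G), _mul(N - e, pub))  # s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r


def event_id(ev):
    """NIP-01 event id: sha256 of the canonical JSON array, no whitespace."""
    payload = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_unsigned_event(pubkey_hex, kind, content, created_at, tags=()):
    """What a client app can do with only the public key."""
    ev = {"pubkey": pubkey_hex, "created_at": created_at, "kind": kind,
          "tags": [list(t) for t in tags], "content": content}
    ev["id"] = event_id(ev)
    return ev


class Signer:
    """Stand-in for an extension or remote signer: the only holder of the secret key."""

    def __init__(self, seckey):
        self._seckey = seckey  # never handed out
        self.pubkey_hex = _b32(_mul(int.from_bytes(seckey, "big"), G)[0]).hex()

    def sign_event(self, ev):
        # Refuse events that were not built for this key or whose id is stale.
        if ev["pubkey"] != self.pubkey_hex or ev["id"] != event_id(ev):
            raise ValueError("refusing to sign an event not built for this key")
        signed = dict(ev)
        signed["sig"] = schnorr_sign(self._seckey, bytes.fromhex(ev["id"])).hex()
        return signed


def verify_event(ev):
    """Any relay or app can run this; it needs nothing secret."""
    if ev.get("id") != event_id(ev):
        return False
    return schnorr_verify(bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["id"]), bytes.fromhex(ev["sig"]))


if __name__ == "__main__":
    signer = Signer((3).to_bytes(32, "big"))  # constructed test key, not a real nsec
    ev = build_unsigned_event(signer.pubkey_hex, 1, "hello nostr", 1690000000)
    print(verify_event(signer.sign_event(ev)))
```

The check in `verify_event` is the same whichever signer produced the signature, which is why an app only needs the pubkey and a signed event, and why handing the nsec to the app buys it nothing it needs for this flow. The secret key of 3 is a constructed test value so the derived public key can be checked against the known secp256k1 point 3G.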
0 sats \ 0 replies \ @Car 22h
We’ve had this discussion before on SN, see the great @janetyellen Nostr debate of 2023 #131593
reply
This is really strange; it's as if they're asking for your seed on a public website, and that's exactly what happens. I don't think you're wrong, especially since the bunker options we have are somewhat custodial, in my opinion.
reply
I have very similar feelings about it and do not understand the nostr mania in the bitcoin community that otherwise prefers strong security and trustlessness.
Having your public identity bound to a private key that cannot be changed when leaked (or worse when stolen) is so stupid...
reply
0 sats \ 0 replies \ @nolem 22h
Yeah I agree, you don't use the same wallet address every time, you use a fresh key if you like each time, but the overall amount is under the umbrella of whatever your set-up is.
Nostr is using the "this is the only key used by jack, jill or whoever, and that is the verification of the said account" model.
Like has been said, losing the nsec, or entrusting it to a bunker service is not ideal.
But I guess there needs to be privacy and truth at the same time which is obviously tricky to balance.
To the OP, I'm just starting with Pubky, I got an invite code from JC, and it's all new, just working things out.
reply