reply on: Is Sharing Private Key with Websites a Necessary Part of Using Nostr? \ stacker news ~nostr

pull down to refresh

33 sats \ 4 replies \ @yfaming 31 Jul \ on: Is Sharing Private Key with Websites a Necessary Part of Using Nostr? nostr

I feel the same way. Ideally, there should be a key manager, like a password manager, so apps don’t ever touch — let alone store — our nsec. That way, even if an app has security issues, our nsec stays safe.

Personally, I always keep my nsec in the getAlby extension on the browser. Apps (like Primal) just sign through getAlby and never access the nsec directly.

5 sats \ 3 replies \ @spiderman OP 31 Jul

So you mean I have to trust Alby with the nsec, then it can sign messages for other apps like Iris without exposing the nsec to Iris (example)?

Then two questions

Is Alby trustworthy enough?
Do other apps following the Nostr protocol always accept signature from Alby without requiring my private key?

21 sats \ 2 replies \ @k00b 31 Jul

Alby is trustworthy; at least, I trust Alby. Their code is all open source and they've been in bitcoin, and heavily involved in nostr, for a long time now.

The extension won't sign stuff without you giving permission and it will not reveal it to apps.

0 sats \ 1 reply \ @spiderman OP 1 Aug

Thanks, does it mean every app using the Nostr protocol can accept signature from Alby (as opposed to storing my nsec)?

0 sats \ 0 replies \ @k00b 1 Aug

Yes. Nostr signatures are standardized. They're a particular type of cryptographic signature that every nostr app will recognize and accept as yours no matter which app signed your notes.