Jacob | Five Eye Tea on Nostr: Let's discuss a possible Nostr security flaw. If you use the web version of Nostr, ...
Let's discuss a possible Nostr security flaw.
If you use the web version of Nostr, the easiest way to actually log in is via an extension such as Flamingo. This is recommended in the Nostr documentation. These extensions allow you passkey-like access to your account on whatever web client you choose to use (typing this from Snort at the moment).
The problem is that the extension isn't locked by any sort of PIN or passcode.
Common security advice is to never use browsers' built-in password managers because of the fact that there are different types of browser attacks that can either steal your passwords or outright steal your login cookies to gain access to accounts without having to log in with a password.
Now, in fairness, I'm guessing Nostr isn't quite as vulnerable to a token stealer attack due to how it works, but a password theft could still reveal your nsec through these extensions due to the fact that they're not locked behind anything.
Ideally, I'd love to see more password managers offer support for Nostr, since it'd be a lot nicer to just have my keys in Proton Pass so I can log in as I'd log in anywhere else, but for now, using a Nostr extension is the only real way I can use Nostr on the web. Why haven't the developers of these extensions added PIN/password capabilities of some sort?
Just some thoughts I had. If I'm wrong, please do provide the reasoning as I'd like to have greater peace of mind on this.
#asknostr #securitychain #cybersec #cryptography
If you use the web version of Nostr, the easiest way to actually log in is via an extension such as Flamingo. This is recommended in the Nostr documentation. These extensions allow you passkey-like access to your account on whatever web client you choose to use (typing this from Snort at the moment).
The problem is that the extension isn't locked by any sort of PIN or passcode.
Common security advice is to never use browsers' built-in password managers because of the fact that there are different types of browser attacks that can either steal your passwords or outright steal your login cookies to gain access to accounts without having to log in with a password.
Now, in fairness, I'm guessing Nostr isn't quite as vulnerable to a token stealer attack due to how it works, but a password theft could still reveal your nsec through these extensions due to the fact that they're not locked behind anything.
Ideally, I'd love to see more password managers offer support for Nostr, since it'd be a lot nicer to just have my keys in Proton Pass so I can log in as I'd log in anywhere else, but for now, using a Nostr extension is the only real way I can use Nostr on the web. Why haven't the developers of these extensions added PIN/password capabilities of some sort?
Just some thoughts I had. If I'm wrong, please do provide the reasoning as I'd like to have greater peace of mind on this.
#asknostr #securitychain #cybersec #cryptography