Braydon Fuller on Nostr: Entering a private key into a web app is much less secure than a signer app or ...
Entering a private key into a web app is much less secure than a signer app or extension. However, a signer app still can have its issues, just less.
A few of the issues:
- Phishing attempts from similar looking domains.
- Hot loading code from a remote server, not signed releases from the maintainer.
- Encourages entering nsec somewhat carelessly into more than one web app. It could be entered into a clipboard, which has been another vector of attack.
- Users' habits of this type of behavior from passwords on every other web app. Passwords can be reset via email resets; a private key cannot be reset. It thus cannot communicate the importance of it not leaking, and thus careless backups and storage.
None of that is good for non-technical users.
Published at 2024-10-25 17:26:40

Event JSON
{
  "id": "58ce6d391bc8dbcfbf68a383baf72113e8310b41bd9ba147c8d21e0c76a21167",
  "pubkey": "1bf9f239dca1636149bc2f3fc334077ae959ea9607cacf945ef8f8bb227dc5e1",
  "created_at": 1729877200,
  "kind": 1,
  "tags": [
    [
      "e",
      "3169146c22d4dd75ee8486afd6a163c95e63156729eb76ca93b0b8d2c4608ea7",
      "",
      "root"
    ],
    [
      "e",
      "4620b2d475092834826ae4e79f0a668f5c2559bcdc20e91dfb89d60c7f947da9"
    ],
    [
      "e",
      "a6ae66144724bfa69709301e71e5dd9715f290e73f8977d5436fc904f46bb65e",
      "",
      "reply"
    ],
    [
      "p",
      "6867d899ce6b677b89052602cfe04a165f26bb6a1a6390355f497f9ee5cb0796"
    ],
    [
      "p",
      "1bf9f239dca1636149bc2f3fc334077ae959ea9607cacf945ef8f8bb227dc5e1"
    ],
    [
      "p",
      "97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322"
    ]
  ],
  "content": "Entering a private key into a web app is much less secure than a signer app or extension. However, a signer app still can have its issues, just less.\n\nA few of the issues:\n- Phishing attempts from similar looking domains.\n- Hot loading code from a remote server, not signed releases from the maintainer.\n- Encourages entering nsec somewhat carelessly into more than one web app. It could be entered into a clipboard, which as been another vector of attack.\n- Users habits of this type of behavior from passwords on every other web app. Passwords can be reset via email resets, a private key can not be reset. It can thus not communicate the importance of it not leaking, and thus careless backups and storage.\n\nNone of that is good for non-technical users.",
  "sig": "7ba177043edb06b46307c0c8e16a3e7348e5e82991ee469132c9d9233a1a2768fb8e74d1c2e7ababe0a2562ad913dc4cb0c7b3401523367c02ca897bbfb70be1"
}