YeOldeHodler [OLD ACCOUNT SEE PROFILE FOR NEW NPUB] on Nostr: In light of recent events with web clients some of y'all have expressed concerns ...
In light of recent events with web clients some of y'all have expressed concerns about using
Bija (npub19pl…y5l0) because its UI runs in a browser, so I'm making a few changes.
I will be looking at integrating Alby, but that will likely not be until January sometime. What I am doing for now is setting it up so that you don't ever need to expose your private key in the browser: you can do your account setup at the command line.
One thing I want to clarify is that although Bija's UI runs in a browser, it is never directly exposed to data received from relays; everything is sanitised on the back end before being sent to the UI. The only external sources loaded in the browser are images and other media linked in posts. I wouldn't be so bold as to claim there are no vulnerabilities (that remains to be seen), but there are certainly none I'm aware of, and sanitising data before it's received by the browser definitely mitigates a lot of risk.
In the current release private keys are exposed to the UI in two ways (which will change ASAP):
1) When you first create or add your keys.
2) Within the settings page there's an option to view your keys.
Again, with the upcoming changes you will be able to create/add keys at the command line, so you'll never need to do the former. WRT the latter, if you add a login password (you'll also be able to do this at the command line) the only way to view keys in the browser would be to enter your password.
* Having a login password also means that your private key is stored encrypted.
I hope this resolves some of your concerns. Without reviewing the code yourself you obviously still need to trust Bija, but again, I will look into Alby integration so that you at least have the choice between trusting Alby or trusting Bija with the keys.
Peace 🙏
Published at 2022-12-20 12:29:52
Event JSON
{
"id": "9e547733293730fd5b9ed18de6183283b0bd2b7e646700b55ef1ce529729417a",
"pubkey": "de8ef91036c0d79596b65fef304cd759d4aabbd8c653b29077c0dccb32e4e9ef",
"created_at": 1671539392,
"kind": 1,
"tags": [
[
"p",
"287f1c9eb5c3faa88f9920626da4b0492c91d6ee5e2da71b3e9e0702e790c154"
],
[
"client",
"BIJA"
]
],
"content": "In light of recent events with web clients some of y'all have expressed concerns about using #[0] because it's UI runs in a browser, so I'm making a few changes.\n\nI will be looking at integrating alby but that will likely not be until January sometime. What I am doing for now is set it up so that you don't ever need to expose your private key in the browser, you can do your account setup at the command line.\n\nOne thing I want to clarify is that although Bija's UI runs in a browser it is never directly exposed to data received from relays, everything is sanitised on the back end before being sent to the UI. The only external sources loaded in the browser are images and other media linked in posts. I wouldn't be so bold as to claim there's no vulnerabilities, that remains to be seen, but there's certainly none I'm aware of and sanitising data before it's received by the browser definitely mitigates a lot of risk.\n\nIn the current release private keys are exposed to the UI in 2 ways (which will change asap)\n1) When you first create or add your keys.\n2) Within the settings page there's an option to view your keys.\n\nAgain, with the upcoming changes you will be able to create/add keys at the command line so you'll never need to do the former. WRT to the latter, if you add a login password (you'll also be able to do this at the command line) the only way to view keys in the browser would be to enter your password. \n\n* Having a login password also means that your private key is stored encrypted.\n\nI hope this resolves some of your concerns. Without reviewing the code yourself you obviously still need to trust Bija, but again, I will look in to Alby integration so that then at least you have the choice between either trusting alby or trusting bija with the keys.\n\nPeace 🙏",
"sig": "4bc03c96fb11e57e84d34545ea298e514c2185408d7e60c35630ad92ea5308036ee40f4b48e388f1288c9f39da40dc797343f4cdd030324714467213aeab9798"
}