jb55 on Nostr: after working on Damoose (safari extension), it seems nostore is pretty insecure ...
after working on Damoose (safari extension), it seems nostore is pretty insecure because it exposes your private key to the javascript environment.
Since we store your key in the iOS keystore, we can just access this from the plugin background process instead of the browser's javascript runtime environment.
We can sandbox the plugin process to disable outgoing networking connections, so it can only send messages to and from the browser, so it should be way more secure than what nostore was doing.
Published at 2024-08-06 18:30:29
Event JSON
{
"id": "5d2e87fc049f8ad960a0e6b88252e0781cd426d023fe2e8934e61c240350d30b",
"pubkey": "32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245",
"created_at": 1722969029,
"kind": 1,
"tags": [],
"content": "after working on Damoose (safari extension), it seems nostore is pretty insecure because it exposes your private key to the javascript environment.\n\nSince we store your key in the iOS keystore, we can just access this from the plugin background process instead of the browser's javascript runtime environment.\n\nWe can sandbox the plugin process to disable outgoing networking connection, so it can only send messages to and from the browser, so it should be way more secure than what nostore was doing.\n\nhttps://cdn.jb55.com/s/93bf3c58285fb23a.png",
"sig": "3223cd259e9057607f78c82a419221959175c87206e543577cf8446e023bf074cc1d132b6b1a129ee0970815f0749b795e972a2cff8636411b1d40c731909c83"
}