I'm not interested in feelings or theory. I'm interested in reality and security. Having a culture that encourages giving a private key to whatever asks for it is awful security and will have terrible consequences if Nostr catches on and gets used more broadly. My issue isn't with the ability to connect different apps, but with the current model of just giving a private key to apps. I don't take any of it seriously right now and won't until there is a more secure model by default.
The encouraged model should be to keep private keys offline if one's entire identity is to be connected to a single key. That's not what I see currently, but work is being done.
Replies (2)
So are you working to do any of this? Or just telling us how to do it? I hear lots of security experts who love to tell me how to do things but most don’t either talk to actual users or build systems for other people to use. It’s like all the security experts getting pissed at Signal for using phone numbers but nobody built a version that really worked without phone numbers even though it’s open source and they kept saying it’s really important.
Or how security folks tell users to not reuse passwords but it was a couple decades before people admitted that was an insane impossibility and switched to passkeys that come with managed software.
We created OAuth to solve this same basic problem: keep users from putting usernames and passwords in random apps. The effect of platforms switching to using OAuth meant that all power got concentrated in centralized platforms.
I’m sick of security researchers who tell us how software should work. Think we’re doing it wrong? Build a better solution.
Just use a signer. 🤷♀️