That isn't the only difference. Having my Proton password compromised doesn't also compromise my bank accounts, social media, etc. That's essentially what would happen if one app mishandled your Nostr key. You'd have your entire stack lost all at once. The whole selling point has been one key for all these different things and that is a broken model from a security perspective.
As I said, people can use different keys for every service, but that doesn't solve the root problem. You've simply limited the reking to one service, just like the password model we have now. Except there are no recovery options.
We need a way to give our private keys to no one. Just like Bitcoin. I shouldn't have to give every wallet my private key to transact, nor should I on Nostr.
We're talking about different things.
If you share a password/nsec, multiple services can be comprimised at once.
If you type a password/nsec into a shady app (proton, a proton companion or clone, or anything else), it'll be compromised.
Both points are true. People shouldn't do either.
People are already better (but still bad) at not reusing passwords. Painting an equivalence between passwords and nsecs helps folks grok the problems with nsec reuse.
Painting a distimction between them creates some very difficult differences in our expectations.
"Identity" on the other hand is distinct, and we do need a way for multiple nsecs to sign for one identity, the same way we have ways to allow multiple passwords to authenticate the same human.
It is NOT the same thing. Even using the same password across websites is not the same as using the same nsec. You can go and change your passwords if one gets compromised and even recover from a compromised password in most cases. You can do that with an nsec. The two things are not equivalent, even if the same bad practices are used for both cases. If I show you my nsec I can't just go change it. Everything is gone forever. That is a lot more catastrophic than even using the same login for every website. For one, an attacker would need to know every place I have an account and go there separately and do something bad. An attacker with my nsec would instantly have access to anything I have on Nostr forever and there's fuck all I can ever do about it. Those two things are clearly different. The idea that we should be throwing everything onto Nostr right now is bananas, and that's the only point I'm making here.
*can't do that with an nsec
All fair points, but still, you're only looking at the cases where users type nsecs into untrusted apps, which is IMO orthogonal to whether a legacy solution can or should try to be built out on nostr.
We should teach *users* why nsec security is important, not chill *devs* trying to build out the ecosystem. I use amethyst; never gave it any of my nsecs. Why not nostr login on proton too?
I think the fundamental issue I have is that an app needs to be trusted. I'm not just focusing on typing the nsec into untrusted apps. Even trusted apps can be dangerous, even if by accident. My only issue here is with saying that X company/service should use Nostr instead. Sorry if I haven't conveyed that well. The Nostr general model IS better, just not from a security perspective yet. Nostr should be treated as alpha testing right now until we have at least Bitcoin like security options. We don't (at least from my research), so I disagree that legacy solutions should instead build on Nostr. That's all I'm saying here. People are treating it like it's ready for every service to build on and it isn't. Many more people will get rekt than on the current legacy model, in my opinion.
Also, you gave something your nsec if you're using Amethyst to sign notes. My opinion is that I should have the option to give NOTHING my nsec ever. I don't see how that's possible right now and would discourage building critical services on Nostr until we fix that. I don't think Proton should allow it for security reasons. That's my whole point.
Something needs an nsec at some point unless you're doing your cryptography with pen and paper! I use Amber as a signer (on GrapheneOS with network permissions disabled for that app)
I hear ya though, you're definitely not wrong about nsec security! And I was bit off about PW/nsec equivalemce 🙄
Just thought as an amethyst/amber user, it was an odd reaction to nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qgwwaehxw309ahx7uewd3hkctcscpyug s suggestion, because I'd love to conceivably install & open proton, click a button, sign an event in amber (or whatever), and get logged into my (maybe just newly created) proton account. 🎉
The current security model should be entirely changed before we encourage more people to use more things on Nostr. Otherwise, almost everyone is just going to copypasta the same nsec into everything that asks for it and get rekt at some point. We need a new default.
Oddbean new post about login | logout