@gel I would be very sad to see you go 😔. I guess Melvin already mentioned a possible long-term solution.

Let's try to do some process of elimination and some housekeeping. If you already know this then ignore me. 🫂

1.) Have you figured out whether your nsec has been stolen? If yes, what made you believe so? E.g., have you seen any posts that are not yours, perhaps?

2.) a.) If not, perhaps it is impersonation. Therefore, we need to create a web of trust for you. Perhaps a secret word that only you and your connections would know. However, this would require you to have a different method of sharing this secure word or phrase exclusive to your trusted friends here. This may be a tricky one, but it is possible.
b.) Use a keystore like nsec.app or Amber for Android clients (I forgot the name for iOS) to log in to Nostr clients. This keeps your key secure. Think of it like a second auth. When you log in to nsec.app or any keystore, it will ask you to store your nsec there. You need to have a master key for that keystore, so every time you log in to any Nostr client, you will use a random link to log in and you have to approve the connection, i.e. which client you want to approve. It is important to renew the cache and avoid re-using the permission cache. I'd suggest refreshing it when using the web, to keep it safe from cache session hijacking (I have not tested this theory yet). This is to make sure you are only allowing the client you granted permission to access that specific client. You can customise what each client can and cannot do.

3.) Use a VPN and a password manager. On top of the keystore, it is best practice to always encrypt your traffic in transit (VPN). A password manager keeps all your keys, passwords and secret phrases encrypted, online and offline. There are so many trusted vendors out there. I have used NordVPN for 7 years now.

4.) Encrypt your mobile phone and laptop.


If you need to jump on hivetalk to help you with this, let me know! 👌

Keep us posted! ☺️ 
To clarify, I have not tested or seen the cache hijacking theory using the keystore. #asknostr has someone tested this yet?
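The keystore flow described in point 2b (the secret key stays in the signer, each client gets its own explicit approval, and cached approvals should not be reused indefinitely) can be sketched as a small permission model. The following is an added example written for this thread; it is not code from nsec.app, Amber or any Nostr client. The event kinds, client ids, the HMAC stand-in for a real Schnorr signature and the expiry-based cache policy are all assumptions made for illustration.

```python
"""Toy remote-signer permission model (added example, not from the post or from
nsec.app/Amber). Shows per-client scoped approvals and expiring permission
caches, so a stale web session cannot keep signing on the user's behalf."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Grant:
    """Scope of one client's approval: which event kinds it may ask the signer
    to sign, and when the approval expires and must be renewed."""
    allowed_kinds: frozenset
    expires_at: float


@dataclass
class Signer:
    """Toy keystore. The secret key never leaves this object; clients only ever
    receive signatures, and only for what their grant permits."""
    nsec: bytes
    grants: dict = field(default_factory=dict)  # client id -> Grant

    def approve(self, client_id, allowed_kinds, ttl_seconds, now=None):
        """User-side approval of one client with a fixed lifetime."""
        now = time.time() if now is None else now
        grant = Grant(frozenset(allowed_kinds), now + ttl_seconds)
        self.grants[client_id] = grant
        return grant

    def revoke(self, client_id):
        """Drop a client's approval, e.g. when a web session ends."""
        self.grants.pop(client_id, None)

    def sign(self, client_id, kind, content, now=None):
        """Sign on behalf of a client, enforcing the grant first."""
        now = time.time() if now is None else now
        grant = self.grants.get(client_id)
        if grant is None:
            raise PermissionError("client has no approval")
        if now >= grant.expires_at:
            # Stale approvals are discarded rather than silently reused.
            del self.grants[client_id]
            raise PermissionError("approval expired; re-approve the client")
        if kind not in grant.allowed_kinds:
            raise PermissionError(f"kind {kind} not permitted for this client")
        # Stand-in for a real signature: an HMAC over the event with the secret
        # key. Real Nostr signers use Schnorr signatures over secp256k1.
        message = f"{kind}:{content}".encode()
        return hmac.new(self.nsec, message, hashlib.sha256).hexdigest()


def try_sign(signer, client_id, kind, content, now=None):
    """Return (ok, signature_or_reason) so callers can see why a request failed."""
    try:
        return True, signer.sign(client_id, kind, content, now=now)
    except PermissionError as exc:
        return False, str(exc)


def demo():
    """Walk through the post's scenario with a constructed key and two clients."""
    signer = Signer(nsec=b"constructed-demo-key-not-a-real-nsec")
    t0 = 1_700_000_000.0
    # Approve a web client for text notes (kind 1) only, for ten minutes.
    signer.approve("web-client", allowed_kinds={1}, ttl_seconds=600, now=t0)
    return {
        "note_allowed": try_sign(signer, "web-client", 1, "hello", now=t0 + 1)[0],
        "dm_blocked": try_sign(signer, "web-client", 4, "secret", now=t0 + 1)[0],
        "unknown_client": try_sign(signer, "rogue-app", 1, "hi", now=t0 + 1)[0],
        "expired": try_sign(signer, "web-client", 1, "late", now=t0 + 601)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'signed' if ok else 'refused'}")
```

The point of the `expires_at` check is the one the post raises about refreshing the permission cache: an approval that a client obtained earlier is not honoured forever, so a browser session that outlives the user's intent loses its signing rights without the user having to notice and revoke it by hand.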
 Thank you so much Lady Mae! 🐝