💯 Been saying this since I joined Nostr.

nostr:nevent1qqszzfcz45pzkjyc2u6qj80h2ngfvpue0c4tanjnqqagsvethen4mrqpz9mhxue69uhkummnw3ezuamfdejj7q3qxtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsxpqqqqqqz76q8lr 
I partially agree. My Trezor supports FIDO2, and I'm not worried about that key leaking. It never leaves the device, unlike passwords. I consider this superior to any password manager, and that's saying something coming from me!

I agree that giving your nsec to a website is sketchy. Maybe it's stored in LocalStorage and never leaves your browser, but it's hard to know and even if that's true, it still turns an XSS vulnerability into "my private key has been leaked".

So, the way people are implementing things now… yeah, no. But I think there is potential for cryptographically secure authentication, possibly by just signing each request and not even having a session token. 
nostr:nevent1qqszwn7n0vpkc2hyex3e7vyvv2c33umf8swzqr9g7jfk3yqg2a5jx0cprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsygzwhzp3p445ak2ud4n289dn6084txu9ltkg7a53mt75qk5jup2ad5psgqqqqqqs6gcy0e