Thanks for this! I think it's important to add that:
  • The web-based clients are compromised because of the browser security flaw. It's important not to put your private key directly into the browser. Instead, use an extension called Alby to sign – the nostr private key can be generated and stored more securely in the Alby settings.
  • It's good to understand how the relays work: https://usenostr.org/#relays
Using Alby helps but is still extremely bad on web clients like anigma and nostr.com. For example, even if you use Alby to hide your private key, attackers can still (1) decrypt and siphon the contents of all your DMs, (2) steal any money you have in the anigma wallet, and (3) impersonate you.
This is all because Alby auto-signs messages on your behalf. Attackers who want your private data -- even if you use Alby -- can use the cross-site scripting vulnerability of anigma and nostr.com to create messages containing all your private data (except your private key itself), ask Alby to sign them, wait for the auto-signature Alby gives, and then send those messages to themselves, thus stealing all of your private data except your private key.
So still don't use anigma without awareness that it's just a toy example, a proof of concept. People see everything you type into it and they can take any money you have on it. When I wrote it I did not know how cross-site scripting vulnerabilities worked. Eventually I hope to rewrite it with vulnerability avoidance top of mind.
reply
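Two defensive layers follow from the chain described in the post above: the client must escape relay-supplied content before it reaches markup (closing the cross-site scripting hole), and a signer extension should apply a per-request policy rather than auto-signing whatever a page asks for. The block below is an added illustration and is not anigma's, nostr.com's or Alby's code. The method names `signEvent` and `nip04.decrypt` are the real NIP-07 names; the policy object, the origin allowlist, the sample event and the helper functions are assumptions made for the example.

```javascript
// Added example (not from the original thread, anigma or Alby).

// Layer 1: escape the five characters that let untrusted text change HTML structure.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: event content from a relay is concatenated straight into markup
// (what `el.innerHTML = ...` does in a browser). Anything in `content` becomes live HTML.
function renderNoteVulnerable(event) {
  return `<div class="note" data-pubkey="${event.pubkey}">${event.content}</div>`;
}

// Hardened pattern: every relay-controlled field is escaped before it touches markup.
function renderNoteSafe(event) {
  return `<div class="note" data-pubkey="${escapeHtml(event.pubkey)}">${escapeHtml(event.content)}</div>`;
}

// Review helper: does the rendered markup contain any tag the client itself did not write?
function containsUnexpectedTag(html, allowed = ["div"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Layer 2: a signer policy (assumed shape, not Alby's) that never auto-signs silently.
// Returns "allow", "ask" or "deny" for a NIP-07 request coming from a page origin.
const signerPolicy = {
  trustedOrigins: ["https://example-client.invalid"], // assumed allowlist
  autoSignKinds: [1], // only plain notes may be signed without a prompt
};

function signerDecision(request, policy = signerPolicy) {
  const trusted = policy.trustedOrigins.includes(request.origin);
  if (!trusted) return "deny"; // unknown page: no key use at all
  if (request.method === "nip04.decrypt") return "ask"; // DM plaintext always needs consent
  if (request.method === "signEvent") {
    const kind = request.event && request.event.kind;
    // Auto-sign only the kinds the user opted into; anything else (DMs, zaps, deletions) prompts.
    return policy.autoSignKinds.includes(kind) ? "allow" : "ask";
  }
  return "deny";
}

// Constructed sample (not real data): a kind-1 note whose content carries markup.
const sampleEvent = {
  kind: 1,
  pubkey: "pubkey_placeholder_hex",
  content: "hello <script>/* injected */</script> world",
};

console.log("vulnerable:", renderNoteVulnerable(sampleEvent));
console.log("safe:      ", renderNoteSafe(sampleEvent));
console.log("decrypt from trusted origin:",
  signerDecision({ origin: "https://example-client.invalid", method: "nip04.decrypt" }));
```

The rendering fix removes the injection point; the policy removes the silent signature that the injected code relied on, so a page that is compromised anyway cannot have DMs decrypted or arbitrary events signed without the user seeing a prompt.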
This is one detailed explanation! All the best in building!
reply
Thanks for imparting your knowledge, mate
reply