Thread

😂😂😂😂😂 Looking forward to listening to your meat-AI hallucinations 😂

This mode doesn't require any extension and it's architected to work on mobile without any wizardry. The goal of this is to be a workflow that anyone who has been using the internet in the past year can feel very familiar with without learning a bunch of new things, specially when the payoff is not apparent.

Merci beaucoup Pablo de mon côté je peine à contribuer aux zaps nul n'a pas m'expliquer comment faire avec mon mobile et Getalby pour zapper j'ai noté que WSatodhi ne fonctionne plus sur les usa.. Lequel serait plus adéquat sur Android entre Zeus Bolt mutiny etc.. .. Il y en a tellement avec les publicités récurrentes de nostriches et clients en fonction d'1 objectif type sur une journée type que je m'y perds réellement et ne pense être la seule. Raison pour laquelle je ne veux point associer mes Bitcoins à mon compte nostr 🤨

With nsecBunker, the key is encrypted on the client side.

I think this has the potential to change the way we think about network security. The ride or die freaks think about security differently from organizations. We are all about Szabo's famous quote, "trusted third parties are security holes," and take extreme measures to ensure no one else has access to our keys. A hospital or any other business has a gazillion people working for them that all need passwords, 2fa, etc. These are often smart people, but they know about as much as cybersecurity as I know about brain surgery. The way places deal with this is host files in the cloud with a trusted third party who has the most liability they can find. All the hashes of the passwords are stored in a central location, making them an easy target. From what I understand, this does the opposite. The keys are encrypted on the client, not the server. An attacker needs pysical access to the computer for the key. This mitigates the risk of social engineering attacks. If there is a breach, the key can be revoked. This won't stop nprmies from writing their password on a post-it under the keyboard, but that's okay. Most of the people in the office have a password of their own. It's still a bad idea, maybe a jealous co-worker finds your password and searches porn sites, but it's less likely to end up on the news. That's what I think anyway. Please correct me if I'm wrong. I am sure there are some things I've missed too.

I think any client that sits at the top of the onboarding funnel it would make sense to run these things. I am planning on building a bunch of non-bitcoiner-focused apps that will leverage this. I think this would also make a lot of sense for something like @npub1zach...5dy5 's Flockstr to run (in fact, Zach came up with a username+password scheme as well but which the strings themselves compute to a key, so you would be essentially logging in to all clients directly with your nsec, which is why I think that approach is problematic, but same goal!)

Makes sense 👍 Is the the nsec bunker provider NIP-89 handler documented anywhere? Would love to play around with this.

Its quite simple really; It’s just a 31990 with a k-tag of the NIP-46 kind (24344 or something) and the 31990 profile data should have a _@domain as its NIP-05 that validly resolves to the pubkey that published the 31990. If you want to peak under the hood the fans site I showed in the video is already deployed so you can play around with what I used to make the demo video (although I’m not 100% certain that I deployed the most recent version)

No doubt this approach is the better way to go. From my experience onboarding people, they often love the idea of nostr but are left wondering what to do next. I think as @rabble suggests, we should rework the nostr.com site to be more of a normie onboarding tool than a dev-focused protocol explainer. Something that clearly outlines a bunch of example nostr usecases beyond traditional microblogging. If we could build in a great onboarding experience directly on nostr.com, that would be awesome.

It can't be an in-browser modal though; it's gotta run in it's own domain. That's why twitter/google/facebook/etc all use a real popup for OAuth flows 😅

Oh right, the same-origin policy stuff! But you should be able to use modals at least in the process of the account creation, the more critical one, or are there other security concerns? Or mybe an iframe with a CORS setting on the provider side could be a solution.

Yeah, the account creation part where you enter the email and username etc is in-page modal, but then the password stuff must happen on the popup so the client generating the account can’t see it. It could be done getting absolutely everything in the client but that increases the trust significantly with the client and you also want the nsecBunker domain to have a cookie to authorize new keys without having to login. I’d say that would only make sense if the client and nsecBunker provider are the same entity in that case that would be fine.

Got it. Thanks for the details!

🤝🤝🤝🤝 Thank you, sir. Your words carry a lot of weight for me, as you are probably well aware ❤️