I compared a few key signers, did a little side-by-side on them. What really surprised me is that some browser add-ons just store the user's nsec in plain text right in the browser's local storage, where it could be read by other add-ons! No such problems with #NoorSigner, since it runs locally in the file system and talks to the #NoorNote client over Unix socket IPC. That said, it came out that NoorSigner was using the weaker XOR encryption instead of the more secure AES. And I fixed that up today, it'll be in the next release, insh'Allah.

Replies (7)

I built Blockcore Wallet some years ago as a "crypto wallet" (also had Bitcoin support), but there is only one chain left. Though it also works well as a Nostr signer and I've used it for years now. It stores the keys encrypted and uses a background process to keep the private key in memory when unlocked. It supports multiple accounts, from a recovery phrase. Also, manual import of any nsec. Will likely soon remove all wallet features and make it a pure key manager, with support for Nostr and DID.
dangershony 1 month ago
Yeah, that's a good idea, or fork it and make the fork a Nostr signer. Plus, maybe it can even be a remote signer? If I run it in my browser anyway and trust it, then it could potentially also be a NIP-46 signer, no? (Can a browser extension open WebSockets?)
dangershony 1 month ago
"What really surprised me is that some browser add-ons just store the user's nsec in plain text" What? This can be easily fixed though, no?
I’ve added key.band later on because somebody mentioned it. But that’s all for now. I basically just did this comparison to see if there are maybe some good practices I might've missed when implementing NoorSigner.