> The private key is stored in the browser’s localStorage.
Woah.. when will those people learn? _Any_ browser storage is unreliable. Anything goes wrong with your web experience? Clear browser settings. Make new profile. Re-install browser. The browser's localStorage is not a replacement for filesystem. It cannot be backed up, it is super volatile, and it should _never_ be used for anything important. It's one of those "worst of both world" cases, where malware can access it with no problem, while legitimate backup programs are locked out.
(And yes, the post mentions "new device" flow, but how many people would (1) remember to export their private key and (2) won't lose it with their device? I bet in practice people will use the network until the first time localStorage is lost, and then they will get annoyed that their feeds are lost forever, and will likely leave the network for good)
Not in disagreement, but based on how casually the frontpage throws around terms like "X25519 keypair", it is obvious that mass adoption and ease of use aren't among the goals of this project. Looks more like an exploration of a concept - can a social network viably exist without any middlemen in between.
>> The private key is stored in the browser’s localStorage.
> Woah.. when will those people learn? _Any_ browser storage is unreliable. Anything goes wrong ...
Can't that be solved by a 1-liner button like "Export key in safe location" then URL.createObjectURL( localStorage.getItem("myTopSecretKey") ) and let the user save that on their filesystem?
from the very post you are replying to:
> but how many people would (1) remember to export their private key and (2) won't lose it with their device?
How does this help with either of those options? for example, I am on the phone, and imagine I've remembered to download the key... if my phone breaks, it'll be deleted. I also need to store it somewhere - google drive? password manager?
So yes, it could be solved but it would be more like "1-liner + few manual steps user must do", and there will be no guarantees that user will do those steps. So maybe people who are really invested into the new network or maybe crypt-owners who are used to manager their private key will do it, but most people will just loose their friend lists once they get a new phone or clear storage.
(1) prompt on setup after ~5min of usage to discard 90% of testers
(2) email it yourself, in fact instead of downloading the key it could also be a basic mailto: link
If users can't be bothered they don't really care about the data stored there.
> It's one of those "worst of both world" cases
It's also one of those cases where "perfect is the enemy of good enough", and also very easy to solve, offer a download/upload button that offers you to save the key, or upload a arbitrary one. Now every issue you mention disappears, and it's maybe ~50 lines of code...
And yes, loosing keys can mean you lose access. People who used 2FA are well aware of this problem, and yes it requires diligence. Also people who maintain their own cryptocurrency wallets seems to be able to handle this too, so not like it's completely impossible, just infeasible for the average Joe.
Well-known 2FA-using services (Google, Paypal, Github) etc.. offer some way to recover your account, so losing your 2FA device does not mean you lose all access.
Pretty sure that the only people who use un-recoverable private keys are crypto-wallet users, and even they regularly lose access, despite having strong monetary incentive to keep backups.
Now of course it's all open source, and authors can implement whatever they want, including things like: "It's your own fault that you did not do that backup procedure correctly, the button was _right there_. Serves you right that you have lost your account, maybe you did not deserve it in the first place." But that may be no the best approach if you want to create something that people actually use...