Nostr gives users more ownership, but ownership increases responsibility. A private key is powerful. Public events are public. Relays reveal patterns. Encryption helps in specific contexts but does not erase metadata.
The main private-key risk
If a user pastes a private key into a malicious or compromised website, the attacker can sign as that user. This is the central education problem for Nostr onboarding. Signers and remote signers exist because private keys should not travel everywhere.
- Never share the nsec. The private key should not appear in public chats, screenshots or web forms.
- Use signers. NIP-07 (browser extension) and NIP-46 (remote signer) workflows are safer than casual key-paste workflows because the key never leaves the signer.
- Back up before building reputation. A user should not build social or commercial identity on an unbacked secret.
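The signer-first flow the list above recommends, as an added example that is not Crays project code: the client refuses nsec material pasted into a public-key field and delegates signing to a NIP-07 provider (`window.nostr`); the `demoSigner` double and the field names are assumptions for offline use.

```javascript
// Added example, not Crays project code: a signer-first onboarding flow for a
// Nostr web client. The client never asks for an nsec. It delegates signing to
// a NIP-07 provider (window.nostr: getPublicKey(), signEvent()) and refuses
// private-key material pasted into a field that only needs a public key.

// bech32 charset (NIP-19 nsec/npub): no '1', 'b', 'i', 'o'; 58 chars after the "1".
const BECH32_KEY = /^(nsec|npub)1[02-9ac-hj-np-z]{58}$/;

// Classify what a user typed into a "log in with public key" field.
// Hex is ambiguous: a hex pubkey and a hex secret have the same 64-char shape,
// so the form must never persist it as a secret; only the signer holds secrets.
function classifyKeyInput(input) {
  const s = String(input).trim().toLowerCase();
  const m = BECH32_KEY.exec(s);
  if (m) return m[1] === 'nsec' ? 'private-key' : 'public-key';
  if (/^[0-9a-f]{64}$/.test(s)) return 'hex-ambiguous';
  return 'invalid';
}

// Sign an unsigned event through the NIP-07 provider. `nostr` defaults to
// window.nostr so the same function works in a browser; a test injects a double.
async function signViaNip07(unsigned, nostr = globalThis.window?.nostr) {
  if (!nostr || typeof nostr.signEvent !== 'function') {
    // Refuse to fall back to a key-paste prompt: tell the user to install a signer.
    throw new Error('no NIP-07 signer available; install a signer extension');
  }
  const pubkey = await nostr.getPublicKey();
  const event = {
    kind: unsigned.kind,
    content: unsigned.content,
    tags: unsigned.tags ?? [],
    created_at: unsigned.created_at ?? Math.floor(Date.now() / 1000),
    pubkey,
  };
  const signed = await nostr.signEvent(event);
  // Sanity check: the signer must return an event for the pubkey it advertised.
  if (signed.pubkey !== pubkey || typeof signed.sig !== 'string' || !signed.id) {
    throw new Error('signer returned an inconsistent event');
  }
  return signed;
}

// Constructed NIP-07 test double (not a real signer): fixed pubkey, fake signature.
const demoSigner = {
  async getPublicKey() { return 'a'.repeat(64); },
  async signEvent(ev) { return { ...ev, id: 'b'.repeat(64), sig: 'c'.repeat(128) }; },
};
```

In a real client the default `window.nostr` argument is used and the user's extension performs the signing; the app only ever handles the public key and the signed event.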
Public means public
Many Nostr events are public by design. Deleting from one relay does not guarantee deletion from all copies, archives or screenshots. Users need to know which actions are public, which are encrypted and which leak metadata.
Encryption is not invisibility
Encrypted payloads can protect message content. They do not automatically hide timing, counterparties, relay choice, app behavior or device patterns. Serious products should distinguish content privacy from metadata privacy.
Crays security posture
Crays should present safe defaults: signer-first onboarding, clear consent, limited scopes, no dark patterns, understandable wallet permissions, visible official identities and careful handling of venue/member context.
