RE: Steem Tools Development - Centralized Steemit.com vs. Decentralized App Center (Security Concerns)

in security •  8 years ago 

That's a good question. The hierarchical threshold multisig permission model used by Steem (and BitShares) is much more flexible and powerful than Bitcoin-style multisig (for example @xeroc mentions in a comment here that a member of a multisig authority is free to change their own keys at any time).

The problem is that our current permission types -- posting, active, and owner -- are too coarse-grained for third-party integrations. Finer-grained permissions seem like they might have some value; for example, I can think of a few services off the top of my head:

  • A vote management service like streemian.com can vote on your behalf, but not post.
  • A post management service (which might e.g. mirror blog posts from your WordPress site to your Steem account) can post on your behalf, but not vote.
  • A trading console service (3rd party market UI) can place and cancel market orders on your behalf, but not transfer funds.
  • A liquidity management service can manage vesting deposits / withdrawals and requests to move funds to/from savings to maintain a certain level of liquid funds in your account, but cannot place market orders or transfer the funds to another account's control.

The management of third-party permissions from the UI perspective could probably be improved.

From a blockchain backend perspective, the blockchain isn't really designed with flexible permissions in mind. The internal blockchain APIs, objects and the public protocol fields don't scale to M different possible permission types which may be delegated to N different third-party service providers.

It's going to take some design work to get this right.
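An added illustration of the hierarchical threshold model the comment above describes (not part of the original comment, and not Steem's own code): the field names `weight_threshold`, `key_auths` and `account_auths` follow Steem's authority structure, while the evaluation logic, the depth limit, the single authority per account, and all account names and keys are simplified assumptions constructed for this example.

```python
from dataclasses import dataclass, field

MAX_DEPTH = 2  # assumed recursion limit for this sketch


@dataclass
class Authority:
    weight_threshold: int
    key_auths: dict = field(default_factory=dict)      # public key -> weight
    account_auths: dict = field(default_factory=dict)  # account name -> weight


def satisfied(auth, accounts, signing_keys, depth=0, seen=frozenset()):
    """True if signing_keys reach auth's threshold, directly or via member accounts."""
    if auth.weight_threshold <= 0:      # a zero threshold would approve anything
        return False
    total = sum(w for k, w in auth.key_auths.items() if k in signing_keys)
    if total >= auth.weight_threshold:
        return True
    if depth >= MAX_DEPTH:
        return False
    for name, weight in auth.account_auths.items():
        if name in seen or name not in accounts:    # skip cycles and unknown members
            continue
        if satisfied(accounts[name], accounts, signing_keys, depth + 1, seen | {name}):
            total += weight
            if total >= auth.weight_threshold:
                return True
    return False


def sample_accounts():
    """Constructed data: a 2-of-3 'treasury' authority made of three member accounts."""
    return {
        "alice": Authority(1, key_auths={"ALICE_KEY_1": 1}),
        "bob": Authority(1, key_auths={"BOB_KEY_1": 1}),
        "carol": Authority(1, key_auths={"CAROL_KEY_1": 1}),
        "treasury": Authority(2, account_auths={"alice": 1, "bob": 1, "carol": 1}),
    }


if __name__ == "__main__":
    accounts = sample_accounts()
    treasury = accounts["treasury"]
    print(satisfied(treasury, accounts, {"ALICE_KEY_1", "BOB_KEY_1"}))
    accounts["bob"] = Authority(1, key_auths={"BOB_KEY_2": 1})  # bob rotates his own key
    print(satisfied(treasury, accounts, {"ALICE_KEY_1", "BOB_KEY_1"}))
    print(satisfied(treasury, accounts, {"ALICE_KEY_1", "BOB_KEY_2"}))
```

Because the treasury authority names member accounts rather than raw keys, bob's rotation takes effect without any update to the treasury authority, and his old key stops counting immediately.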

  ·  8 years ago (edited)

The additional granularity of permission delegation would definitely be a way to improve on security. For a user like me though, that still might not be enough. I probably won't be trusting any apps that can do things with my account unless they are actually integrated into the Steemit website.

I don't know how many users are like me, but I am very wary of trusting any delegation of control over actions taken with my account. Even with voting or posting authority, a malicious app developer could do a lot with that access. (Especially if they wrote a good app that attracted a large user base.)

The thing that I am curious to see is whether this is a hurdle that we will overcome, and a decentralized network of standalone apps is where we will end up; or if we will need to head more in the direction of a centralized Steemit platform with everything baked in.