A new start for SteemConnect

in steemconnect •  6 years ago  (edited)


Dear Steemians,

We are pleased to announce that a new version of SteemConnect is under construction. Since we started, 683 Steem-based apps have integrated SteemConnect 2. Despite this adoption, there are a few downsides we have come across, and we believe there is a lot of room for improvement. We proposed a new version of SteemConnect to Steemit Inc., and it was received with a lot of support. We got a lot of great feedback from the community, and this new version takes it to heart: it will be more decentralized, more flexible and cross-platform, and it will give users a higher level of security.

SteemConnect will also no longer be owned by Steemit Inc. but instead be a community driven project managed by me @fabien, @sekhmet and @almost-digital. I would like to thank Steemit for their continuous support all along the way, it has been a pleasure working together.

If you are interested in what is coming next, follow @steemscript and stay tuned: we are going to publish a series of posts shortly!

Cheers!


Amazing! Can't wait.

If an app doesn't have SteemConnect, I don't trust it :D

Same here, with the only exception being Steem Monsters. Luckily they only ask for the Posting Key, so it would not even be a big problem if there was a security breach with the Steem Monster website.


Agreed. If it's only for login, why would we need to delegate our keys to SteemConnect just to prove our identity? It is just silly unless the dapp needs more from you than to actually verify your identity. As for actually delegating authority to act on our behalf, I think Steemit Inc should be looking at Agora-type capability-secure smart contract based options for that instead of the crude coarse-grained TTP solution SteemConnect provides. Seriously, it is 2018 and STEEM is a bleeding blockchain, why are we still using a centralised TTP as if it was 1998? Surely the Steemit Inc crowd could do way better than this if they would put their heads to it.


With SteemConnect you don't need to delegate posting authority to prove your identity. It's never been the case.

Yes it has. You can't login using the SteemConnect TTP unless you delegate it (and more) to the SteemConnect TTP.

You can, but if you don't believe me you can try by yourself, go on smartsteem.com and click login, you will see that posting authority delegation is not necessary.

Uhm, the TTP doesn't delegate authority to the dapp, but the user still needs to delegate a lot of her authority to the TTP. There is no "sign this token with your memo key" login, no "use this token in the memo field of a micro transaction" option; the only option the user gets to prove its identity is using a TTP that in turn can only be used if you trust the TTP with your keys. That is a whole lot of trust to put in a TTP if all I want to do is use a few services that merely want me to prove my account ownership.

Yet, how many of the 683 apps don't just verify identity, but actually ask by default for posting and voting auth? I bet it's like 95%.

Please give us data, and stop derailing useful conversations


Yes, I've seen people using steemconnect to unknowingly "hack" people's keys. This happens. They are simply linking a link to enable all permissions and tell users they will give "upvotes" if they do. They didn't tell them about the permissions of course :D


Why is that? The worst is having to trust each and every Steem-based website to secure your key.

We talked about that hundreds of times, including in private messages. I don't feel like arguing anymore because I'm tired of it and I guess if Steem It Inc isn't funding SteemConnect anymore, it probably means I argued good enough in the past.

SO LONG STEEMCONNECT

P.S: Told you so 2 years ago ;)

Or the Steem based website uses steem keychain and solves the problem. =)

SteemConnect is the worst login option for security by far.

Would you care to elaborate on that?

Is a proof by example good enough? Utopian, about 1 year ago. Pictures of flowers everywhere?

Nobody hacked DTube or posting keys. Why? Because I don't store keys or 'tokens' that replace them in a centralized DB; it's literally staying on your PC and can't get massively hacked ever.

DTube stores keys in localStorage; if someone hacks the DTube server, they can modify the code to retrieve users' keys. When Utopian was hacked, the hacker only got some expirable tokens; users' keys were never exposed.

And btw, no, it's not localStorage, it's IndexedDB.

A posting key can be reset at any time with the master.

DTube never got hacked this way, because my github account is way more secure than all servers setup by apps using auth of users

Many sites are using offline tokens; if they get hacked, the users are equally screwed, just as if they had put the private key in directly. But the hacker doesn't even need to get it from localStorage; they can take it directly from the server's database. And it's not really easy to prevent phishing here either.

Why not making a solution like steem keychain for all browsers? =)

Yeah did everyone forget utopian-io and the compromised keys via steemconnect? I guess so. Amnesia?

SteemConnect is very much overused for authentication IMHO. Seriously, why use SteemConnect only to allow a user to prove his/her identity when you can simply use a micro transaction for that? We should have less SteemConnect usage by apps and more micro-transaction based authentication. So, actually, if an app could use micro transactions but uses SteemConnect instead, then I don't trust it 😉

Microtransactions are not free, it would be visible on the chain (everyone would know when you login), and require your active key. I'm not sure how is that good for the users.

It is good for the user because it does not require trusting a TTP with your keys. How is this hard to grasp?

I like steemconnect, but would prefer to use keychain. Keychain has some other benefits like not having to need to trust the site with your keys and you get to confirm every single action as long as you don't give the site the power to not need to send confirmations.


Great news!

python client is ready for the changes. :)

This is amazing news! Steemconnect has really played a huge role in making people be able to trust the dapps that are built on top of the Steem blockchain, and I'm sure a lot of them would have many fewer users if it hadn't been for Steemconnect. I'm really looking forward to learning more about Steemconnect 3!

The next big thing to hit the blockchain, let's go!

Cool! Looking forward to seeing what this new version brings! SteemConnect is a wonderful project and very much needed. Good luck with your development!

I'm really happy to hear more about the security....I believe it is the most important part.

Subscribed to @steemscript
Really interesting to know more about SteemConnect 3 features/improvements :)

Way to go. Looking forward to the new features; anything that helps mass adoption is highly welcome.

Excited about the new version of Steem Connect. All the dapp creators use Steemconnect and that is what everyone is trusting.

Posted using Partiko Android

Downvoted by @fabien 🤔🤔

Posted using Partiko Android

Hehe, this was a misclick :)

Ha ha ha.. Okay. 😀

Posted using Partiko Android

Can you elaborate on the security side in your new blog, to encourage and reassure users about the one concern with the easy service?

Thanks for the good news @fabien.

Hopefully the new version will allow us to engage with only our Private Posting key. We should only enter
Private Active key, when conducting a financial transaction.

Posted using Partiko Android

Yes, that would be a nice change. I'm not a big fan of having to find my Active Key when I simply want to let a dapp get access to custom Json, commenting or something like that.

Well that's two of us then @valth. Not quite a quorum, but it's a start! 😉👍

Posted using Partiko Android

Hey yes it will be possible to only use posting key to do posting operations.

Excellent @fabien! 👍

Posted using Partiko Android

I would cringe every time I needed to put my private active key into SteemConnect in order to use a site that uses posting key operations.

We can join a new dapp due to the trusted steemconnect. Great job sir

Posted using Partiko Android


Great news.
Thanks for your team.

Posted using Partiko Android

Good news!

Posted using Partiko iOS

This is good news, as it makes steeming better and better as time goes by, @fabien.

Keep it up! Excellent news!
And of course I will be waiting your next post to know more details about new SteemConnect 3!

Posted using Partiko Android

Thanks we are on it!

How many of those 683 dapps use SteemConnect just for authentication? I feel strongly such use should be discouraged for security purposes in favour of a micro transaction based authentication as described here. The description is asyncsteem and Python specific, but the concepts are easy enough to integrate in apps using different languages like JavaScript or different Python libs like Beem.

As for the transactions that actually do need key-bound user authority: SteemConnect is a TTP. Is anyone really happy that in the age where capability-secure smart contracts are starting to become a thing, the most promising infrastructure for dapps ends up needing to rely on a coarse-grained TTP infrastructure? Surely we could find something more 2018 for that if we put our minds to it, right? Have a look at this video and tell me Steemit Inc couldn't leverage these types of secure smart contracts into a killer dapp infrastructure that would make SteemConnect feel like something from the Pleistocene.

Yes I know, integrating a real TTP-free secure solution will take time, so SteemConnect and microtransactions as an intermediate option until Steemit Inc sees the (Agoric) light is a logical choice, but towards the future, a cap-secure smart contract based dapp user privilege delegation infrastructure would seem like the path forwards.

We don't need users to broadcast an operation on the Steem blockchain and pay 0.001 STEEM every time they log in. Login is not a problem; we can use and verify a signature for that.

Compared to being required to delegate massive amounts of authority to a TTP just to log in to a service that uses none of that authority, it is a simple low-impact way to log in. A generic TTP-free signature based login would be great, and I'm not sure, but you could probably just use your memo key for that, but as far as TTP versus micro-transaction goes, micro transactions should be the preferred login-only option IMO.

A 4th possibility with a TTP that I feel could actually work is a TTP that sells client certificates using memo field in the sell transaction the same way that micro transaction login would.

I'm curious, why do you say that on-chain transactions are the better option for login compared to signing a message with your key proving ownership?

I don't. I'm saying using the blockchain for log-in is preferable to using a TTP for log-in.
In general the blockchain should eventually be able to remove the need for any type of TTP, even for delegation. I think Steemit Inc would do wise to keep close tabs on the Agoric developments and maybe work with Agoric to make STEEM bleeding edge with respect to implementing cap patterns for rights and delegations. In the meantime, only using a TTP when delegating, not when logging in, should I think be the first step away from the IMHO outdated concept of TTPs.

I don't use most of those 683 DAPPs. I mostly just use Busy, Dlike and STEEM Hunt. Am I doing something stupid by using Steemconnect? Is there a better way to use those DAPPs and do what I do? I don't care about some random DAPP I haven't heard of. 99% of the blockchain usage should be coming from about 10 DAPPs. How does Steemconnect usage matter when it comes to the few I actually use? Is there any reason I should stop using these services/DAPPs?

As a user I don't mind one time verification via microtransaction such as @minnowsupport. But doing a microtransaction every time is going to ensure that STEEM will never gain mass adoption. This is my perspective as a user. Is there anything I've messed up

Most people won't use most of those dapps. Many won't use any dapp that actually requires delegated user authority. For those, delegating almost all their user authority to a TTP in order to log in to a dapp that requires zero is bad from a security point of view.

Personally I currently don't use any SteemConnect-using dapp, not since Utopian. The ones I'm interested in using are authenticate-only, and I'm seriously not going to trust a TTP I don't need because neither the dapp builder nor SteemConnect could be bothered to implement either micro transaction based or wallet based login.

Looking beyond login, in theory, there should really be no need for a TTP in a blockchain based infrastructure. This would be a big project, but imagine an infrastructure where you could use your wallet to delegate the attenuated right to use specific operations with your account to a capability-secure smart contract between you and the dapp. That should totally remove the need and justification for any type of TTP.

I believe if STEEM dapp usage continues to require a 1990s style TTP infrastructure like SteemConnect, instead of aiming to be amongst the first to get on the Agoric track, STEEM will end up left behind, and new alternatives that will be TTP-free will drive STEEM out of existence. TTPs are not the future of web 3, and moving away from them, step by step, should be top priority for Steemit Inc IMHO.

Thank you for taking your time to reply. The smart contract based authentication certainly sounds much better. Personally I avoid the more obscure DAPPs and stick with the ones that provide a good service that has good reputation. Still it's not perfect as it was evident from the Utopian mess. But on the bright side it's really not that huge compared to the mess Ethereum had to deal with.

Great news, more and more constant updates on the Steem blockchain; when SMTs go live the price of Steem will explode!

Posted using Partiko Android

So glad to know this news more power to you

Great. Resteemed :-)

Thanks!

That's really great news. Would it be possible to use sc3 to give an account only the right to vote, without token management and a website?
$rewarding 50%12min

Posted using Partiko Android

Command accepted.

Congratulations @fabien!
Your post was mentioned in the Steemit Hit Parade in the following category:

  • Pending payout - Ranked 8 with $ 131,42

Great news from you @fabien. I am happy to hear more next about steemconnect. I used to post via steemconnect for special purpose only. Resteemed for more learning. Thanks

I'm still curious why it's such a pain in the ass to use Steemconnect with #dtube.
Will version 3 of steemconnect fix this problem?

Posted using Partiko Android

Very good news! Loving this #SteemConnect ;)
keep up the good deed!

@fabien I am not a very good programmer, but maybe, could you, maybe, make some documentation or something more beginner friendly?
I am doing on my steem account a series of tutorials that are beginner friendly, but first I must understand how the API works, I am facing quite a few issues at the moment that make the demo application not work.
I have read all the documentation of Dsteem steem js and steemconnect but still I think I am missing something, maybe updating the documentation would be helpful.

I will keep studying and trying though, and keep posting my series of beginner-friendly tutorials in Portuguese, English and Spanish at every step I take in improving my knowledge. I hope that by making things beginner-friendly we can have better and more creative applications, thus attracting more users to Steem; we can only win by having more users and more creative applications by empowering beginners to put their ideas into practice.

Thank you for your work anyways :D