A new start for SteemConnect

kingscrown (81) · 6 years ago

amazing! cant wait

$3.78

5 votes

jmehta (58) · 6 years ago

If an app doesn't have SteemConnect, I don't trust it :D

$0.18

6 votes

valth (68) · 6 years ago

Same here, with the only exception being Steem Monsters. Luckily they only ask for the Posting Key, so it would not even be a big problem if there was a security breach with the Steem Monster website.

$0.00

heimindanger (68) · 6 years ago

$0.00

Reveal Comment

pibara (60) · 6 years ago

Agreed. If it's only for login, why would we need to delegate our keys to SteemConnect just to prove our identity? It is just silly unless the dapp needs more from you than to actually verify your identity. As for actually delegating authority to act on our behalve, I think Steemit Inc should be looking at Agora type capability secure smart contract based options for that instead of the crude course grained TTP solution SteemConnect provides. Seriously, it is 2018 and STEEM is a bleeding blockchain, why are we still using a centralised TTP as if it was 1998? Surely the Steemit Inc crowd could do way better than this if they would put these heads to it.

$0.27

fabien (62) · 6 years ago (edited)

With SteemConnect you don't need to delegate posting authority to prove your identity. It's never been the case.

pibara (60) · 6 years ago

Yes it has. You can't login using the SteemConnect TTP unless you delegate it (and more) to the SteemConnect TTP.

$0.00

fabien (62) · 6 years ago

You can, but if you don't believe me you can try by yourself, go on smartsteem.com and click login, you will see that posting authority delegation is not necessary.

pibara (60) · 6 years ago

Uhm, the TTP doesn't delegate authority to the dapp, but the user still needs to delegate a lot of her authority to the TTP. There is no "sign this token with your memo key" login, no "use this token in the memo field of a micro transaction" option, the only option the user gets to proof it's identity is using a TTP that in turn can only be used if you trust the TTP with your keys. That is a whole lot of trust to put in a TTP if all I want to do is use a few services that merely want me to prove my account ownership.

$0.20

heimindanger (68) · 6 years ago

Yet, how many of the 683 apps don't just verify identify, but actually asks by default for posting and voting auth? I bet its like 95%

Please give us data, and stop derailing useful conversations

$0.00

gray00 (57) · 6 years ago (edited)

Yes, I've seen people using steemconnect to unknowingly "hack" people's keys. This happens. They are simply linking a link to enable all permissions and tell users they will give "upvotes" if they do. They didn't tell them about the permissions of course :D

$0.00

fabien (62) · 6 years ago (edited)

Why is that? The worst is to having to trust every each Steem based websites to secure your key.

$0.07

heimindanger (68) · 6 years ago (edited)

We talked about that hundreds of times, including in private messages. I don't feel like arguing anymore because I'm tired of it and I guess if Steem It Inc isn't funding SteemConnect anymore, it probably means I argued good enough in the past.

SO LONG STEEMCONNECT

P.S: Told you so 2 years ago ;)

$0.00

abwasserrohr (46) · 6 years ago

Or the Steem based website uses steem keychain and solves the problem. =)

$0.00

valth (68) · 6 years ago

SteemConnect is the worst login option for security by far.

Would you care to elaborate on that?

$0.00

heimindanger (68) · 6 years ago

Is a proof by example good enough? Utopian, about 1 year ago. Pictures of flowers everywhere?

Nobody hacked DTube or posting keys. Why? Because I dont store keys or 'tokens' that replace them in a centralized db, its literally staying in your PC and cant get massively hacked ever.

$0.00

fabien (62) · 6 years ago

DTube store keys in localStorage, if someone hack DTube server he can modify the code to retreive users keys. When Utopian was hacked, the hacker only got some expirable token, users keys never been exposed.

$0.00

heimindanger (68) · 6 years ago (edited)

And btw no it’s not local storage it’s indexedDB

$0.00

heimindanger (68) · 6 years ago (edited)

A posting key can be reset at any time with the master.

DTube never got hacked this way, because my github account is way more secure than all servers setup by apps using auth of users

$0.00

abwasserrohr (46) · 6 years ago

Many sites are using offline tokens, if they get hacked, the users are screwed equally like putting the private key directly into. But the hacker doesn't even need to get it from the localStorage but take it directly from the database of the server. And its not really easy to prevent phishing here either.

Why not making a solution like steem keychain for all browsers? =)

$0.00

gray00 (57) · 6 years ago

Yeah did everyone forget utopian-io and the compromised keys via steemconnect? I guess so. Amnesia?

$0.00

pibara (60) · 6 years ago

SteemConnect is very much overused for authentication IMHO. Seriously, why use SteemConnect only to allow a user to proof his/her identity when you can simply use a micro transaction for that. We should have less SteemConnect usage by Apps and more micro-transaction based authentication. So, actually, if an App could use micro transactions but user SteemConnect instead, then I don't trust it😉

$0.00

fabien (62) · 6 years ago

Microtransactions are not free, it would be visible on the chain (everyone would know when you login), and require your active key. I'm not sure how is that good for the users.

$0.05

2 votes

pibara (60) · 6 years ago

It is good for the user because it does not require trusting a TTP with your keys. How is this hard to grasp?

$0.00

rishi556 (62) · 6 years ago

I like steemconnect, but would prefer to use keychain. Keychain has some other benefits like not having to need to trust the site with your keys and you get to confirm every single action as long as you don't give the site the power to not need to send confirmations.

$0.00

heimindanger (68) · 6 years ago

$0.00

Reveal Comment

emrebeyler (74) · 6 years ago (edited)

Great news!

python client is ready for the changes. :)

$0.17

3 votes

valth (68) · 6 years ago

This is amazing news! Steemconnect has really played a huge role in making people be able to trust the dapps that are built on top of the Steem blockchain, and I'm sure a lot of them would have many fewer users if it hadn't been for Steemconnect. I'm really looking forward to learning more about Steemconnect 3!

$0.13

4 votes

mediahousent (67) · 6 years ago

The next big thing to hit the blockchain, let's go!

$0.13

stuffbyspencer (61) · 6 years ago

Cool! Looking forward to seeing what this new version brings! SteemConnect is a wonderful project and very much needed. Good luck with your development!

$0.12

jonnyrevolution (59) · 6 years ago

I'm really happy to hear more about the security....I believe it is the most important part.

$0.09

2 votes

dunsky (68) · 6 years ago

Subscribed to @steemscript
Really interesting to know more about SteemConnect 3 features/improvements :)

$0.07

bobinson (63) · 6 years ago

Way to go. Looking forward for the new features - anything that helps mass adoption is highly welcome

$0.07

bala41288 (70) · 6 years ago

Excited about the new version of Steem Connect. All the dapp creators use Steemconnect and that is what everyone is trusting.

Posted using Partiko Android

$0.06

3 votes

bala41288 (70) · 6 years ago

Downvoted by @fabien 🤔🤔

Posted using Partiko Android

$0.00

fabien (62) · 6 years ago

Hehe this was a miss click :)

$0.00

bala41288 (70) · 6 years ago

Ha ha ha.. Okay. 😀

Posted using Partiko Android

$0.00

ade-greenwise (58) · 6 years ago

can you elaborate on the security side in your new blog, to encourage and reassure users of the one concern with the easy service.

$0.04

roleerob (66) · 6 years ago

Thanks for the good news @fabien.

Hopefully the new version will allow us to engage with only our Private Posting key. We should only enter
Private Active key, when conducting a financial transaction.

Posted using Partiko Android

$0.00

valth (68) · 6 years ago

Yes, that would be a nice change. I'm not a big fan of having to find my Active Key when I simply want to let a dapp get access to custom Json, commenting or something like that.

$0.00

roleerob (66) · 6 years ago

Well that's two of us then @valth. Not quite a quorum, but it's a start! 😉👍

Posted using Partiko Android

$0.00

fabien (62) · 6 years ago

Hey yes it will be possible to only use posting key to do posting operations.

$0.00

roleerob (66) · 6 years ago

Excellent @fabien! 👍

Posted using Partiko Android

$0.00

leprechaun (56) · 6 years ago

I would cringe everytime I needed to put my private active key into Steem Connect in order to use a site that uses posting key operations.

$0.00

hafiz34 (66) · 6 years ago

We can join a new dapp due to the trusted steemconnect. Great job sir

Posted using Partiko Android

$0.00

honoru (76) · 6 years ago

Great news.
Thanks for your team.

Posted using Partiko Android

$0.00

noopu (67) · 6 years ago

Good news!

Posted using Partiko iOS

$0.00

cryptopie (81) · 6 years ago

This is a good news as it makes steeming better and better as time goes by @fabien

$0.00

travoved (65) · 6 years ago

Keep it up! Excellent news!
And of course I will be waiting your next post to know more details about new SteemConnect 3!

Posted using Partiko Android

$0.00

fabien (62) · 6 years ago

Thanks we are on it!

$0.00

pibara (60) · 6 years ago

How many of those 683 dapps use SteemConnect just for authentication? I feel strongly such use should be discouraged for security purposes in favour of a micro transaction based authentication like described here. The description is asyncsteem and Python specific, but the concepts are easy enough to easily integrate in apps using different languages like JavaScript or different python libs like Beem.

As for the transactions that actually do need key bound user authority; SteemConnect is a TTP. Is anyone really happy that in the age where capability secure smart contracts are starting to become a thing, the most promising infrastructure for dapps ends up needing to rely on a cource grained TTP infrastructure? Surely we could find something more 2018 for that if we put our minds to it, right? Have a look at this video and tell me Steemut INC couldn't leverage these types of secure smart contracts into a killer dapp infrastructure that would make SteemConnect feel like something from the Pleistocene.

Yes I know, integrating a real TTP free secure solution will take time, so SteemConnect and microtransactions as an intermediate option untill Steemit Inc sees the (Agoric) light is a logical choiche, but towards the future, a cap secure smart contract based dapp user privilege delegation infrastructure would seem like the path forwards.

$0.00

fabien (62) · 6 years ago

We don't need users to broadcast an operation on Steem blockchain and pay 0.001 STEEM everytime they login. Login is not a problem, we can use and verify signature for that.

pibara (60) · 6 years ago

Compared to being required to delegate massive amounts of authority to a TTP just to log in to a service that uses non of that authority, it is a simple low impact way to log in. A generic TTP-free signature based login would be great, an I'm not sure, but you could probably just use your memo key for that, but as far as TTP versus micro-transaction goes, micro transactions should be the preferred log-in only option IMO.

A 4th possibility with a TTP that I feel could actually work is a TTP that sells client certificates using memo field in the sell transaction the same way that micro transaction login would.

$0.00

almost-digital (61) · 6 years ago

I'm curious, why do you say that on-chain transactions are the better option for login compared to signing a message with your key proving ownership?

$0.05

2 votes

pibara (60) · 6 years ago

I don't. I'm saying using the blockchain for log-in is preferable to using a TTP for log-in.
In general the blockchain should eventually be able to remove the need for any type of TTP, even for delegation. I think Steemit Inc would do wise to keep close tabs on the Agoric developments and maybe work with Agoric to make STEEM bleading edge with respect to implementing cap patterns for rights and delegations. In the meantime, only using a TTP when delegating, not when logging in, should I think be the first step away from the IMHO outdated concept of TTPs.

$0.26

vimukthi (72) · 6 years ago

I don't use most of those 683 DAPPs. I mostly just use Busy, Dlike and STEEM Hunt. Am I doing something stupid by using Steemconnect? Is there a better way to use those DAPPs and do what I do? I don't care about some random DAPP I haven't heard of. 99% of the blockchain usage should be coming from about 10 DAPPs. How does Steemconnect usage matter when it comes to the few I actually use?Is there any reason I should stop using these services/DAPPs?

As a user I don't mind one time verification via microtransaction such as @minnowsupport. But doing a microtransaction every time is going to ensure that STEEM will never gain mass adoption. This is my perspective as a user. Is there anything I've messed up

$0.02

pibara (60) · 6 years ago

Most people won't use most of those dapps. Many won't use any dapp that actually requires delegated user authority. For those, delegating almost all their user authority to a TTP in order to log in to a dapp that requires zero is bad from a security point of view.

Personally I currently don't use any steemconnect using dapp, not since utopian. The ones I'm interested in using are authenticate only, and I'm seriously not going to trust a TTP I don't need because neither the dapp builder nor SteemConnect could bothered to implement either micro transaction based or wallet based login.

Looking beyond login, in theory, there should really be no need for a TTPin a blockchain based infrastructure. This would be a big project, but imagine an infrastructure where you could use your wallet to delegate the attenuated right to use specific operations with your account to a capability secure smart contract between you and the dapp. That should totally remove the need and justification for any type of TTP.

I believe if STEEM dapp usage continues to require a 1990s style TTP infrastructure like SteemConnect, instead of aiming to be amongst the first to get on the Agoric track, STEEM will end up left behind, and new alternatives that will be TTP-free will drive STEEM out of existence. TTPs are not the future of web 3, and moving away from them, step by step, should be top priority for Steemit Inc IMHO.

$0.00

vimukthi (72) · 6 years ago

Thank you for taking your time to reply. The smart contract based authentication certainly sounds much better. Personally I avoid the more obscure DAPPs and stick with the ones that provide a good service that has good reputation. Still it's not perfect as it was evident from the Utopian mess. But on the bright side it's really not that huge compared to the mess Ethereum had to deal with.

amahovac93 (63) · 6 years ago

Great news, more and more constant updates on Steem blockchain when Smt's go live the price of Steem will explode!

Posted using Partiko Android

$0.00

darwindelacruz (37) · 6 years ago

So glad to know this news more power to you

$0.00

lichtblick (78) · 6 years ago

Great. Resteemed :-)

$0.00

fabien (62) · 6 years ago

Thanks!

$0.00

holger80 (72) · 6 years ago

That's really great news. Would be possible to use sc3 to give an account only the right to vote without token management and a website?
$rewarding 50%12min

Posted using Partiko Android

$0.00

rewarding (58) · 6 years ago

Command accepted.

$0.00

arcange (73) · 6 years ago

Congratulations @fabien!
Your post was mentioned in the Steemit Hit Parade in the following category:

Pending payout - Ranked 8 with $ 131,42

$0.00

rikaz87 (63) · 6 years ago

Great news from you @fabien. I am happy to hear more next about steemconnect. I used to post via steemconnect for special purpose only. Resteemed for more learning. Thanks

$0.00

tonygreene113 (59) · 6 years ago

I'm still curious why it's such a pain in the ass to use Steemconnect with #dtube.
Will version 3 of steemconnect fix this problem?

Posted using Partiko Android

$0.00

trayan (62) · 6 years ago

Very good news! Loving this #SteemConnect ;)
keep up the good deed!

$0.00

igormuba (69) · 6 years ago

@fabien I am not a very good programmer, but maybe, could you, maybe, make some documentation or something more beginner friendly?
I am doing on my steem account a series of tutorials that are beginner friendly, but first I must understand how the API works, I am facing quite a few issues at the moment that make the demo application not work.
I have read all the documentation of Dsteem steem js and steemconnect but still I think I am missing something, maybe updating the documentation would be helpful.

I will keep studying and trying tough and keep posting my series of beginner friendly tutorials in Portuguese, English and Spanish at every step I take on improving my knowledge, I hope that by making things beginner friendly we can have better and more creative applciations, thus attracting more users to Steem, we can only win by having more users and more creative application by empowering beginners to put their ideas in practice.

Thank you for you work anyways :D

$0.00