— SteemCN

RE: Automated votes abuse on SteemConnect?

You are viewing a single comment's thread from:

Automated votes abuse on SteemConnect?

heimindanger (68) in steemconnect • 7 years ago

Apps (server side) don't need to handle keys or tokens at all. Everything can be done client side like it's done on dtube and steemit. It works really well this way. Nobody ever gets your key, you don't need to delegate any authority to anyone.

You actually introduce security holes that didn't exist before SteemConnect, so calling it more secure it a total joke.

Only good point for SteemConnect is that it makes it easy for noob developers to start creating something on steem, without having to code a proper key storage and verification system for their apps.

steemconnect

7 years ago by heimindanger (68)

$1.20

2 votes

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!

Sort Order:

Trending

[-]

fabien (62) · 7 years ago (edited)

There is 2 differents ways. Both have advantages and downsides.

Everything can be done client side like it's done on dtube and steemit

Not everything, for example you canot do scheduled post on client side.

You also need to know how to do a proper key storage with auth, some app failed on this and we canot expect every app will know how to do it properly.

You need to have your code reviewed (be open source) or be trusted in the community not everyone is dtube and steemit.

Nobody ever gets your key, you don't need to delegate any authority to anyone.

The app may get it, if the server is hacked like was Utopian the hacker could log users keys and force users to update their keys in the end. With SteemConnect we don't store key, the hacker may get an access_token which expire after 7 days or get manually revoked but users keys are not exposed.

$0.47

5 votes

[-]

ivanfurqanpurba (69) · 7 years ago

Thank you for information @fabien

$0.00

[-]

fsl (45) · 7 years ago

May you always succeed in helping others

$0.00

1 vote

[-]

lebastion (55) · 7 years ago

First you say client side do not need key handling, then you say they should code a proper key storage ...
Isn't it contradictory ?

$0.00

[-]

heimindanger (68) · 7 years ago

I didn't say we shouldn't handle key client-side, that's the opposite of what I think. I said that apps don't need their users key to do their server-side stuff. All transactions should happen client-side, in the browser, on the actual user pc. So yes, UIs need a proper way to store keys and verify them on the blockchain. That's what DTube and SteemIt does. That's hard so that's why so many app developers use SteemConnect because it abstracts all that away.

$0.00

[-]

jakipatryk (62) · 7 years ago (edited)

It really depends on a purpose of the app. For an interface like Steemit or DTube there is no need to store keys on the server side nor access tokens. But there are certain types of apps that need that, and as far as I know, it is way more secure to store OAuth2 tokens than private keys.

$0.00