RE: Steemit's Security Values & How Steem Keychain Can Help

Steemit's Security Values & How Steem Keychain Can Help

in steemit •  6 years ago 

I thought that Steemit.com doesn't store keys and it's a client-side app.

I have a few questions:

  1. How are my keys stored in Keychain?
  2. It's been 3 months and no Firefox support yet? When do you plan to do it?

Posted using Partiko Android


It is a client side app. The difference between keychain and what Condenser (Steemit.com) does is that in Condenser the signing code is sent to the client via http, and executed client side. In Keychain the signing code is built into a browser extension. With the code in a http web response, the server could potentially serve malicious code which reads your keys and sends them to the server. It would even be possible to do this selectively. With a browser extension, malicious code would have to be embedded in an update for the extension, and it would likely be quickly detected by the community. Thus having the code which handles keys only in a browser extension is safer than allowing a web app to handle your keys directly, even if it is generally only done client side.

Thank you for explanation :)

I thought that Steemit.com doesn't store keys and it's a client-side app.

That's right, they don't store your keys and everything is done on the client side. The whole point is that since you're putting your key into a site that they control, they can store your keys, and send them to the server-side, but we have to trust that they don't. Even if I trust Steemit, Inc, what if someone hacks into the server hosting steemit.com and edits the code for the log in page to send all keys entered to their server? Thousands of keys (many likely master passwords) would be stolen very quickly.

To answer your questions:

  1. How are my keys stored in Keychain?

Keys are stored locally, encrypted, in the extension. When using keychain, a website will request that the extension sign and broadcast transactions for it, so that the website never gets access to your keys. If you're concerned that we can access your keys since we created the extension, or that the account publishing the extension could be hacked, that is a valid concern. In that case you can download the extension code from GitHub and install it locally.

  2. It's been 3 months and no Firefox support yet? When do you plan to do it?

Sorry we're not moving as fast as you would like here... We're spending a lot of time and money developing this free tool to help improve and grow the Steem platform. If you would like things to move faster we would be happy for you to pitch in and help out!

Posted using Steeve, an AI-powered Steem interface

  ·  6 years ago (edited)

Yes, you're right, but here's why Keychain is still a better solution (IMO):

  1. It's MUCH easier to install and run the Keychain extension locally than it is to do the same for Condenser;
  2. If you use the Keychain extension then you can securely use your keys on ANY Steem-based website that supports Keychain (which will hopefully be almost all of them in the near future), whereas you can't realistically install and run every Steem-based website you want to use locally; and
  3. It avoids copy/paste errors. I know I've forgotten that I had a private key copied to my clipboard from logging into a Steem-based site and accidentally pasted it somewhere it wasn't supposed to go. Luckily I never published it or anything, but I know people who have and who lost funds because of it.

Lastly, aside from the security aspects, it's a really useful tool, especially if you manage multiple Steem accounts. At this point I couldn't imagine using Steem without it.

  ·  6 years ago (edited)

Is there a way to verify that the code that I install from the Chrome Web Store is the same as on GitHub?

When you install an extension from the Chrome web store, it simply downloads the files and drops them into a folder for Chrome to access. So yes, you can verify by running a diff on the folder vs. the github. Or download directly from github, skipping the web store.
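As an added illustration of the diff check described above (not code from this thread or from the Keychain project), here is a small Python script that hashes the installed extension folder against a GitHub checkout and reports added, missing and modified files. It assumes that Chrome adds a `_metadata` directory and an `update_url` manifest key to Web Store installs; those are ignored so that only real differences are reported.

```python
import hashlib
import json
import tempfile
from pathlib import Path
# Chrome adds these to an installed Web Store extension; they are not part of the
# upstream source tree, so they are ignored (assumption about Chrome's layout).
CHROME_ADDED_DIRS = {"_metadata"}
CHROME_ADDED_MANIFEST_KEYS = {"update_url"}

def normalised_bytes(path, rel):
    # Strip Chrome-injected manifest keys before hashing so they don't show as changes.
    if rel != "manifest.json":
        return path.read_bytes()
    manifest = {k: v for k, v in json.loads(path.read_bytes()).items()
                if k not in CHROME_ADDED_MANIFEST_KEYS}
    return json.dumps(manifest, sort_keys=True).encode()

def file_digests(root):
    # Map each file under root (relative POSIX path) to its SHA-256 hex digest.
    root, digests = Path(root), {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or rel.split("/")[0] in CHROME_ADDED_DIRS:
            continue
        digests[rel] = hashlib.sha256(normalised_bytes(path, rel)).hexdigest()
    return digests

def compare_trees(installed, source):
    # Files added, missing or modified in the installed copy relative to the checkout.
    a, b = file_digests(installed), file_digests(source)
    return {
        "only_in_installed": sorted(a.keys() - b.keys()),
        "only_in_source": sorted(b.keys() - a.keys()),
        "modified": sorted(f for f in a.keys() & b.keys() if a[f] != b[f]),
    }

def demo():
    # Constructed sample trees: the installed copy carries one altered script.
    tmp = Path(tempfile.mkdtemp())
    src, inst = tmp / "github", tmp / "installed"
    for d in (src / "js", inst / "js", inst / "_metadata"):
        d.mkdir(parents=True)
    (src / "manifest.json").write_text('{"name": "demo", "version": "1.0"}')
    (inst / "manifest.json").write_text('{"name": "demo", "version": "1.0", "update_url": "x"}')
    (src / "README.md").write_text("# demo")
    (src / "js" / "sign.js").write_text("sign(tx);")
    (inst / "js" / "sign.js").write_text("sign(tx); extra();")  # constructed difference
    (inst / "_metadata" / "verified_contents.json").write_text("{}")
    return compare_trees(inst, src)
```

Point `compare_trees` at Chrome's on-disk folder for the extension and at a clone of the matching release tag; anything listed under `modified` or `only_in_installed` deserves a close look before you trust the install with your keys.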

Thank you for your conversation.

  ·  6 years ago (edited)

Yaba, how about you spend your time doing something for steem that we really need, if you have all this energy, like running and paying for an instagram campaign to promote steem, and organize your followers with a trending post to register to post on reddit with you maybe meet in a discord and all upvote and post about steemit... or do it in stealth to avoid getting banned by reddit for brigading.. but come on breaking the reddit rules is so sweet and we can totally take over reddit with our numbers but in a polite way, maybe do a steemit post once every other day..... hey man

hey man, in the words of @walden, let's go, let's go mother fucker, huh?

U gonna sell some of ur steem monsters to us huh? Overpriced SHEET

hah can't u imagine walden sayin that?

Thanks for all the work @yabapmatt!!

  ·  6 years ago (edited)

Thank you :)

If I will have any time, maybe I will take a look into code to see if I can help.

I'm fairly certain you can use Chrome extensions on Firefox. Not positive if this one will work or not.

I tried, didn't work for me.

Dang, that sucks. I just bit the bullet and started using Chrome lol

I'll optimize the extension for Firefox in the near future.

ooj

shouldn't you be using golos? :P dasvidonyetsk

Why?

Posted using Partiko Android