Steemit&#x27;s Security Values &amp; How Steem Keychain Can Help

yusnidarakj (48) · 6 years ago

Why you always sleep not post

$5.68

magicdice (64) · 6 years ago

Magic Dice has rewarded your post with a 66% upvote. Thanks for playing Magic Dice.

$0.00

fbslo (70) · 6 years ago

I thought that Steemit.com don't store keys and it's client side app.

I have few questions:

How are my keys stored in keycahin?
It's been 3 months and no Firefox support yet? When do you plan to do it?

Posted using Partiko Android

$1.72

6 votes

demotruk (69) · 6 years ago

It is a client side app. The difference between keychain and what Condenser (Steemit.com) does is that in Condenser the signing code is sent to the client via http, and executed client side. In Keychain the signing code is built into a browser extension. With the code in a http web response, the server could potentially serve malicious code which reads your keys and sends them to the server. It would even be possible to do this selectively. With a browser extension, malicious code would have to be embedded in an update for the extension, and it would likely be quickly detected by the community. Thus having the code which handles keys only in a browser extension is safer than allowing a web app to handle your keys directly, even if it is generally only done client side.

$16.90

15 votes

fbslo (70) · 6 years ago

Thank you for explanation :)

$0.00

yabapmatt (69) · 6 years ago

I thought that Steemit.com don't store keys and it's client side app.

That's right, they don't store your keys and everything is done on the client side. The whole point is that since you're putting your key into a site that they control, they can store your keys, and send them to the server-side, but we have to trust that they don't. Even if I trust Steemit, Inc, what if someone hacks into the server hosting steemit.com and edits the code for the log in page to send all keys entered to their server? Thousands of keys (many likely master passwords) would be stolen very quickly.

To answer your questions:

How are my keys stored in keycahin?

Keys are stored locally, encrypted, in the extension. When using keychain, a website will request that the extension sign and broadcast transactions for it, so that the website never gets access to your keys. If you're concerned that we can access your keys since we created the extension, or that the account publishing the extension could be hacked, that is a valid concern. In that case you can download the extension code from GitHub and install it locally.

It's been 3 months and no Firefox support yet? When do you plan to do it?

Sorry we're not moving as fast as you would like here...We're spending a lot of time and money developing this free tool to help improve and grow the Steem platform. If you would like things to move faster we would be happy for you to pitch in and help out!

_{Posted using Steeve, an AI-powered Steem interface}

$0.64

wehmoen (68) · 6 years ago (edited)

$0.47

yabapmatt (69) · 6 years ago

Yes, you're right, but here's why Keychain is still a better solution (IMO):

It's MUCH easier to install and run the Keychain extension locally than it is to do the same for Condenser; and
If you use the Keychain extension then you can securely use your keys on ANY Steem-based website that supports Keychain (which will hopefully be almost all of them in the near future) whereas you can't realistically install and run every Steem-based website you want to use locally.
It avoids copy/paste errors. I know I've forgotten that I had a private key copied to my clipboard from logging into a Steem-based site and accidentally pasted it somewhere it wasn't supposed to go. Luckily I never published it or anything, but I know people who have and who lost funds because of it.

Lastly, aside from the security aspects, it's a really useful tool, especially if you manage multiple Steem accounts. At this point I couldn't imagine using Steem without it.

$0.93

11 votes

wehmoen (68) · 6 years ago (edited)

$0.26

demotruk (69) · 6 years ago (edited)

Is there a way to verify that the code that I install from the Chrome Web Store is the same as on GitHub?

When you install an extension from the Chrome web store, it simply downloads the files and drops them into a folder for Chrome to access. So yes, you can verify by running a diff on the folder vs. the github. Or download directly from github, skipping the web store.

$0.60

vitamin-b (25) · 6 years ago

Thank you for your conversation.

$0.00

wehmoen (68) · 6 years ago (edited)

$0.00

ackza (72) · 6 years ago

Yaba, how about you spend your time doing something for steem that we really need, if you have all this energy, like running and paying for an instagram campaign to promote steem, and organzie your followers with a trending post to register to post on reddit with you maybe meet in a discord and all upvote and post about steemit... or do it in stealth to avoid getting banned by reddit for brigading.. but come on breaking the reddit rules is so sweet and we can totally take over reddit with our numbers but in a polite way, maybe do a steem,it post once every other day..... hey man

hey man, in the words of @walden ,lets go, lets go mother fucker, huh?

U gonna sell some of ur steem monthsers to us huh? Overpriced SHEET

hah cant u imagine walden sayin that?

$0.00

#weappreciateyouyabapmatt #samemoon

contestkings (68) · 6 years ago (edited)

$0.11

dkid14 (62) · 6 years ago

Thanks for all the work @yabapmatt!!

$0.25

fbslo (70) · 6 years ago (edited)

Thank you :)

If I will have any time, maybe I will take a look into code to see if I can help.

$0.00

crystalhuman (64) · 6 years ago

I'm fairly certain you can use Chrome extensions on Firefox. Not positive if this one will work or not.

$0.00

fbslo (70) · 6 years ago

I tried, didn't work for me.

$0.00

crystalhuman (64) · 6 years ago

Dang, that sucks. I just bit the bullet and started using Chrome lol

$0.00

stoodkev (69) · 6 years ago

I ll optimize the extension for Firefox in the near future.

$0.03

jhon-2794 (25) · 6 years ago

ooj

$0.00

ackza (72) · 6 years ago

shouldnt you be using golos? :P dasvidonyetsk

$0.00

fbslo (70) · 6 years ago

Why?

Posted using Partiko Android

$0.00

stoodkev (69) · 6 years ago

Looking forward to see it live in condenser! Awesome job @eonwarped!
For Firefox users, optimizing the extension for your browser will be on my plate in the near future.
For Opera users, you can already use it but you ll need to install "Install Chrome extensions" on the Opera store first.

$0.85

themadcurator (67) · 6 years ago

ǝɹǝɥ sɐʍ ɹoʇɐɹnƆ pɐW ǝɥ┴

$0.39

7 votes

sn0n (60) · 6 years ago

Bahahaha

$0.00

shadyshady (49) · 6 years ago

thanks for great info

$0.04

beeyou (59) · 6 years ago

Adding keychain to my browser is still on my "to-do" list, so I couldn't add any meaningful comment to this post. I got as far as downloading the chrome browser weeks back, transferring my bookmark favorites over, and "saved" the rest for another day. Another day turned into another day and another day..but it is definitely on my list!

On a side note, Mello mentioned the meetup a couple weeks back and I saw part of it on the youtube video. I was there in spirit! He shared some exciting news. We will definitely look into the opportunity. I hope all is well with you!

$0.04

geronimo (56) · 6 years ago

I´ve tried to use the browser extension with steeve.app but I am getting problems. Is that an issue with steeve or the extension?

Bildschirmfoto 2019-01-21 um 18.04.31.png

$0.00

10 votes

yabapmatt (69) · 6 years ago

It looks like you just need to add the private memo key to keychain for your account. If you open up the extension and go into settings -> Manage Accounts you should be able to enter the key there.

_{Posted using Steeve, an AI-powered Steem interface}

$0.06

therealwolf (75) · 6 years ago

That's actually something I was wondering about - wouldn't it be simpler to authenticate via posting-key? Most people add at least their posting-key and just a few, who know what the memo key is, are adding that one as well, IMO.

$0.00

yabapmatt (69) · 6 years ago

Yea that's a good point. I'll reach out to the steeve team about that.

$0.06

eonwarped (68) · 6 years ago

The condenser uses posting key to sign a challenge message to the server so likely this can change the mechanism too. That's something the keychain can do now.

$0.03

ackza (72) · 6 years ago

Platform problems with the Steve App? Pepperidge Farm remembers... Try a lil Kerosine oil.

$0.00

masterthematrix (60) · 6 years ago

Keychain is not only the most secure App to access other Steem related sites. It also functions as a great Web Wallet as well. You can send / receive Steem to anyone or just claim your rewards and manage delegations.
I hope steemit.inc sees the great user potential here and will integrate Keychain soon!

$0.00

steevebot (52) · 6 years ago

This story was recommended by Steeve to its users and upvoted by one or more of them.

Check @steeveapp to learn more about Steeve, an AI-powered Steem interface.

$0.00

swapsteem (65) · 6 years ago

Does keychain support escrow transactions?

Posted using Partiko Android

$0.00

geronimo (56) · 6 years ago

is there any way how we can contribute/donate to this project?
This is all incredible work, thanks for doing it. @stoodkev @eonwarped and of course @yabapmatt

$0.00

yabapmatt (69) · 6 years ago

If you're a developer and want to help out, let me know! Otherwise I mentioned that @eonwarped has done all the work for the condenser PR on his own time/cost so I'm sure a donation to him to support this work would go a long way. @stoodkev, @aggroed, and I would just appreciate your support for our witnesses.

$0.00

angelinafx (79) · 6 years ago

Already approved !!!

$0.00

maurice1975 (33) · 6 years ago (edited)

Thanks! Any reason why Steem is becoming one of the few major blockchains without hardware (e.g. Ledger) support?? Is nobody interested? Scatter already supports EOS, Tron and ethereum..why not add Steem and be able to sign transaction with a Ledger?

$0.00

steem-ua (64) · 6 years ago

Hi @yabapmatt!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 8.317 which ranks you at #14 across all Steem accounts.
Your rank has dropped 1 places in the last three days (old rank 13).

In our last Algorithmic Curation Round, consisting of 240 contributions, your post is ranked at #1. Congratulations!

Evaluation of your UA score:

Your follower network is great!
The readers appreciate your great work!
Great user engagement! You rock!

Feel free to join our @steem-ua Discord server

$0.00

steem-plus (73) · 6 years ago

Hi, @yabapmatt!

You just got a 1.37% upvote from SteemPlus!
To get higher upvotes, earn more SteemPlus Points (SPP). On your Steemit wallet, check your SPP balance and click on "How to earn SPP?" to find out all the ways to earn.
If you're not using SteemPlus yet, please check our last posts in here to see the many ways in which SteemPlus can improve your Steem experience on Steemit and Busy.

$0.00

jeffjagoe (72) · 6 years ago

This would be a great addition for Steemit.com and a good sign of cooperation if Steemit Inc rolls through with this

Posted using Partiko iOS

$0.00

snapchatfollower (0) · 6 years ago

$0.00

Reveal Comment

luegenbaron (64) · 6 years ago

Great work! Hopefully you get some support :)

$0.00

leotrap (72) · 6 years ago

No doubt is a need.... 1+1

$0.00

myquotes (49) · 6 years ago

I like steemit, it's not like any other social network. Steemit gives knowledge and money.

Posted using Partiko Android

$0.00

ambr.global (50) · 6 years ago

Awesome, going to download!

$0.00

miguelcortez (25) · 6 years ago

very good

$0.00

ivanstrength (58) · 6 years ago (edited)

The development of Steemit.com needs to be turned over to the community. Steemit Inc is too slow in a fast paced industry.

$0.00

domantas966 (32) · 6 years ago

Interesting.

$0.00

helloroger (49) · 6 years ago (edited)

Yes, this is the question that most steemians worry about. The browsser is a good solution, though that would be uncertain if it might draw the bad guy's attention.

$0.00

fr3eze (68) · 6 years ago

100% support the Keychain project. IMO this is what the community truly need and this should be on one of the top priority in the dev list. Shame the company fail to see how crucial this component is. Keychain makes many DAPP on Steem possible and one of them are the Dice game that requires rapid-firing.

However, I think Keychain should provide a way for user to whitelist certain transaction so the repeated popup can be avoided. Matured crypto extension like Scatter support the whitelist feature so it would definitely enhance the experience of using it especially in a DAPP like dice game.

$0.00

stoodkev (69) · 6 years ago

This feature has already been implemented a while ago. You can whitelist a certain operation requested by a certain website. Only transactions using the active key cannot be whitelisted

$0.00

fr3eze (68) · 6 years ago

Active key transaction is exactly what I meant actually. What was the concern not to allow whitelisting transaction that requires actuve permission?

I understand user's fund maybe at stake and that might sounds like posting a risk to the real money. But at least provide an option for those who would like to whitelist that kind of operation? That would really helps the mass adoption of Steem especially in the DAPP like dice game. And that to me is the final form how Keychain should be like. Users get to customize it to their most convenience.

Posted using Partiko Android

$0.00

stoodkev (69) · 6 years ago

A website whitelisted to use active authority by a user could, if falling into wrong hands :

Instantly steal all of the user's liquid assets
Broadcast an account update that would change the private keys and therefore take control of the account
Initiate power down, etc.

I think the tradeoff between security and convenience is too big here, thats why we only authorize listing for actions requiring posting authority, since they don t have a direct impact on stake.

$0.00

fr3eze (68) · 6 years ago

the tradeoff between security and convenience is too big

I agree and they are all valid concerns. But you can still offer user the ability to decide whether they are willing to go for the tradeoff or not. Maybe the whitelisting process can be more hidden in the setting or put up a significant warning sign in the whitelist page for active authority. Option are tons.

$0.00

darline (25) · 6 years ago

👋

$0.00

leandrojuv (25) · 6 years ago

$0.00

arcange (73) · 6 years ago

Congratulations @yabapmatt!
Your post was mentioned in the Steem Hit Parade in the following category:

Pending payout - Ranked 2 with $ 170,5

$0.00

samuel-swinton (61) · 6 years ago

Seems like a step up in secure. Any thoughts on Steem 2fa?

Posted using Partiko Android

$0.00

daysiselena (66) · 6 years ago

Interesting information.

$0.00

vinetec (3) · 6 years ago

Thank you!

$0.00

gniksivart (67) · 6 years ago

Would be nice to filter only posts in English. Always looking for a way to explore new content on Steemit, but looks like most aren't in English.

$0.00

dpa-punch (50) · 6 years ago

Interesting, I always thought it was weird that some sites asked for private keys directly, I just never really understood why. This surely cleared it up a bit. I’ll look into getting keychain now.

$0.00

pennsif (79) · 6 years ago (edited)

This post has been included in the latest edition of SOS Daily News - a digest of all you need to know about the State of Steem.

Editor of the The State of Steem SoS Daily News.
Promoter of The State of Steem SoS Weekly Forums.
Editor of the weekly listing of steem radio shows, podcasts & social broadcasts.
Founder of the A Dollar A Day charitable giving project.

$0.00

nelfran38 (25) · 6 years ago

Muy bueno tu articulo de verdad me parece bastante interesante

$0.00

kabir88 (60) · 6 years ago

Did @ned or @elipowell have any comments on this?

$0.00

arafathsunny (48) · 6 years ago

Steemit's Security Values & How Steem Keychain Can Help,yes i agry with you

$0.00

vegeta (53) · 6 years ago

Is there any plans for a desktop version?

$0.00

princelouise (53) · 6 years ago

Thanks anyways for the updates still. It is worth sharing

$0.00

magicdice (64) · 6 years ago

Magic Dice has rewarded your post with a 14% upvote. Thanks for playing Magic Dice.

$0.00

javirid (56) · 6 years ago

Why is it so difficult for developers to begin with the standard API -WebExtensions- which works on every single modern browser -even Edge- and then customize it for each of them?

Posted using Partiko Android

$0.00

marki99 (54) · 6 years ago

Keychain is a necessity. Safety always comes first in crypto. We are a big target for hackers.

$0.00

shepz1 (71) · 6 years ago

Give my son back his money _ 5 hours ago Transfer 56.000 STEEM to smartmarket https://steemit.com/freedom/@shepz1/i-set-off-to-see-the-world-and-i-did-not-like-what-i-left-behin

Or!

$0.00

yabapmatt (69) · 6 years ago

I don't run or have any affiliation with smartmarket...I believe that is run by @therealwolf

$0.00

shepz1 (71) · 6 years ago

Thanks for the info, much appreciated.

$0.00

mstafford (67) · 6 years ago

Going to work on implementing this for my project -- Been having issues w/ SteemConnect anyways.

Is there a rough ETA on Firefox support?

$0.00

stoodkev (69) · 6 years ago

I'll get it working by this week or next , I'm on it already

$0.00

mstafford (67) · 6 years ago

Dope! You're a good man!

$0.00

stoodkev (69) · 6 years ago

Doing my best ;)

$0.00

snaxteam (62) · 6 years ago

Hello!

I am a community manager at Snax. We are trying to make public blockchain based on EOS node. Snax chain will provide transactions over social networks, token supply based on user social influence.

Snax as well as Steemit rewards its users for the content created, but Snax works as overlay solution over existing social networks (e.g. Twitter)

We have no ICO. We already have a testnet, mainnet will be launched this month, and we currently looking for great candidates for Block Producers like yourself. You can find out more about us at our website snax.one

If our project is interesting for you, please let me know by emailing me at [email protected]

Looking forward to hearing from you, and keep rocking this world!

$0.00

swapsteem (65) · 6 years ago

Hey

Posted using Partiko Messaging

$0.00

intrepidphotos (75) · 6 years ago

I would love to see this happen across all the DApps. Great initiative.

$0.00

darkflame (65) · 6 years ago

Awesome!

$0.00

ackza (72) · 6 years ago

@yabapmatt DUDE i just realized, if you sold a little USB dongle to hold your key like a little useful gimmick, I would buy it and many steemians would love it. it would bereally cool to have a keypad enabled hardware wallet for use with steem that could be as simple as a special doingle you needed to make keychain sign transactions... even if it was just a basic standard key fob usbkeychain encrypted usb key thingy..... and had a custom steem engraving or whatever, and worked with ru software, man thatd be legit...

$0.00