Hate putting private keys into websites? Introducing Steem Keychain!

in #steem6 years ago

One thing that has bothered me since I started using Steem over a year ago, is that every single web app requires you to enter your private key into the website to use it.

The common response to that is that it's not a big deal because most sites only require your posting key, but I disagree. Sure you and I may know how to use our posting key but I'm guessing that a vast majority of Steem users just use their master password.

As a blockchain platform trying to cater more to the general public I don't think it's ok to put the burden of understanding the different keys and levels of security on the users. The tools and services should be built such that security is the default.

Additionally, most web apps built on Steem use Steem Connect, which requires you to put your active key into their website and then uses that to grant posting authority on your account to an account they control.

What I commonly hear regarding steemit.com or Steem Connect is that it's ok to put your active key into those sites because they are run by Steemit, Inc. Even if I were to fully trust Steemit, Inc not to purposely steal my keys, anyone can be hacked. If the servers hosting steemit.com or Steem Connect were hacked, I expect that thousands of keys would be stolen, and accounts would be emptied of liquid funds, within a very short period of time.

The last, and final option, is to use the Vessel desktop wallet software. This is actually a great option from a security standpoint, but from an ease of use standpoint it's not great, and I find it very unlikely that all but a small group of power users will use it.

So, for a long time I just accepted that that's the way Steem is, until one day when I actually used an Ethereum dApp. Despite it being slow and costing fees, I noticed that at no point did I have to enter my wallet private key into the website. The website simply called the Metamask browser extension to sign and broadcast the transactions for it.

Once I realized this, I couldn't understand why on earth there wasn't something like Metamask for Steem. Not only would it completely resolve the issue of having to put private keys into websites, but there's also so much more you could do with it on Steem than on Ethereum (seeing as Steem is specifically built for websites to interact with it).

At this point I was already knee deep in Steem Monsters, but I felt that this was an absolute necessity for the Steem platform so I talked about it with @aggroed. He agreed that this was an important project and wanted to help make it reality. Since I didn't have time to build it myself, we decided that Steem Monsters should fund its development.

So Aggroed and I got to work writing up specs for the extension, what features it should have, creating wireframe designs, etc. Then we got the amazing @nateaguila to do the graphics and UI design, and finally got Mr. Steem Plus himself, @stoodkev to do the bulk of the development.

Introducing the Steem Keychain Chrome Browser Extension

Finally, the Steem Keychain Chrome browser extension was born! I have been using it actively while it has been in development for the last couple of months, along with Aggroed and some other people we brought in to help test it, and I can say with some certainty that this will change the way you interact on the Steem blockchain.

Take a look at the following video to see what I mean:

Using the extension I was able to easily view info and make transactions from multiple accounts, and interact with the Steem Monsters web app without ever compromising any of my keys!

Currently Steem Monsters and Peak Monsters support the Steem Keychain extension, and Steem Peak is working on adding support as well. My hope is that one day all Steem-based sites, dare I say even steemit.com, will support the extension as well, and the days of putting keys into websites will be over.

Current Features

The Steem Keychain extension currently includes the following features:

  • Store an unlimited number of Steem account keys, encrypted with AES
  • Easily view balances, transaction history, voting mana, and resource credits for all of your accounts
  • Send STEEM and SBD transfers right from the extension
  • Securely interact with Steem-based websites that have integrated with Steem Keychain
  • Manage transaction confirmation preferences by account and by website
  • Manage automatic lock settings to lock when the browser is closed, the device is locked, or after the browser is idle for a specified period of time

Website Integration Features

Websites can currently request the Steem Keychain extension to perform the following functions / broadcast operations (note that by default, users will have to confirm any transactions requested by a website, but they have the option to turn off the confirmations for specific operations and websites as desired):

  • Send a handshake to make sure the extension is installed and running
  • Decrypt a message encrypted by a Steem account private key (commonly used for "logging in")
  • Post a comment (top level or reply) including a "comment_options" transaction for beneficiaries
  • Broadcast a vote
  • Broadcast a custom JSON operation
  • Send a transfer
  • Broadcast a delegation operation

New Features Coming Soon™

  • Power up / down
  • Manage delegations
  • Manage witness votes
  • Claim pending reward balances
  • Support for Firefox and other browsers

Integrating with Steem Keychain

The code for the extension is all open source and available on Github here: https://github.com/MattyIce/steem-keychain

The readme contains instructions for Steem-based websites to integrate with the extension. If you need any help or have any questions / suggestions for integrating Steem Keychain into your site, please feel free to contact @yabapmatt or @stoodkev on Discord.

The Broader Mission

As you probably know, @aggroed, @stoodkev, and myself are Steem Witnesses. I can only speak for myself here, but I suspect that both @aggroed and @stoodkev have very similar thoughts and goals.

Beyond the standard work that witnesses are expected to do (which was brought into the forefront recently with the HF20 release), I think that each witness should have an overall goal, or mission, for the future of the Steem blockchain that they are primarily working towards.

For me, that mission is bringing more and varied apps to the Steem blockchain. I plan to go into this in more detail in my next witness update post, for which I am long overdue, but I am mentioning it here because I feel that the Steem Keychain extension is a critical component to that mission.

I am talking with some Ethereum app developers who are considering porting their apps to Steem, and they told me that almost all of their users use Metamask to interact with their apps and they were surprised to hear that Steem doesn't have something similar. Well now it does.

If you also support this mission, I ask that you consider voting for myself, @aggroed, and @stoodkev as Steem witness (and also support @nateaguila's posts as he is a talented and valuable contributor to this project and the Steem platform as a whole).

In Conclusion

Please keep in mind that this is a first version of a brand new product. There will likely be some bugs or other issues that we didn't catch during testing. We welcome help and constructive feedback from the community to improve the product and work to achieve the stated goal of completely eliminating the need to put private keys into websites.

In case you missed it, here is the direct link to download and install the extension in Chrome: https://chrome.google.com/webstore/detail/steem-keychain/lkcjlnjfpbikmcmbachjpdbijejflpcm We would also appreciate you taking the time to rate the app in the Chrome web store to help increase its visibility in searches.

Be free and Steem on!
@yabapmatt

Sort:  

So, would you recommend generating new passes since steem-connect and steemit Inc. server hold our keys on their servers? Thus generating new passes would allow greater safety since even if steem connect and steemit inc get hacked, it wouldn't matter. Thus making the keychain more effective.

Also, does send work with #privacy send?

I'm pretty sure that they do not store keys and only give a specific account a authentification to post under your name, even if they get hacked, nothing should happen, if you remove authentificated accounts. Of course, if hacked, it could be used to phish newly entered keys.

Yes, that's what I thought. Thanks for the confirm.

Definitely, but where will you post from? Steem and Busy haven't implemented this extension yet. When you find a place to post from and do operations from that accepts the plugin, then reset the passwords.

Posted using Partiko Android

I believe they will be implenting the key integration soon.

It would make sense, but at least Steemit isn't known for quick adjustments. However, since they're open source, I would as well expect for people to propose the changes by themselves. Do you have information regarding the current development status?

I think @yabapmatt has the most details on such updates. If you follow him or @aggroed, his partner; news of new updates should be coming out.

Thank you for your work on this and I sure appreciate that it offers a faster and simpler option. I'm not technical, so I don't understand a lot of these things, but my understanding is that browser extensions are not really that secure either. I've always been told it is kind of sketchy to use your password with an extension. Am I wrong there?

This is an important conversation so thank you for bringing it up. As far as I know the security concerns around browser extensions primarily come from fake extensions being listed in the stores that impersonate real ones to steal keys. As long as you are careful to only install and use the legitimate version at the link i shared above there should be no security concern.

I think the fact that Metamask has been widely used for storing Ethereum private keys for a long time now shows that browser extensions can be a secure and user-friendly way to transact on blockchains, and we have built Steem Keychain to work as similarly to Metamask as possible.

With extensions you are placing a large amount of trust in the developer and the codebase. For example, the extension requires permission to:

Read and change all your data on the websites you visit

Hence, a malicious developer could not only steal your Steem credentials but possibly even other types of personal content.

I happen to know @yabapmatt is not malicious. However, there is still the possibility that his account gets hacked and a malicious version of the extension is released to the Chrome store. I'm not sure how common this type of attack is and what sort of screening extensions undergo to prevent this.

So in summary, browser extensions can be secure, as if implemented properly they perform all sensitive tasks client-side, which is good, but also can easily leak sensitive data should they be poorly engineered or created/hijacked by an attacker. Please add to my understanding if it's incomplete.

You have a ability to download the extension to your harddrive and tell Chrome to load it locally. Your copy of the extension would then be updated only when you update the code manually

And how do you download the extension to local HD?

Hi @haejin

The following instructions have been written for a Mac computer, but for a Windows computer, it's very similar:

  • Go to the Steem Keychain GIT repository: https://github.com/MattyIce/steem-keychain
  • Click on the "Clone or Download" green button
  • Select "Download ZIP"
  • Once the ZIP file download successfully, unzip it somewhere on your local HD. For the purpose of this mini-guide, I will assume you have unzipped it under Documents/steem-keychain-master
  • Now, launch Chrome and in the address bar, type chrome://extensions
  • On the top right of the screen, enable the "Developer mode"
  • Now you have three new button showing at the top left, click on "Load unpacked"
  • Browse to Documents
  • click on the folder steem-keychain-master
  • click on the "Select button"
  • You should now see the extension appearing on the screen

To upgrade you will have to download and unzip again and overwrite the files on your local harddrive then go back to chrome://extensions and click the circular arrow icon to reload the extension. Verify its version number to confirm the upgrade.

This is what Chrome extension developers do to test their extensions before uploading it to the Chrome Web Store.

Thanks! Very helpful!
Would an upgrade wipe out prior entered keys?
If one had used steemconnect or entered keys via cop paste in the past, should new keys be generated for the Key Chain; in the event steemconnect or steemit inc. get hacked?

An upgrade should not wipe the entered keys if you don’t remove the extension prior to the upgrade. I have not checked how the extension stores the keys but beware when you clear the browser’s cache as it might also clear the keys depending on the cache clearing options you checked. After checking the extension and testing on another computer, it seems that clearing cache does not clear your keys from the extension, to remove all store keys, you would need to remove the extension itself.

To my knowledge, SteemConnect (from v2) does not store your private keys, it uses you active key to grant posting authority to the dapps that was using SteemConnect. The key is not needed later on when posting or upvoting. The private key is still requested for each transfer or settings request. Utopian got hacked in the past, the hacker could not retrieve the keys because there was nothing to retrieve, they could only use the SteemConnect token to perform the upvotes. If SteemConnect get hacked, just revoke your tokens.

However, if you want to be 100% you have not leaked your keys somehow then yes, go regenerate them. I still recommend you kept your owner key somewhere else safe.

Posted using Partiko iOS

Do you develop chrome extensions?

Posted using Partiko Android

I do occasionally

I wanna :D
SoonTM

All good, valid points. There's really no situation where it's completely impossible for keys to ever get stolen. I will say that the extension purposely never stores the owner key or master password for accounts, so if there were to ever be a hack, while that would certainly be bad as active keys and liquid funds could be stolen, it's a much easier situation to recover from since you can just change your keys and not have to go through the account recovery process.

I believe this is still more secure than the system being used now where if any of the sites into which people are putting their keys are hacked, many master passwords will be stolen.

Much more secure indeed in this era of middlemen. I just wish browsers had a much heavier emphasis on security in order to facilitate these tasks with the biggest convenience:security ratio.

Posted using Partiko Android

You are completely right. The safest way is compiling the extension yourself as has been explained elsewhere on this thread.

Posted using Partiko Android

Will it also be used for SMTs like metamask allows for erc20 tokens?

Posted using Partiko Android

Absolutely!

Same worries for me, i wonder if other extensions can see what you are doing if you granted them permissions like "Read all actions, websites, etc.."

Posted using Partiko Android

They definitely can. That's why you have to limit your extension usage and use only trusted and essential ones.

Posted using Partiko Android

The risk exists, indeed, no matter how small. Safest is to make an effort with your own security measures, but this extension sure is more secure than most things we normally use and makes it mal very easy and convenient.

Posted using Partiko Android

We look forward to implementing keychain on https://steempeak.com we are big believers in it.

PEAKMONSTERS USAGE
Our partner site https://peakmonsters.com has already been using Keychain for over a month now and it's been a raging success. Specially with people who buy cards frequently it makes it much easier and we believe much safer. (unless you often walk away from your laptop in public places)

Steempeak is really becoming the most dynamic STEEM UI out there, power on!

@jongolson, if you catch this, please consider mentioning Steempeak in a Savvy if you haven't already (I have not unlocked all videos yet -- which is another issue for testing, but more on that later).

Why Steem UI? I can't use normal Steem from there. Though the cards are based on Steem. 🤔

Posted using Partiko Android

Ah, perhaps you're confusing peakmonsters.com with steempeak.com itself? Steempeak is used for blogging. The most dynamic STEEM UI "for blogging" is what I should have said :)

for sure. it’s planned absolutely. i just don’t have a working knowledge of it yet. but will be diving in much more. thanks for the recommendation

Posted using Partiko iOS

I just reviewed @steempeak in detail and really loved it. Someone really put a lot of effort in this project but it still seems undervalued. It would be really nice addition if you add this keychain on it and thus give users almost a perfect experience. Good luck!

Love hearing that!

I want all projects to use this key chain!

Posted using Partiko Android

I always thought that Steempeak was an alternate frontend for Steem monsters. Do they have different origins or are they branches of the same thing?

Posted using Partiko Android

https://steempeak.com = an interface/frontend for steem.

https://peakmonsters.com = A bulk Market for SteemMonsters with some other data insights

Would there be a way to auto populate the plugin data after account registration? This would make it really easy for normies to get plugged into the steem blockchain without even touching a key lol. Just show them a page to print their keys.

That is a fantastic idea!

Awesome, though this might worry some people about the safety of their usage because they will see that websites and extensions are not isolated but can take from each other without explicit authorisation.

Posted using Partiko Android

What kind of things do you invent, Mr inventor?

Posted using Partiko Android

Hey, guys, it's really cool that you developed this extension. So far I've always stored everything as a custom text field in my password store, but it never worked that way.
However, it would be very cool if you could release it as your own Firefox extension. There is Chrome Store Foxified, but I don't trust it that much.
Thxalot,
JanSe

Aaaaaa I always do the same! I open a Keepass document and the custom description has my posting and active and memo and owner keys.

Posted using Partiko Android

I'm also curious to know if the extension will be available on Firefox as well?
Great dev and contributions though, thank you @yabapmatt, @aggroed, @stoodkev and @nateaguila, fantastic work!
Cheers

I'm sure it will come but much later.

Posted using Partiko Android

Yabapmatt, for sure 100% fantastic but i have a fear with these extensions. Is there any possibility that another extension can see what you are doing? Some of them are granted "Read all actions, websites, etc.?". As a developper, can you tell us it is 100% safe?

Posted using Partiko Android

This is actually yet another reason why using an extension to store your keys is better than putting them into websites. As far as I know extensions cannot access any data stored by other extensions, but they can access data on websites, as you pointed out. So if you copy/paste your key into a website like steemit.com or Steem Connect, then a malicious extension could steal it, but a malicious extension cannot steal it from the Steem Keychain extension.

I get it, so true! Gratefull thanks for replying. We still have to be carefull off course, another extension could do phishing, mimic same behaviour and one step up in the OS hierarchy, any process can read all our keystrokes but yes, it is better than anyhing we have now and difficult to do better, thumbs up @yabapmatt, thanks, thanks, thanks!

Posted using Partiko Android

Yes, phishing is always the biggest problem, so you must always be very careful about that!

Great addition. Still. I trust my savings wallet more then anything. 😀 goes and hides more stuff there

Maybe we need some instruction on how to download for the non-technical steemians.

Open Chrome
Click this link: https://chrome.google.com/webstore/detail/steem-keychain/lkcjlnjfpbikmcmbachjpdbijejflpcm
click install
Shows up as a little keychain icon in the top right. Click the icon to use it.
It will ask for master password to get your other keys but doesn't store the master password.

Thank you very much.

This will be of a great help to many steemians.

I don't trust Google stuff. Is there a way of using it on Tor browser?

Really great work here @yabapmatt. Thank you

I remember you and aggroed mentioning the wallet months ago on the msp show. Glad to see it has been tested and ready for use! Only downside for me, now I have to use Chrome 😕 .

Thank you (and team) for this awesome feature. The few seconds spent looking for passwords can now be better utilized battling. ;) In all seriousness, you've spent an incredible amount of time developing and in this case, writing out the specs for Steem Keychain.

Having spent countless hours reading and writing simple technical specs myself at work, I can attest that it takes considerable time to write down all the details so others would be able to understand. So thank you for gathering the methodology so it can be coded into this finished product.

Only downside for me, now I have to use Chrome 😕 .

You can also use Chromium, which is completely open source. Chrome contains some proprietary add-ons, but nothing I've found that I actually use.

Will this work with the Brave browser? I think that's the one we should all be using eventually

Apparently in the current version of Brave installing Chrome extensions is a bit wonky but this should improve with the upcoming Brave 1.0 release. More info in this Reddit post.

If you use adapters you have to trust the adapter too, not only the original application. If it's independent, sometimes cross platform opens the doors to vulnerabilities. You should be careful and use things in their intended environments unless you understand the technicalities of each change.

Posted using Partiko Android

Why do you think we'll have to use that browser in the future?

Posted using Partiko Android

We won't have to use it but I'd rather use a browser that can reward content producers and pays me for use of my data.

Posted using Partiko Android

Issue is more laziness with having to re-bookmark and install ad blocker, etc. :)

I should be moving over to chrome or chromium anyway since my GTM web sessions never want to work on firefox. Steem Keychain is a good reason to take that step. Thanks @dhimmel! I'll take a look at Chromium.

What is gtm?

Posted using Partiko Android

oh, the GoToMeeting online software. We use it for conference calls and screen sharing, but it doesn't want to connect on my firefox when I work from home. It's fine with chrome though, so all the more reasons to switch.

Is it better than Skype and Discord or is it just used because of corporate convention?

The corps I've been with use GTM and WebEx for online meetings. It's convenient for sharing your screen with others, especially for a training or tutorial session.

Discord and Skype is more catered for social media; DM, voice chats, video chat, but I don't think it supports screen sharing. Some companies use skype internally to communicate with each other, but when it's a conference call with third-parties, I mainly see GTM or WebEx being used.

(They both support screen sharing)

Seems like these are apps specifically designed for corporate use and I assume they're easy enough to use for the average user to approach. I imagine that this is tied to dedicated IT services and other corporate support that makes them attractive. I'd have to test them to see if they're better. Skype was particularly heavy. I've seen easier, faster and more effective screen-sharing software. I haven't tried Discord's but I read somewhere that it does have this functionality.

Hmmmm. I haven't seen a reason to switch. Is Chromium any better in any respect? It still requires a Google account to sync and things like that, so it's still very dependent on proprietary services.

Posted using Partiko Android

I switched to Chrome a while ago and I really like it. The hardest part wasn't my bookmarks because they synced. It was getting accustomed to things being in different places and behaving in unexpected ways. But now I'm accustomed so everything is fine.

I love that memory in use is better compartmentalised, so if you close a tab, you recover the ram allocated to it. Firefox is much more wasteful with your resources.

Posted using Partiko Android

I used both Chrome and Firefox years ago but can't remember why I stuck with firefox. Thanks for the input. I haven't had a chance to move over yet but it is on my list!

I've always been switching because both are really great! I preferred Firefox a few months ago because it was much lighter than Chrome, but then it started being slower, so I switched to the then-faster Chrome, and now it's the inverse. I don't know. Software is crazy sometimes.

I think that was likely my reasoning too. I remember it was chrome that was faster, then it became mozilla. Now who knows; I don't have the time to surf as I used to before. Definitely crazy softwares!

Hi, I wrote a post a week or so ago on how losing between 0-100% of curation rewards to the pool when you upvote a comment within the 15 minute window is an annoyance if you want to upvote comments in a live comment thread. Very often, I write something and get a reply back almost immediately (or in a time much, much shorter than 15 minutes). I'm big on monetizing engagement. But under the current rules, my upvoting immediately means my rewards go back to the pool instead of my conversation partner. That sucks but is easily remedied with 15 minute or so delay in broadcasting upvotes on a comment. Too often I forget to come back to upvote comments in conversations that I've had. It's also annoying to to have to wait and go back to a conversation to upvote. It's even more annoying to effectively lose part of your SP by upvoting immediately.

If websites are to integrate the Steem Keychain in such a way as to have it not only sign transactions but broadcast them on their behalf, I wonder if it would be a good idea to implement an optional 15-minute delay on Steem Keychain?

Wow so immediately upvoting a comment is essentially nothing but a waste of voting power?

Seems like a great UI feature would then be to have a time slider on the upvote menu in addition to the power slider. Therefore, I could upvote at 55% power in 13 minutes.

It's only the curation reward portion that gets burned (max 25% of the vote value if the vote is immediate). The other 75% still goes to the author as intended.

Will we be able to do custom transactions directly from the extension? I want do operations without middlemen. Steem-plus takes 5% mandatory beneficiaries if you launch beneficiaries from their extension. I want to create a more flexible tool but if you're doing it in your extension I can calm down about that.

Posted using Partiko Android

It's a waste of curation rewards. Let's say you exchange comments with someone and upvote each other's comments immediately. Before HF20, neither of you would get curation rewards for the comments because the author (your conversation partner) would get them. Now the curation rewards go back to the pool. Neither you nor your conversation partner get any curation rewards. Easily fixed with no hardfork by delaying the broadcasting of the upvote by 15 minutes, in which case the upvoter gets all the curation rewards.

Seems strange to implement that, dunno why you want people to burn things for voting too early. Is this explained somewhere?

Posted using Partiko Android

Before HF20, many authors would upvote their own posts immediately in order to minimize the curators' cut. Now that curation rewards from early upvoting go back to the pool instead of the author, immediate self-upvoting has become a loss-making strategy.

Posted using Partiko Android

Hmm, I now vote at 12min because most of the votes start coming at 13min. Am I breaking something? 😭

Posted using Partiko Android

You're doing the right thing by frontrunning at 12 min if what you're frontrunning is big.

Posted using Partiko Android