You are viewing a single comment's thread from:

RE: Steemit's Security Values & How Steem Keychain Can Help

in #steemit6 years ago

I thought that Steemit.com don't store keys and it's client side app.

That's right, they don't store your keys and everything is done on the client side. The whole point is that since you're putting your key into a site that they control, they can store your keys, and send them to the server-side, but we have to trust that they don't. Even if I trust Steemit, Inc, what if someone hacks into the server hosting steemit.com and edits the code for the log in page to send all keys entered to their server? Thousands of keys (many likely master passwords) would be stolen very quickly.

To answer your questions:

  1. How are my keys stored in keycahin?

Keys are stored locally, encrypted, in the extension. When using keychain, a website will request that the extension sign and broadcast transactions for it, so that the website never gets access to your keys. If you're concerned that we can access your keys since we created the extension, or that the account publishing the extension could be hacked, that is a valid concern. In that case you can download the extension code from GitHub and install it locally.

  1. It's been 3 months and no Firefox support yet? When do you plan to do it?

Sorry we're not moving as fast as you would like here...We're spending a lot of time and money developing this free tool to help improve and grow the Steem platform. If you would like things to move faster we would be happy for you to pitch in and help out!

Posted using Steeve, an AI-powered Steem interface

Sort:  

Yes, you're right, but here's why Keychain is still a better solution (IMO):

  1. It's MUCH easier to install and run the Keychain extension locally than it is to do the same for Condenser; and
  2. If you use the Keychain extension then you can securely use your keys on ANY Steem-based website that supports Keychain (which will hopefully be almost all of them in the near future) whereas you can't realistically install and run every Steem-based website you want to use locally.
  3. It avoids copy/paste errors. I know I've forgotten that I had a private key copied to my clipboard from logging into a Steem-based site and accidentally pasted it somewhere it wasn't supposed to go. Luckily I never published it or anything, but I know people who have and who lost funds because of it.

Lastly, aside from the security aspects, it's a really useful tool, especially if you manage multiple Steem accounts. At this point I couldn't imagine using Steem without it.

Is there a way to verify that the code that I install from the Chrome Web Store is the same as on GitHub?

When you install an extension from the Chrome web store, it simply downloads the files and drops them into a folder for Chrome to access. So yes, you can verify by running a diff on the folder vs. the github. Or download directly from github, skipping the web store.

Thank you for your conversation.

Yaba, how about you spend your time doing something for steem that we really need, if you have all this energy, like running and paying for an instagram campaign to promote steem, and organzie your followers with a trending post to register to post on reddit with you maybe meet in a discord and all upvote and post about steemit... or do it in stealth to avoid getting banned by reddit for brigading.. but come on breaking the reddit rules is so sweet and we can totally take over reddit with our numbers but in a polite way, maybe do a steem,it post once every other day..... hey man

hey man, in the words of @walden ,lets go, lets go mother fucker, huh?

U gonna sell some of ur steem monthsers to us huh? Overpriced SHEET

hah cant u imagine walden sayin that?

Thanks for all the work @yabapmatt!!

Thank you :)

If I will have any time, maybe I will take a look into code to see if I can help.