RE: Steem Monsters Cartography Challenge! Create the World Map! 120 Booster Deck Contest!

in #steemmonsters, 7 years ago

Yes, I agree with you that we shouldn't teach people to put keys in the browser at all. From that perspective it's no different from SteemConnect though. I also don't really like SC because I don't like having to give another account posting authority to use it.

The Utopian hack really made me think twice about using SC. I know we wouldn't be storing access tokens like what they were doing, but SC could get hacked and then the hackers would have posting access to all the Steem Monsters players' accounts.

I think Vessel is the best option - and it is supported currently for purchases, as I'm sure you've seen using my SC2-pay library (which is mis-named now that it supports other options than SC). Practically speaking though, very few people use Vessel, especially the ones who don't know how to protect their keys.

The best option of all (in my opinion) would be to have a MetaMask-style browser extension for managing Steem keys and signing transactions. That would be the best mix of security and user experience (again, in my opinion). I have talked to @jesta about this a couple of times, but he doesn't seem too interested in it.

I would absolutely love for someone to build that though, and would definitely help fund and support that project.

Anyway - this was probably a much longer response than you were expecting, but the point is that I put a lot of thought into the authentication and I thought that using the private posting key on the client-side only was the option I preferred to use based on all of the above.

I've used Vessel every time when buying monsters, and I greatly appreciate the Vessel support.

I understand the concerns with SteemConnect, but the way I look at it, the Utopian hack actually demonstrated the value of SteemConnect. Instead of all those posting keys needing to be reset, the SteemConnect OAuth tokens were revoked and no one had to change any keys. If SteemConnect itself ever got hacked, then Steemit could also be hacked. I figure we have to put trust somewhere, and right now that's with the core Steemit, Inc. developers.

Right now, unfortunately, there's no easy way to ensure "This only happens in your browser and doesn't get sent to our servers". That's why I like Vessel. It makes that separation clear. A browser extension, to me, still feels a bit shady. I've never really trusted MetaMask. I wonder sometimes if those extensions are spying on pages or capturing keystrokes... I don't like them running all the time in the background. I do agree they are more user-friendly by far though.

No worries about the long reply. It's a really important discussion, IMO.

Keep up the great work.

I think we're mostly in agreement here. No method that involves entering private keys into a browser window is an ideal solution. I also agree that Vessel is a better solution from a security perspective than a browser extension, but it's definitely not better from a usability perspective when it comes to integration with websites (which is what the Steem blockchain is mostly all about). So in my opinion an open source browser extension would be the best of both worlds in that it would provide ease of use with Steem-based websites while also allowing the code to be reviewed and audited to ensure there's no shady business going on.

I would like to use Vessel, but when I click xdg-open from Chrome, Vessel never gets populated with the transaction. I wonder if this is because I installed Vessel using its Linux snap?

snap install --dangerous vessel_0.2.7_amd64.snap

Check with @jesta on Discord or Steemchat, or open an issue ticket on GitHub. I've never had a problem using it.