RE: 20 SOLID REASONS TO STEEM on STEEMPEAK.COM

in #steempeak, 6 years ago (edited)

NO KEYS GIVEN TO STEEMPEAK... EVER

You will never input your keys into steempeak.com... all actions on the chain on the steempeak site are done via steemconnect.

Are you aware of how SteemConnect works? Anyone using SteemConnect with your app is delegating his posting authority to your app, and you can technically do any comment or voting for them.

If you really care about security, implement posting key login as soon as possible. If you don't and just wondered what to put in your article, then I guess I'll never try your app.

Sorry for the delay answering this. Unfortunately, some of the features we created and some that we are planning require our servers to have the token/key to operate on the blockchain.

I know that even without the posting key developers can always use the steemconnect token to broadcast votes or comments, but we NEED this in order to be able to let users schedule their posts and have automatic upvote rules.

I also think that for a new application (like @steempeak) it's better to avoid storing the private keys, and much better to have the steemconnect tokens (that expire and can easily be revoked). I think most of the vote selling websites do the same, and this is also what steemauto does in order to be able to broadcast operations on behalf of the user.

If you know of an alternative method to do this please let me know and feel free to join our Discord channel ;)

If they have your posting key they can use your vote anyway. Of course having the active key allows for a lot more. Should steemconnect allow fine-grained control of what an app can do?

I'd rather never ever send my key on the network, and that includes the steemconnect domain. SteemIt and DTube manage all the keys locally inside your browser and nothing gets sent anywhere.

So SteemConnect has a facility to use the posting key login? Because in most of the apps, when it redirects to SteemConnect, it asks for the active key. Can you explain where it would need the active vs. posting key? And is it on the app to decide that?

Yes, the app decides which authorities to request from the user. It's totally possible to only allow the posting authority, or even LESS than that with SteemConnect!

The bad thing with SteemConnect, is that any app developer can use the authorities of users who logged in on their app. For example, I totally can upvote as all the people who logged in on DTube with SteemConnect. I will not do it, but I could.

Some time back I had raised this with dmania, and I was told it was not possible. I wonder why all the apps are not using this. And maybe it could be restricted from SteemConnect as well, to force apps to use a posting key.

Do you encrypt the stored key?

No. If we did we'd have to ask you for your decryption key on each new session or transaction. SteemIt doesn't encrypt it either.

As long as your computer is safe and everything is done client-side, what would be the purpose of encrypting it? Don't you keep your posting key unencrypted on your PC already?

We would LOVE for steemconnect to allow posting key for login!!
Does anyone know how to make that happen or get hold of them?

Right now there is a workaround though, so it's not like it's impossible.
I use the workaround when logged into the @SteemPeak account, and several contributors use it for my @photogames account.

So you'll be able to use steempeak.com with your posting key, just not as easily as a simple login.
I can look up that workaround or summon @r00sj3 or @asgarth, who know how to do it better.

However, with that said, @heimindanger, I would love to have a discussion with a few people about the option of direct posting key login. Of course the main developer @asgarth should be doing more of the talking than me. But I've been telling everyone to only use POSTING recently. Just wish it was easier to do with steemconnect.

BUT... best of worlds is to just find a way to do it easier with steemconnect.
But... there is a way.

If your dev wants some help, I can help. It's actually pretty easy. All the transactions are exactly the same in the code, only the login part is different, but I can show him how to verify a posting key and see if it matches the official one on the blockchain. I do it with SteemJS in DTube.

P.S.: I'm on discord.gg/dtube as heimindanger

Yes please, I'm very keen to know how to do this.
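
The posting-key check described in the thread above (derive the public key from the entered posting key and compare it with the posting authority published on the blockchain), as an added example that is not part of the original thread and not DTube's or SteemPeak's code. It uses only Node.js built-ins instead of SteemJS; the function names are hypothetical, the `account` object is assumed to have the shape a Steem node returns for an account, and the sample key is constructed.

```javascript
const crypto = require('crypto');
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();
function b58decode(s) {
  let n = 0n;
  for (const c of s) {
    const v = B58.indexOf(c);
    if (v < 0) throw new Error('not base58');
    n = n * 58n + BigInt(v);
  }
  const hex = n === 0n ? '' : n.toString(16);
  const body = Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
  // each leading '1' stands for one leading zero byte
  return Buffer.concat([Buffer.alloc(s.match(/^1*/)[0].length), body]);
}
function b58encode(buf) {
  let out = '';
  for (let n = BigInt('0x' + buf.toString('hex')); n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  for (const byte of buf) { if (byte) break; out = '1' + out; }
  return out;
}
// WIF = base58(0x80 || 32-byte private key || first 4 bytes of double SHA-256)
function wifToPrivateKey(wif) {
  const raw = b58decode(wif);
  const payload = raw.subarray(0, -4);
  const sumOk = sha256(sha256(payload)).subarray(0, 4).equals(raw.subarray(-4));
  if (raw.length !== 37 || raw[0] !== 0x80 || !sumOk) throw new Error('malformed WIF');
  return payload.subarray(1);
}
function derivePublicKey(priv) {
  const ecdh = crypto.createECDH('secp256k1');
  ecdh.setPrivateKey(priv);
  return ecdh.getPublicKey(null, 'compressed'); // 33-byte compressed point
}

// Local login check: true if the WIF key is one of the account's posting keys.
// The on-chain key string is "STM" + base58(33-byte key || 4-byte checksum);
// only the key bytes are compared, the checksum suffix is not re-verified.
function postingKeyMatches(wif, account) {
  let pub;
  try { pub = derivePublicKey(wifToPrivateKey(wif)); } catch { return false; }
  return account.posting.key_auths.some(([key]) =>
    b58decode(key.slice(3)).subarray(0, 33).equals(pub));
}

// Constructed sample (hypothetical helper): builds a WIF and an account record for
// a given private key. The 4 checksum bytes in the STM string are zero placeholders.
function makeSample(priv) {
  const payload = Buffer.concat([Buffer.from([0x80]), priv]);
  const wif = b58encode(Buffer.concat([payload, sha256(sha256(payload)).subarray(0, 4)]));
  const stm = 'STM' + b58encode(Buffer.concat([derivePublicKey(priv), Buffer.alloc(4)]));
  return { wif, account: { posting: { key_auths: [[stm, 1]] } } };
}
```

In a browser client the same comparison runs locally after fetching the account record from a node, so the private key itself is never transmitted.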