Steemit's Security Values & How Steem Keychain Can Help
There have been a whole bunch of updates made to the Steem Keychain browser extension since its initial launch three months ago, and I sincerely apologize for not having posted about them in all this time.
Most of you have hopefully already seen the updates in the extension anyway, so please show your appreciation to @stoodkev who is the primary developer responsible for it.
In any case, I promise I will post about all of the new and upcoming features soon, but first I wanted to talk about something in Steemit, Inc's recently published Mission, Vision, and Values statement, which you can read here: https://steemit.com/about.html
Under the "Security" section, which is one of the Values, it says the following (emphasis mine):
"This principle has led us to preferred use of client-side signing for cryptocurrency use on steemit.com, which means all transactions are pushed by the user while Steemit, Inc. never has access to, nor sees the user's private keys"
This statement immediately jumped out at me because it is not accurate. Steemit.com, SteemConnect, and many other Steem-based sites require you to paste your private key into a text field on the website to log in and use the site. Signing may well happen in the browser, but the JavaScript that handles the key is served by the site operator, so the operator does have access to your private key whenever they choose to: a change to the login page is all it takes. We just have to trust that they do not do this, and we have to trust that the servers hosting the website have not been compromised.
This is the exact reason that the Steem Keychain browser extension was created. It allows websites to request that the extension sign and broadcast transactions for them, so that the user never has to enter their private keys into the site directly. The site only ever receives a signature (or a broadcast result), never the key, and each request is shown to you for approval first. This means that even with a malicious site operator, or a compromised server, your keys are safe; the worst a malicious site can do is ask you to sign something you did not intend, which is why it is worth reading the confirmation prompt before approving it.
@eonwarped has generously donated his time to integrate the Steem Keychain extension into the condenser code that runs steemit.com and has submitted a pull request to merge that code into the main condenser code repository so that it can be put live on steemit.com. You can try out a version of condenser with Steem Keychain integration right now at https://cryptoempirebot.com which @eonwarped is hosting.
Many people that I speak to about the Steem platform, who are more familiar with using apps on other blockchain platforms such as Ethereum, balk at the concept of having to put your private key into a website, and cannot believe that's the way things are done here. It's great that we can now tell them that they can use the Steem Keychain extension instead, which alleviates their concerns, but unfortunately it is still not integrated into many Steem-based sites, including, most importantly, steemit.com.
If Steemit, Inc really does value security, I would strongly urge them to work with us to get the pull request merged and add Steem Keychain support to steemit.com. If the community also agrees, @aggroed and I would appreciate your support by voicing your opinion to try to make this happen.
In the meantime, I would encourage all of you to check out https://steeve.app which is a fantastic front-end for the Steem blockchain and also includes full Steem Keychain support.
For those of you not familiar with the Steem Keychain extension, you can read about it in our introductory post, and download it for the Google Chrome or Brave web browsers here (Firefox and Opera support coming soon).
Why you always sleep not post
Magic Dice has rewarded your post with a 66% upvote. Thanks for playing Magic Dice.
I thought that Steemit.com doesn't store keys and it's a client-side app.
I have a few questions:
Posted using Partiko Android
It is a client side app. The difference between keychain and what Condenser (Steemit.com) does is that in Condenser the signing code is sent to the client via http, and executed client side. In Keychain the signing code is built into a browser extension. With the code in a http web response, the server could potentially serve malicious code which reads your keys and sends them to the server. It would even be possible to do this selectively. With a browser extension, malicious code would have to be embedded in an update for the extension, and it would likely be quickly detected by the community. Thus having the code which handles keys only in a browser extension is safer than allowing a web app to handle your keys directly, even if it is generally only done client side.
Thank you for explanation :)
That's right, they don't store your keys and everything is done on the client side. The whole point is that since you're putting your key into a site that they control, they can store your keys, and send them to the server-side, but we have to trust that they don't. Even if I trust Steemit, Inc, what if someone hacks into the server hosting steemit.com and edits the code for the log in page to send all keys entered to their server? Thousands of keys (many likely master passwords) would be stolen very quickly.
To answer your questions:
Keys are stored locally, encrypted, in the extension. When using keychain, a website will request that the extension sign and broadcast transactions for it, so that the website never gets access to your keys. If you're concerned that we can access your keys since we created the extension, or that the account publishing the extension could be hacked, that is a valid concern. In that case you can download the extension code from GitHub and install it locally.
Sorry we're not moving as fast as you would like here... We're spending a lot of time and money developing this free tool to help improve and grow the Steem platform. If you would like things to move faster we would be happy for you to pitch in and help out!
Posted using Steeve, an AI-powered Steem interface
Yes, you're right, but here's why Keychain is still a better solution (IMO):
Lastly, aside from the security aspects, it's a really useful tool, especially if you manage multiple Steem accounts. At this point I couldn't imagine using Steem without it.
When you install an extension from the Chrome web store, it simply downloads the files and drops them into a folder for Chrome to access. So yes, you can verify by running a diff on the folder vs. the github. Or download directly from github, skipping the web store.
Thank you for your conversation.
Yaba, how about you spend your time doing something for steem that we really need, if you have all this energy, like running and paying for an instagram campaign to promote steem, and organize your followers with a trending post to register to post on reddit with you, maybe meet in a discord and all upvote and post about steemit... or do it in stealth to avoid getting banned by reddit for brigading.. but come on breaking the reddit rules is so sweet and we can totally take over reddit with our numbers but in a polite way, maybe do a steemit post once every other day..... hey man
hey man, in the words of @walden ,lets go, lets go mother fucker, huh?
U gonna sell some of ur Steem Monsters to us huh? Overpriced SHEET
hah cant u imagine walden sayin that?
#weappreciateyouyabapmatt #samemoon
Thanks for all the work @yabapmatt!!
Thank you :)
If I will have any time, maybe I will take a look into code to see if I can help.
I'm fairly certain you can use Chrome extensions on Firefox. Not positive if this one will work or not.
I tried, didn't work for me.
Dang, that sucks. I just bit the bullet and started using Chrome lol
I'll optimize the extension for Firefox in the near future.
ooj
shouldnt you be using golos? :P dasvidonyetsk
Why?
Posted using Partiko Android
Looking forward to see it live in condenser! Awesome job @eonwarped!
For Firefox users, optimizing the extension for your browser will be on my plate in the near future.
For Opera users, you can already use it but you'll need to install "Install Chrome extensions" from the Opera store first.
ǝɹǝɥ sɐʍ ɹoʇɐɹnƆ pɐW ǝɥ┴
Bahahaha
thanks for great info
Adding keychain to my browser is still on my "to-do" list, so I couldn't add any meaningful comment to this post. I got as far as downloading the chrome browser weeks back, transferring my bookmark favorites over, and "saved" the rest for another day. Another day turned into another day and another day..but it is definitely on my list!
On a side note, Mello mentioned the meetup a couple weeks back and I saw part of it on the youtube video. I was there in spirit! He shared some exciting news. We will definitely look into the opportunity. I hope all is well with you!
I've tried to use the browser extension with steeve.app but I am getting problems. Is that an issue with steeve or the extension?
It looks like you just need to add the private memo key to keychain for your account. If you open up the extension and go into settings -> Manage Accounts you should be able to enter the key there.
Posted using Steeve, an AI-powered Steem interface
That's actually something I was wondering about - wouldn't it be simpler to authenticate via posting-key? Most people add at least their posting-key and just a few, who know what the memo key is, are adding that one as well, IMO.
Yea that's a good point. I'll reach out to the steeve team about that.
The condenser uses posting key to sign a challenge message to the server so likely this can change the mechanism too. That's something the keychain can do now.
Platform problems with the Steve App? Pepperidge Farm remembers... Try a lil Kerosine oil.
Keychain is not only the most secure App to access other Steem related sites. It also functions as a great Web Wallet as well. You can send / receive Steem to anyone or just claim your rewards and manage delegations.
I hope steemit.inc sees the great user potential here and will integrate Keychain soon!
This story was recommended by Steeve to its users and upvoted by one or more of them.
Check @steeveapp to learn more about Steeve, an AI-powered Steem interface.
Does keychain support escrow transactions?
Posted using Partiko Android
is there any way how we can contribute/donate to this project?
This is all incredible work, thanks for doing it. @stoodkev @eonwarped and of course @yabapmatt
If you're a developer and want to help out, let me know! Otherwise I mentioned that @eonwarped has done all the work for the condenser PR on his own time/cost so I'm sure a donation to him to support this work would go a long way. @stoodkev, @aggroed, and I would just appreciate your support for our witnesses.
Already approved !!!
Thanks! Any reason why Steem is becoming one of the few major blockchains without hardware (e.g. Ledger) support?? Is nobody interested? Scatter already supports EOS, Tron and ethereum..why not add Steem and be able to sign transaction with a Ledger?
Hi @yabapmatt!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 8.317 which ranks you at #14 across all Steem accounts.
Your rank has dropped 1 places in the last three days (old rank 13).
In our last Algorithmic Curation Round, consisting of 240 contributions, your post is ranked at #1. Congratulations!
Evaluation of your UA score:
Feel free to join our @steem-ua Discord server
Hi, @yabapmatt!
You just got a 1.37% upvote from SteemPlus!
To get higher upvotes, earn more SteemPlus Points (SPP). On your Steemit wallet, check your SPP balance and click on "How to earn SPP?" to find out all the ways to earn.
If you're not using SteemPlus yet, please check our last posts in here to see the many ways in which SteemPlus can improve your Steem experience on Steemit and Busy.
This would be a great addition for Steemit.com and a good sign of cooperation if Steemit Inc rolls through with this
Posted using Partiko iOS
Great work! Hopefully you get some support :)
No doubt is a need.... 1+1
I would love to see this happen across all the DApps. Great initiative.
Going to work on implementing this for my project -- Been having issues w/ SteemConnect anyways.
Is there a rough ETA on Firefox support?
I'll get it working by this week or next , I'm on it already
Dope! You're a good man!
Doing my best ;)
Keychain is a necessity. Safety always comes first in crypto. We are a big target for hackers.
I like steemit, it's not like any other social network. Steemit gives knowledge and money.
Posted using Partiko Android
Seems like a step up in secure. Any thoughts on Steem 2fa?
Posted using Partiko Android
👋
The development of Steemit.com needs to be turned over to the community. Steemit Inc is too slow in a fast paced industry.
very good
Awesome, going to download!
Your article is very good, it really seems quite interesting to me.
Interesting.
Yes, this is the question that most steemians worry about. The browser extension is a good solution, though it is uncertain whether it might draw the bad guys' attention.
100% support the Keychain project. IMO this is what the community truly needs and this should be one of the top priorities in the dev list. Shame the company fails to see how crucial this component is. Keychain makes many DAPPs on Steem possible and one of them is the Dice game that requires rapid-firing.
However, I think Keychain should provide a way for user to whitelist certain transaction so the repeated popup can be avoided. Matured crypto extension like Scatter support the whitelist feature so it would definitely enhance the experience of using it especially in a DAPP like dice game.
This feature has already been implemented a while ago. You can whitelist a certain operation requested by a certain website. Only transactions using the active key cannot be whitelisted
Active key transactions are exactly what I meant actually. What was the concern not to allow whitelisting transactions that require active permission?
I understand users' funds may be at stake and that might sound like posing a risk to real money. But at least provide an option for those who would like to whitelist that kind of operation? That would really help the mass adoption of Steem, especially in DAPPs like the dice game. And that to me is the final form of how Keychain should be. Users get to customize it to their own convenience.
Posted using Partiko Android
A website whitelisted to use active authority by a user could, if falling into the wrong hands:
I think the tradeoff between security and convenience is too big here, that's why we only authorize whitelisting for actions requiring posting authority, since they don't have a direct impact on stake.
I agree and they are all valid concerns. But you can still offer users the ability to decide whether they are willing to go for the tradeoff or not. Maybe the whitelisting process can be more hidden in the settings or put up a significant warning sign in the whitelist page for active authority. There are tons of options.
like
Congratulations @yabapmatt!
Your post was mentioned in the Steem Hit Parade in the following category:
Interesting information.
Thank you!
Would be nice to filter only posts in English. Always looking for a way to explore new content on Steemit, but looks like most aren't in English.
Interesting, I always thought it was weird that some sites asked for private keys directly, I just never really understood why. This surely cleared it up a bit. I’ll look into getting keychain now.
This post has been included in the latest edition of SOS Daily News - a digest of all you need to know about the State of Steem.
Editor of the The State of Steem SoS Daily News.
Promoter of The State of Steem SoS Weekly Forums.
Editor of the weekly listing of steem radio shows, podcasts & social broadcasts.
Founder of the A Dollar A Day charitable giving project.
Did @ned or @elipowell have any comments on this?
Steemit's Security Values & How Steem Keychain Can Help, yes I agree with you
Is there any plans for a desktop version?
Thanks anyways for the updates still. It is worth sharing
Magic Dice has rewarded your post with a 14% upvote. Thanks for playing Magic Dice.
Why is it so difficult for developers to begin with the standard API -WebExtensions- which works on every single modern browser -even Edge- and then customize it for each of them?
Posted using Partiko Android
Give my son back his money _ 5 hours ago Transfer 56.000 STEEM to smartmarket https://steemit.com/freedom/@shepz1/i-set-off-to-see-the-world-and-i-did-not-like-what-i-left-behin
Or!
I don't run or have any affiliation with smartmarket...I believe that is run by @therealwolf
Thanks for the info, much appreciated.
Hello!
I am a community manager at Snax. We are trying to make a public blockchain based on an EOS node. The Snax chain will provide transactions over social networks, with token supply based on user social influence.
Snax, like Steemit, rewards its users for the content created, but Snax works as an overlay solution over existing social networks (e.g. Twitter).
We have no ICO. We already have a testnet, the mainnet will be launched this month, and we are currently looking for great candidates for Block Producers like yourself. You can find out more about us at our website snax.one
If our project is interesting for you, please let me know by emailing me at [email protected]
Looking forward to hearing from you, and keep rocking this world!
Hey
Posted using Partiko Messaging
Awesome!
@yabapmatt DUDE I just realized, if you sold a little USB dongle to hold your key like a little useful gimmick, I would buy it and many steemians would love it. It would be really cool to have a keypad-enabled hardware wallet for use with steem that could be as simple as a special dongle you needed to make keychain sign transactions... even if it was just a basic standard key fob USB keychain encrypted USB key thingy..... and had a custom steem engraving or whatever, and worked with your software, man that'd be legit...
You really deserve to be called Master... in fact you are!!!