RE: Hate putting private keys into websites? Introducing Steem Keychain!

in #steem, 6 years ago

It's my understanding that SteemConnect is just as trustworthy as your keychain. The point of it being a website is that it's accessible across all devices and operating systems. My understanding of SteemConnect is that they never see your private key. They use your key to create a permission token on your device.

The website simply called the Metamask browser extension to sign and broadcast the transactions for it.

And what happens if the contract is meant to steal your money? We can't really vet any of those transactions that pop up for legitimacy. We just trust that they do what the website told us they would do.

When it really comes down to it one has to trust the code. We expect that if the code is malicious a white hat will whistle-blow on it.


I would really love to be corrected about SteemConnect or why this service provides more security. In the link above I concluded that a browser extension would be a great way to provide the illusion of security...

However, why did you make your own product when you could have just extended SteemConnect into a browser extension? It's all open-source.

My understanding of SteemConnect is that they never see your private key. They use your key to create a permission token on your device.

I would really love to be corrected about SteemConnect or why this service provides more security

It is true that SteemConnect never sees your key as it is currently built, but since you are entering your key into a site served by them, they have access to see your key and could see it if, say, someone hacked their server and modified it to do that, or if a malicious site posed as SteemConnect in a phishing attempt. With the browser extension, websites will never get access to your keys in any way, so even if you visit a malicious site or a legitimate site gets hacked, they will never be able to get your keys.

That's the difference. It's not perfect, and it doesn't mean that you don't still need to be careful with your keys and what transactions you sign. But in my opinion it is a significant improvement over SteemConnect when using a browser that supports it (only Chrome and Brave right now but more to come).

As far as extending SteemConnect to an extension, that's not as simple as you have made it sound. They are very different products built to do very different things. I believe it was the right call to build this extension from scratch to do what we wanted it to do rather than try to modify SC to do something it wasn't built for.
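
The difference described in the reply above, as an added example that is not part of the thread and is not Steem Keychain or SteemConnect code: in one model the page's script is handed the key, in the other it can only ask a key holder for a signature that the user approves. Ed25519 is a stand-in for a Steem key, and every function name, origin and transaction here is constructed for illustration.

```javascript
// Added illustration of the two trust models; not Steem Keychain or SteemConnect code.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const encode = (tx) => Buffer.from(JSON.stringify(tx));
// Constructed sample transactions (field names are illustrative).
const INTENDED = { op: 'vote', author: 'alice', weight: 10000 };
const SWAPPED = { op: 'transfer', to: 'mallory', amount: '100.000 STEEM' };

// Model A: the key is typed into a page, so the page's script receives the key itself.
function websiteModel(pageScript) {
  const { privateKey } = generateKeyPairSync('ed25519'); // stand-in for a Steem key
  const retained = pageScript(privateKey); // whatever the served script keeps
  return { keyExposed: retained != null && retained.type === 'private' };
}

// Model B: the key stays in the extension's closure; pages only get requestSign().
function createExtension(userApproves) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return {
    publicKey,
    requestSign(origin, tx) {
      // The prompt shows origin and tx; nothing is signed without approval.
      if (!userApproves(origin, tx)) return { ok: false };
      return { ok: true, signature: sign(null, encode(tx), privateKey) };
    },
  };
}

function extensionModel() {
  // Hypothetical user who approves only the operation they meant to perform.
  const careful = (origin, tx) => JSON.stringify(tx) === JSON.stringify(INTENDED);
  const ext = createExtension(careful);
  const pageView = Object.values(ext); // everything a page can reach
  const good = ext.requestSign('https://app.example', INTENDED);
  return {
    keyExposed: pageView.some((v) => v && v.type === 'private'),
    swappedRejected: ext.requestSign('https://app.example', SWAPPED).ok === false,
    signatureValid: good.ok && verify(null, encode(INTENDED), ext.publicKey, good.signature),
  };
}

// A modified or phishing page script simply keeps what it is handed.
console.log(websiteModel((key) => key), extensionModel());
```

The swapped request is refused only because the modelled user compares the prompt with what they meant to do, which is the "be careful what transactions you sign" caveat from the reply.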

Thanks for explaining it to me! It's nice to see someone literally introduce a solution to the problem at the same time that I brought it up... lol. Nice work!