Nah. The problem with steem is that there's so many apps, it's hard to keep track of what's what. Sometimes I look at links, and think 'yeah, that's a good one, I'll use that', and then forget all about it one week later. Other times I think I'll go check that link out tomorrow, but never get around to it. I did check out Vessel once after seeing one of your links, but can't remember what it was about.
Looking at the link now I see that it's a desktop wallet. We don't need a desktop wallet for steem, do we? The great thing about having it online is that it can't get lost or destroyed in a house fire. Having said that, I don't really know what a desktop wallet is... :D
IMHO using a website-based wallet is a recipe for disaster and has a much, much higher risk than using a desktop wallet.
Every time you enter your master password or active key on a website - there's a risk that the website has been compromised somehow and you could lose everything. You are trusting that website to not send your keys off to some hacker's inbox, and most likely you won't know when it's been compromised until after the funds are gone.
Storing your keys in a desktop wallet prevents the need from ever having to use those keys and accept that risk of entering that sensitive information on a website. You control what version of the software is on your computer, it's encrypted, and the keys never leave the app. If your computer gets compromised/hacked, someone could keylog you or alter your copy of Vessel, but the chances of that are tiny compared to a website getting compromised.
Also regarding the "stored online" - the only place it's stored when using steemit is your browser and anyplace you've chosen to back up your keys/passwords. You could definitely lose it or it could get destroyed in a house fire if that browser is the only place you use it. It's the same with Vessel, since they're both on your computer, but in either case you should have backups someplace that's not on fire :)
Realistically, everyone should be:
Using their posting keys on steemit for everyday activities.
Storing active keys in a desktop/mobile wallet, and never using them on a website.
Never using the owner key on a computer for anything, except account recovery.
Backing up ALL of the keys/passwords offline, someplace that's safe in the event your house burns down.
So yes - we absolutely need desktop (and mobile) wallets for Steem! Pretending your web browser is a safe place can be very very dangerous, especially when money is involved.
Short of being hacked (or steemit going rogue), my steem isn't getting lost.
Regarding a desktop wallet, can you store a copy of it somewhere else? Is that a valid firesafe mechanism? I always assumed the concept of a hardware wallet was that it was tied to that particular hardware. If that isn't the case, then I can see how controlling your own wallet with offsite backups is the safest approach.
Any operation on the Steem blockchain requires the creation of an operation (JSON) which is then signed by a private key associated with the originating account (or an account auth... but we won't dive into that). These signed operations are then broadcast to the blockchain and added to blocks. The only thing you need to create one of these operations is a valid private key of the appropriate type for the operation. For a transfer - it'd be the active key.
For clarity on terminology - the private keys, which start with 5, are the actual keys. Each private key has a level of permission - posting, active, owner. The master password that steemit.com uses, which starts with P, is different in that it's a seed of sorts that generates all of your private keys. This makes the security of your master password just as critical as security of your owner key.
This is the one piece of information you're always sharing with whatever software you use: your private key. The one exception being SteemConnect using auths, which fixes some of these issues but also raises some different ones. I won't dive into that here.
Since all transactions require some form of private key - now there's a choice of what you can trust with that private key:
You can trust it in your web browser, with all of your extensions, and trusting the web page's code you're visiting.
You can trust it in the cli_wallet application (built by Steemit Inc) running on a server you secure.
You can trust it in a mobile application (like Steemit Inc is building or eSteem by @good-karma) running in an isolated, sandboxed application, on a secure mobile device.
You can trust it in a desktop application (like Vessel) running in an isolated, sandboxed application.
With the first option, in your browser, you're trusting that everything is going to work perfectly, none of your extensions have malware, the webpage you're visiting isn't infected, and that you trust the team behind the site with all of your wealth. You're trusting this every time you enter that private key or master password.
The remaining 3 options all save your private key (potentially encrypted) in an isolated app - that's never going to ask for your key more than once. If encrypted, it'll ask for a password to unlock, but that key isn't being exposed repeatedly to the same risks that the browser has.
The mechanics behind how a site like steemit.com makes a transfer vs how Vessel makes a transfer aren't all that different - but the improvement comes from where that code is firing. Hardware wallets kick it up another notch where you have a dedicated device to house the keys - we don't have that yet for Steem, but if we did, it'd be integrated into something like Vessel :)
Got a little long winded, but you asked a fairly broad question. I hope I answered it and if I didn't, I can try again lol.
You messing with me right now? :)
https://github.com/aaroncox/vessel
My keys are in the cloud as well. ;)
All it takes is one clever guy using an XSS attack while you're trying to do a transfer, and your steem would be gone.
Your keys are just text - you can store them wherever you want. Paper someplace laminated, etched into metal, whatever.
Ok, I'm new to cryptocurrencies, so can you describe the process of say sending me steem/sbd from a desktop wallet vs the online wallet?
Sure, happy to share.